Extract authorization policy for viewing statuses (#3150)

2017-05-29 09:22:22 -07:00 · 2017-05-29 09:22:22 -07:00 · 3a2003ba86
commit 3a2003ba86
parent 9a81be0d37
16 changed files with 155 additions and 80 deletions
--- a/app/controllers/api/activitypub/activities_controller.rb
+++ b/app/controllers/api/activitypub/activities_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class Api::Activitypub::ActivitiesController < ApiController
+  include Authorization
+
  # before_action :set_follow, only: [:show_follow]
  before_action :set_status, only: [:show_status]

@ -8,7 +10,7 @@ class Api::Activitypub::ActivitiesController < ApiController

  # Show a status in AS2 format, as either an Announce (reblog) or a Create (post) activity.
  def show_status
-    return forbidden unless @status.permitted?
+    authorize @status, :show?

    if @status.reblog?
      render :show_status_announce
--- a/app/controllers/api/activitypub/notes_controller.rb
+++ b/app/controllers/api/activitypub/notes_controller.rb
@ -1,12 +1,14 @@
 # frozen_string_literal: true

 class Api::Activitypub::NotesController < ApiController
+  include Authorization
+
  before_action :set_status

  respond_to :activitystreams2

  def show
-    forbidden unless @status.permitted?
+    authorize @status, :show?
  end

  private