Unfloyded/Legamunt
0
0
Fork 0
Code Activity

Extract authorization policy for viewing statuses (#3150)

Browse source
This commit is contained in:
Jack Jennings 2017-05-29 09:22:22 -07:00 committed by Eugen Rochko
parent 9a81be0d37
commit 3a2003ba86
16 changed files with 155 additions and 80 deletions
Download patch file Download diff file Expand all files Collapse all files

7
app/controllers/api/v1/statuses_controller.rb
View file

@ -1,6 +1,8 @@
# frozen_string_literal: true
class Api::V1::StatusesController < ApiController
include Authorization
before_action :authorize_if_got_token, except: [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite, :mute, :unmute]
before_action -> { doorkeeper_authorize! :write }, only: [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite, :mute, :unmute]
before_action :require_user!, except: [:show, :context, :card, :reblogged_by, :favourited_by]
@ -130,7 +132,10 @@ class Api::V1::StatusesController < ApiController
def set_status
@status = Status.find(params[:id])
raise ActiveRecord::RecordNotFound unless @status.permitted?(current_account)
authorize @status, :show?
rescue Mastodon::NotPermittedError
# Reraise in order to get a 404 instead of a 403 error code
raise ActiveRecord::RecordNotFound
end
def set_conversation