Extract authorization policy for viewing statuses (#3150)

app/controllers/media_controller.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class MediaController < ApplicationController
+  include Authorization
+
   before_action :verify_permitted_status
 
   def show
@@ -14,6 +16,9 @@ class MediaController < ApplicationController
   end
 
   def verify_permitted_status
-    raise ActiveRecord::RecordNotFound unless media_attachment.status.permitted?(current_account)
+    authorize media_attachment.status, :show?
+  rescue Mastodon::NotPermittedError
+    # Reraise in order to get a 404 instead of a 403 error code
+    raise ActiveRecord::RecordNotFound
   end
 end