Extract authorization policy for viewing statuses (#3150)

2017-05-29 09:22:22 -07:00 · 2017-05-29 09:22:22 -07:00 · 3a2003ba86
commit 3a2003ba86
parent 9a81be0d37
16 changed files with 155 additions and 80 deletions
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class StatusesController < ApplicationController
+  include Authorization
+
  layout 'public'

  before_action :set_account
@ -30,7 +32,10 @@ class StatusesController < ApplicationController
    @stream_entry = @status.stream_entry
    @type         = @stream_entry.activity_type.downcase

-    raise ActiveRecord::RecordNotFound unless @status.permitted?(current_account)
+    authorize @status, :show?
+  rescue Mastodon::NotPermittedError
+    # Reraise in order to get a 404
+    raise ActiveRecord::RecordNotFound
  end

  def check_account_suspension