Merge pull request from GHSA-58x8-3qxw-6hm7

* Fix insufficient permission checking for public timeline endpoints Note that this changes unauthenticated access failure code from 401 to 422 * Add more tests for public timelines * Require user token in `/api/v1/statuses/:id/translate` and `/api/v1/scheduled_statuses`
2024-07-04 16:26:49 +02:00 · 2024-07-04 16:26:49 +02:00 · 502cf75b16
commit 502cf75b16
parent 395f17ca17
11 changed files with 82 additions and 23 deletions
--- a/app/controllers/api/v1/scheduled_statuses_controller.rb
+++ b/app/controllers/api/v1/scheduled_statuses_controller.rb
@ -6,6 +6,7 @@ class Api::V1::ScheduledStatusesController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, except: [:update, :destroy]
  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }, only: [:update, :destroy]

+  before_action :require_user!
  before_action :set_statuses, only: :index
  before_action :set_status, except: :index

--- a/app/controllers/api/v1/statuses/translations_controller.rb
+++ b/app/controllers/api/v1/statuses/translations_controller.rb
@ -2,6 +2,7 @@

 class Api::V1::Statuses::TranslationsController < Api::V1::Statuses::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }
+  before_action :require_user!
  before_action :set_translation

  rescue_from TranslationService::NotConfiguredError, with: :not_found
--- a/app/controllers/api/v1/timelines/base_controller.rb
+++ b/app/controllers/api/v1/timelines/base_controller.rb
@ -3,8 +3,14 @@
 class Api::V1::Timelines::BaseController < Api::BaseController
  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }

+  before_action :require_user!, if: :require_auth?
+
  private

+  def require_auth?
+    !Setting.timeline_preview
+  end
+
  def pagination_collection
    @statuses
  end
--- a/app/controllers/api/v1/timelines/link_controller.rb
+++ b/app/controllers/api/v1/timelines/link_controller.rb
@ -1,7 +1,7 @@
 # frozen_string_literal: true

 class Api::V1::Timelines::LinkController < Api::V1::Timelines::BaseController
-  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: :show, if: :require_auth?
+  before_action -> { authorize_if_got_token! :read, :'read:statuses' }
  before_action :set_preview_card
  before_action :set_statuses

@ -17,10 +17,6 @@ class Api::V1::Timelines::LinkController < Api::V1::Timelines::BaseController

  private

-  def require_auth?
-    !Setting.timeline_preview
-  end
-
  def set_preview_card
    @preview_card = PreviewCard.joins(:trend).merge(PreviewCardTrend.allowed).find_by!(url: params[:url])
  end
--- a/app/controllers/api/v1/timelines/public_controller.rb
+++ b/app/controllers/api/v1/timelines/public_controller.rb
@ -1,7 +1,7 @@
 # frozen_string_literal: true

 class Api::V1::Timelines::PublicController < Api::V1::Timelines::BaseController
-  before_action :require_user!, only: [:show], if: :require_auth?
+  before_action -> { authorize_if_got_token! :read, :'read:statuses' }

  PERMITTED_PARAMS = %i(local remote limit only_media).freeze

@ -13,10 +13,6 @@ class Api::V1::Timelines::PublicController < Api::V1::Timelines::BaseController

  private

-  def require_auth?
-    !Setting.timeline_preview
-  end
-
  def load_statuses
    preloaded_public_statuses_page
  end
--- a/app/controllers/api/v1/timelines/tag_controller.rb
+++ b/app/controllers/api/v1/timelines/tag_controller.rb
@ -1,7 +1,7 @@
 # frozen_string_literal: true

 class Api::V1::Timelines::TagController < Api::V1::Timelines::BaseController
-  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: :show, if: :require_auth?
+  before_action -> { authorize_if_got_token! :read, :'read:statuses' }
  before_action :load_tag

  PERMITTED_PARAMS = %i(local limit only_media).freeze