Unfloyded/Legamunt
0
0
Fork 0
Code Activity

Merge pull request from GHSA-58x8-3qxw-6hm7

Browse source 
* Fix insufficient permission checking for public timeline endpoints

Note that this changes unauthenticated access failure code from 401 to 422

* Add more tests for public timelines

* Require user token in `/api/v1/statuses/:id/translate` and `/api/v1/scheduled_statuses`
This commit is contained in:
Claire 2024-07-04 16:26:49 +02:00 committed by GitHub
parent 395f17ca17
commit 502cf75b16
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 82 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

6
app/controllers/api/v1/timelines/public_controller.rb
View file

@ -1,7 +1,7 @@
# frozen_string_literal: true
class Api::V1::Timelines::PublicController < Api::V1::Timelines::BaseController
before_action :require_user!, only: [:show], if: :require_auth?
before_action -> { authorize_if_got_token! :read, :'read:statuses' }
PERMITTED_PARAMS = %i(local remote limit only_media).freeze
@ -13,10 +13,6 @@ class Api::V1::Timelines::PublicController < Api::V1::Timelines::BaseController
private
def require_auth?
!Setting.timeline_preview
end
def load_statuses
preloaded_public_statuses_page
end