From c2d7649e3632d6ec22be4474744e51c6f74089cc Mon Sep 17 00:00:00 2001 From: ThibG Date: Sat, 26 Jan 2019 23:59:39 +0100 Subject: [PATCH] Prevent posting toots with media attachments from someone else (#9921) --- app/services/post_status_service.rb | 2 +- spec/services/post_status_service_spec.rb | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/app/services/post_status_service.rb b/app/services/post_status_service.rb index 1f5a3f4cf9ee5e..9959bb1fbf7d02 100644 --- a/app/services/post_status_service.rb +++ b/app/services/post_status_service.rb @@ -93,7 +93,7 @@ def validate_media! raise Mastodon::ValidationError, I18n.t('media_attachments.validations.too_many') if @options[:media_ids].size > 4 - @media = MediaAttachment.where(status_id: nil).where(id: @options[:media_ids].take(4).map(&:to_i)) + @media = @account.media_attachments.where(status_id: nil).where(id: @options[:media_ids].take(4).map(&:to_i)) raise Mastodon::ValidationError, I18n.t('media_attachments.validations.images_and_video') if @media.size > 1 && @media.find(&:video?) end diff --git a/spec/services/post_status_service_spec.rb b/spec/services/post_status_service_spec.rb index 680cebbcf38311..facbe977f23330 100644 --- a/spec/services/post_status_service_spec.rb +++ b/spec/services/post_status_service_spec.rb @@ -167,7 +167,7 @@ it 'attaches the given media to the created status' do account = Fabricate(:account) - media = Fabricate(:media_attachment) + media = Fabricate(:media_attachment, account: account) status = subject.call( account, @@ -178,6 +178,19 @@ expect(media.reload.status).to eq status end + it 'does not attach media from another account to the created status' do + account = Fabricate(:account) + media = Fabricate(:media_attachment, account: Fabricate(:account)) + + status = subject.call( + account, + text: "test status update", + media_ids: [media.id], + ) + + expect(media.reload.status).to eq nil + end + it 'does not allow attaching more than 4 files' do account = Fabricate(:account)