port tootsuite/mastodon#12930 to monsterfork: Fix OEmbed leaking information about existence of non-public statuses
Gargron authored and multiple creatures committed Feb 21, 2020
1 parent f983779 commit 294ac7e
Showing 2 changed files with 15 additions and 5 deletions.
16 changes: 13 additions & 3 deletions app/controllers/api/oembed_controller.rb
@@ -1,15 +1,25 @@
# frozen_string_literal: true

class Api::OEmbedController < Api::BaseController
respond_to :json
skip_before_action :require_authenticated_user!

before_action :set_status
before_action :require_public_status!

def show
@status = status_finder.status
render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default, monsterfork_api: monsterfork_api
render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default
end

private

def set_status
@status = status_finder.status
end

def require_public_status!
not_found unless @status.distributable?
end

def status_finder
StatusFinder.new(params[:url])
end
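Review bot: The two `render json: @status, serializer: OEmbedSerializer, ...` lines in this hunk differ only in the trailing `monsterfork_api: monsterfork_api` keyword, so the port drops a fork-specific serializer option while pulling in the upstream fix; confirm that `OEmbedSerializer` in this fork no longer needs it, otherwise the embed output will silently change along with the security fix. The new `require_public_status!` before_action is the right shape: `not_found unless @status.distributable?` answers a non-public status with the same 404 a nonexistent status gets, so the OEmbed endpoint (which skips `require_authenticated_user!`) can no longer be used to confirm that a private status URL exists. Since `set_status` calls `StatusFinder.new(params[:url]).status` before the public check, it is worth a one-line comment stating that a lookup failure there must also surface as a plain 404 and not a distinguishable error.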
4 changes: 2 additions & 2 deletions app/controllers/statuses_controller.rb
@@ -47,7 +47,7 @@ def activity
end

def embed
raise ActiveRecord::RecordNotFound unless @status.distributable?
return not_found unless @status.distributable?

expires_in 180, public: true
response.headers['X-Frame-Options'] = 'ALLOWALL'
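Review bot: `return not_found unless @status.distributable?` must be the first statement in `embed`, as it is here, because `expires_in 180, public: true` follows it; if the guard came later, a 404 for a non-public status could be marked publicly cacheable and served from a shared cache. The explicit `return` is needed since `not_found` renders rather than raises; keep it, and consider a short comment noting that `embed` and the `set_status` rescue must both produce the same 404 so the two failure modes stay indistinguishable.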
@@ -75,7 +75,7 @@ def set_status
authorize @status, :show?
end
rescue Mastodon::NotPermittedError
raise ActiveRecord::RecordNotFound
not_found
end

def handle_sharekey_change
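Review bot: Replacing `raise ActiveRecord::RecordNotFound` with `not_found` inside a `before_action` only halts the chain if `not_found` actually renders a response; if it merely sets a status or returns, Rails will continue into the action with an unauthorized `@status`. Confirm the `not_found` helper renders (or redirects) in this controller, and add a comment on the `rescue Mastodon::NotPermittedError` line saying why a permission failure is mapped to 404 rather than 403: the point of the fix is that an unauthorized viewer cannot tell a status they may not see from one that does not exist.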