diff --git a/app/controllers/api/oembed_controller.rb b/app/controllers/api/oembed_controller.rb index 25c877ecdfa4b6..b1970e9548938d 100644 --- a/app/controllers/api/oembed_controller.rb +++ b/app/controllers/api/oembed_controller.rb @@ -1,15 +1,25 @@ # frozen_string_literal: true class Api::OEmbedController < Api::BaseController - respond_to :json + skip_before_action :require_authenticated_user! + + before_action :set_status + before_action :require_public_status! def show - @status = status_finder.status - render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default, monsterfork_api: monsterfork_api + render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default end private + def set_status + @status = status_finder.status + end + + def require_public_status! + not_found unless @status.distributable? + end + def status_finder StatusFinder.new(params[:url]) end diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb index 00db6c169e91c7..87fdf222ee6f1b 100644 --- a/app/controllers/statuses_controller.rb +++ b/app/controllers/statuses_controller.rb @@ -47,7 +47,7 @@ def activity end def embed - raise ActiveRecord::RecordNotFound unless @status.distributable? + return not_found unless @status.distributable? expires_in 180, public: true response.headers['X-Frame-Options'] = 'ALLOWALL' @@ -75,7 +75,7 @@ def set_status authorize @status, :show? end rescue Mastodon::NotPermittedError - raise ActiveRecord::RecordNotFound + not_found end def handle_sharekey_change