diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index 488c4f944..fa1daf012 100644
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -1,16 +1,19 @@
 # frozen_string_literal: true
 class MediaController < ApplicationController
- before_action :set_media_attachment
+ before_action :verify_permitted_status
 def show
- redirect_to @media_attachment.file.url(:original)
+ redirect_to media_attachment.file.url(:original)
 end
 private
- def set_media_attachment
- @media_attachment = MediaAttachment.where.not(status_id: nil).find_by!(shortcode: params[:id])
- raise ActiveRecord::RecordNotFound unless @media_attachment.status.permitted?(current_account)
+ def media_attachment
+ MediaAttachment.attached.find_by!(shortcode: params[:id])
+ end
+
+ def verify_permitted_status
+ raise ActiveRecord::RecordNotFound unless media_attachment.status.permitted?(current_account)
 end
 end
diff --git a/app/models/media_attachment.rb b/app/models/media_attachment.rb
index 818190214..85e82e12b 100644
--- a/app/models/media_attachment.rb
+++ b/app/models/media_attachment.rb
@@ -33,6 +33,7 @@ class MediaAttachment < ApplicationRecord
 validates :account, presence: true
+ scope :attached, -> { where.not(status_id: nil) }
 scope :local, -> { where(remote_url: '') }
 default_scope { order('id asc') }
diff --git a/spec/controllers/media_controller_spec.rb b/spec/controllers/media_controller_spec.rb
new file mode 100644
index 000000000..ebf6aa006
--- /dev/null
+++ b/spec/controllers/media_controller_spec.rb
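Review bot: In `app/controllers/media_controller.rb`, `media_attachment` is not memoized, so `verify_permitted_status` and `show` each run their own `find_by!`. The record that passes the permission check is therefore not guaranteed to be the object whose URL is redirected to, and every request pays for two queries. Memoize the lookup, `@media_attachment ||= MediaAttachment.attached.find_by!(shortcode: params[:id])`, so the authorization decision and the redirect share one record. Separately, `attached` only filters on a non-null `status_id`; if a status row can be missing while the id is still set (not visible in this diff), `media_attachment.status.permitted?` would raise `NoMethodError` rather than `RecordNotFound`, so a nil guard may be worth adding.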
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe MediaController do
+ describe '#show' do
+ it 'redirects to the file url when attached to a status' do
+ status = Fabricate(:status)
+ media_attachment = Fabricate(:media_attachment, status: status)
+ get :show, params: { id: media_attachment.to_param }
+
+ expect(response).to redirect_to(media_attachment.file.url(:original))
+ end
+
+ it 'responds with missing when there is not an attached status' do
+ media_attachment = Fabricate(:media_attachment, status: nil)
+ get :show, params: { id: media_attachment.to_param }
+
+ expect(response).to have_http_status(:missing)
+ end
+
+ it 'raises when shortcode cant be found' do
+ get :show, params: { id: 'missing' }
+
+ expect(response).to have_http_status(:missing)
+ end
+
+ it 'raises when not permitted to view' do
+ status = Fabricate(:status)
+ media_attachment = Fabricate(:media_attachment, status: status)
+ allow_any_instance_of(Status).to receive(:permitted?).and_return(false)
+ get :show, params: { id: media_attachment.to_param }
+
+ expect(response).to have_http_status(:missing)
+ end
+ end
+end
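Review bot: The 'raises when not permitted to view' example stubs `permitted?` on every `Status` via `allow_any_instance_of(...).and_return(false)`, so the access-control path is never exercised against the real visibility rule. The stub also accepts any argument, so the example would still pass if the controller handed the wrong account to `permitted?`. Prefer fabricating a status that the real rule denies to an anonymous viewer and asserting the 404, plus a signed-in case that is allowed, so a regression in the check itself is caught. The two examples titled 'raises when …' assert an HTTP response rather than an exception; naming them like the second example, e.g. `it 'responds with missing when the shortcode cannot be found' do`, would match what they verify.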