From e031fd60ad9ee492fbbda319eaeb213098898d03 Mon Sep 17 00:00:00 2001 From: Jack Jennings Date: Tue, 30 May 2017 06:16:14 -0700 Subject: [PATCH] Move status reblog authorization into policy (#3425) --- app/policies/status_policy.rb | 18 ++++++++++++++-- app/services/reblog_service.rb | 3 +-- spec/policies/status_policy_spec.rb | 32 ++++++++++++++++++++++------- 3 files changed, 42 insertions(+), 11 deletions(-) diff --git a/app/policies/status_policy.rb b/app/policies/status_policy.rb index 658ba6d12..41d63fcbc 100644 --- a/app/policies/status_policy.rb +++ b/app/policies/status_policy.rb @@ -9,12 +9,26 @@ class StatusPolicy end def show? - if status.direct_visibility? + if direct? status.account.id == account&.id || status.mentions.where(account: account).exists? - elsif status.private_visibility? + elsif private? status.account.id == account&.id || account&.following?(status.account) || status.mentions.where(account: account).exists? else account.nil? || !status.account.blocking?(account) end end + + def reblog? + !direct? && !private? && show? + end + + private + + def direct? + status.direct_visibility? + end + + def private? + status.private_visibility? + end end diff --git a/app/services/reblog_service.rb b/app/services/reblog_service.rb index 9c44b1980..a3636a283 100644 --- a/app/services/reblog_service.rb +++ b/app/services/reblog_service.rb @@ -11,8 +11,7 @@ class ReblogService < BaseService def call(account, reblogged_status) reblogged_status = reblogged_status.reblog if reblogged_status.reblog? - authorize_with account, reblogged_status, :show? - raise Mastodon::NotPermittedError if reblogged_status.direct_visibility? || reblogged_status.private_visibility? + authorize_with account, reblogged_status, :reblog? reblog = account.statuses.create!(reblog: reblogged_status, text: '') diff --git a/spec/policies/status_policy_spec.rb b/spec/policies/status_policy_spec.rb index ee7060b98..b969988e9 100644 --- a/spec/policies/status_policy_spec.rb +++ b/spec/policies/status_policy_spec.rb @@ -7,6 +7,20 @@ RSpec.describe StatusPolicy, type: :model do let(:alice) { Fabricate(:account, username: 'alice') } let(:status) { Fabricate(:status, account: alice) } + permissions :show?, :reblog? do + it 'grants access when no viewer' do + expect(subject).to permit(nil, status) + end + + it 'denies access when viewer is blocked' do + block = Fabricate(:block) + status.visibility = :private + status.account = block.target_account + + expect(subject).to_not permit(block.account, status) + end + end + permissions :show? do it 'grants access when direct and account is viewer' do status.visibility = :direct @@ -54,17 +68,21 @@ RSpec.describe StatusPolicy, type: :model do expect(subject).to_not permit(viewer, status) end + end - it 'grants access when no viewer' do - expect(subject).to permit(nil, status) + permissions :reblog? do + it 'denies access when private' do + viewer = Fabricate(:account) + status.visibility = :private + + expect(subject).to_not permit(viewer, status) end - it 'denies access when viewer is blocked' do - block = Fabricate(:block) - status.visibility = :private - status.account = block.target_account + it 'denies access when direct' do + viewer = Fabricate(:account) + status.visibility = :direct - expect(subject).to_not permit(block.account, status) + expect(subject).to_not permit(viewer, status) end end end