logo

mastofe

My custom branche(s) on git.pleroma.social/pleroma/mastofe
commit: e031fd60ad9ee492fbbda319eaeb213098898d03
parent: bc4fad9e22695aae04cf06ada7f1c70887028cde
Author: Jack Jennings <jack@standard-library.com>
Date:   Tue, 30 May 2017 06:16:14 -0700

Move status reblog authorization into policy (#3425)


Diffstat:

Mapp/policies/status_policy.rb18++++++++++++++++--
Mapp/services/reblog_service.rb3+--
Mspec/policies/status_policy_spec.rb32+++++++++++++++++++++++++-------
3 files changed, 42 insertions(+), 11 deletions(-)

diff --git a/app/policies/status_policy.rb b/app/policies/status_policy.rb @@ -9,12 +9,26 @@ class StatusPolicy end def show? - if status.direct_visibility? + if direct? status.account.id == account&.id || status.mentions.where(account: account).exists? - elsif status.private_visibility? + elsif private? status.account.id == account&.id || account&.following?(status.account) || status.mentions.where(account: account).exists? else account.nil? || !status.account.blocking?(account) end end + + def reblog? + !direct? && !private? && show? + end + + private + + def direct? + status.direct_visibility? + end + + def private? + status.private_visibility? + end end diff --git a/app/services/reblog_service.rb b/app/services/reblog_service.rb @@ -11,8 +11,7 @@ class ReblogService < BaseService def call(account, reblogged_status) reblogged_status = reblogged_status.reblog if reblogged_status.reblog? - authorize_with account, reblogged_status, :show? - raise Mastodon::NotPermittedError if reblogged_status.direct_visibility? || reblogged_status.private_visibility? + authorize_with account, reblogged_status, :reblog? reblog = account.statuses.create!(reblog: reblogged_status, text: '') diff --git a/spec/policies/status_policy_spec.rb b/spec/policies/status_policy_spec.rb @@ -7,6 +7,20 @@ RSpec.describe StatusPolicy, type: :model do let(:alice) { Fabricate(:account, username: 'alice') } let(:status) { Fabricate(:status, account: alice) } + permissions :show?, :reblog? do + it 'grants access when no viewer' do + expect(subject).to permit(nil, status) + end + + it 'denies access when viewer is blocked' do + block = Fabricate(:block) + status.visibility = :private + status.account = block.target_account + + expect(subject).to_not permit(block.account, status) + end + end + permissions :show? do it 'grants access when direct and account is viewer' do status.visibility = :direct @@ -54,17 +68,21 @@ RSpec.describe StatusPolicy, type: :model do expect(subject).to_not permit(viewer, status) end + end - it 'grants access when no viewer' do - expect(subject).to permit(nil, status) + permissions :reblog? do + it 'denies access when private' do + viewer = Fabricate(:account) + status.visibility = :private + + expect(subject).to_not permit(viewer, status) end - it 'denies access when viewer is blocked' do - block = Fabricate(:block) - status.visibility = :private - status.account = block.target_account + it 'denies access when direct' do + viewer = Fabricate(:account) + status.visibility = :direct - expect(subject).to_not permit(block.account, status) + expect(subject).to_not permit(viewer, status) end end end