commit: e031fd60ad9ee492fbbda319eaeb213098898d03
parent: bc4fad9e22695aae04cf06ada7f1c70887028cde
Author: Jack Jennings <jack@standard-library.com>
Date: Tue, 30 May 2017 06:16:14 -0700
Move status reblog authorization into policy (#3425)
Diffstat:
3 files changed, 42 insertions(+), 11 deletions(-)
diff --git a/app/policies/status_policy.rb b/app/policies/status_policy.rb
@@ -9,12 +9,26 @@ class StatusPolicy
end
def show?
- if status.direct_visibility?
+ if direct?
status.account.id == account&.id || status.mentions.where(account: account).exists?
- elsif status.private_visibility?
+ elsif private?
status.account.id == account&.id || account&.following?(status.account) || status.mentions.where(account: account).exists?
else
account.nil? || !status.account.blocking?(account)
end
end
+
+ def reblog?
+ !direct? && !private? && show?
+ end
+
+ private
+
+ def direct?
+ status.direct_visibility?
+ end
+
+ def private?
+ status.private_visibility?
+ end
end
diff --git a/app/services/reblog_service.rb b/app/services/reblog_service.rb
@@ -11,8 +11,7 @@ class ReblogService < BaseService
def call(account, reblogged_status)
reblogged_status = reblogged_status.reblog if reblogged_status.reblog?
- authorize_with account, reblogged_status, :show?
- raise Mastodon::NotPermittedError if reblogged_status.direct_visibility? || reblogged_status.private_visibility?
+ authorize_with account, reblogged_status, :reblog?
reblog = account.statuses.create!(reblog: reblogged_status, text: '')
diff --git a/spec/policies/status_policy_spec.rb b/spec/policies/status_policy_spec.rb
@@ -7,6 +7,20 @@ RSpec.describe StatusPolicy, type: :model do
let(:alice) { Fabricate(:account, username: 'alice') }
let(:status) { Fabricate(:status, account: alice) }
+ permissions :show?, :reblog? do
+ it 'grants access when no viewer' do
+ expect(subject).to permit(nil, status)
+ end
+
+ it 'denies access when viewer is blocked' do
+ block = Fabricate(:block)
+ status.visibility = :private
+ status.account = block.target_account
+
+ expect(subject).to_not permit(block.account, status)
+ end
+ end
+
permissions :show? do
it 'grants access when direct and account is viewer' do
status.visibility = :direct
@@ -54,17 +68,21 @@ RSpec.describe StatusPolicy, type: :model do
expect(subject).to_not permit(viewer, status)
end
+ end
- it 'grants access when no viewer' do
- expect(subject).to permit(nil, status)
+ permissions :reblog? do
+ it 'denies access when private' do
+ viewer = Fabricate(:account)
+ status.visibility = :private
+
+ expect(subject).to_not permit(viewer, status)
end
- it 'denies access when viewer is blocked' do
- block = Fabricate(:block)
- status.visibility = :private
- status.account = block.target_account
+ it 'denies access when direct' do
+ viewer = Fabricate(:account)
+ status.visibility = :direct
- expect(subject).to_not permit(block.account, status)
+ expect(subject).to_not permit(viewer, status)
end
end
end