Fix OEmbed leaking information about existence of non-public statuses (#12930)
		| @@ -1,17 +1,25 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::OEmbedController < Api::BaseController | ||||
|   respond_to :json | ||||
|  | ||||
|   skip_before_action :require_authenticated_user! | ||||
|  | ||||
|   before_action :set_status | ||||
|   before_action :require_public_status! | ||||
|  | ||||
|   def show | ||||
|     @status = status_finder.status | ||||
|     render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default | ||||
|   end | ||||
|  | ||||
|   private | ||||
|  | ||||
|   def set_status | ||||
|     @status = status_finder.status | ||||
|   end | ||||
|  | ||||
|   def require_public_status! | ||||
|     not_found if @status.hidden? | ||||
|   end | ||||
|  | ||||
|   def status_finder | ||||
|     StatusFinder.new(params[:url]) | ||||
|   end | ||||
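Review bot: The 404 rendered by `require_public_status!` (`not_found if @status.hidden?`) only closes the oracle if it is indistinguishable from the 404 a caller gets when `params[:url]` resolves to no status at all, and that other path is not in this hunk — a `StatusFinder` failure is presumably handled by a `rescue_from` in `Api::BaseController`. Worth confirming both paths return the same status code, body and headers, and adding a spec that asserts the responses for a private status and for a nonexistent URL are equal. A short comment on the guard would help the next reader keep that invariant: `# Non-public statuses must answer exactly like a missing status, or the endpoint reveals they exist.` Note that `hidden?` is the only check here, so whatever visibility levels it does not cover (unlisted, presumably) remain embeddable without authentication; that looks intended but is worth stating in the same comment.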
|   | ||||
| @@ -46,7 +46,7 @@ class StatusesController < ApplicationController | ||||
|   end | ||||
|  | ||||
|   def embed | ||||
|     raise ActiveRecord::RecordNotFound if @status.hidden? | ||||
|     return not_found if @status.hidden? | ||||
|  | ||||
|     expires_in 180, public: true | ||||
|     response.headers['X-Frame-Options'] = 'ALLOWALL' | ||||
| @@ -68,7 +68,7 @@ class StatusesController < ApplicationController | ||||
|     @status = @account.statuses.find(params[:id]) | ||||
|     authorize @status, :show? | ||||
|   rescue Mastodon::NotPermittedError | ||||
|     raise ActiveRecord::RecordNotFound | ||||
|     not_found | ||||
|   end | ||||
|  | ||||
|   def set_instance_presenter | ||||
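Review bot: The 404 produced in the `rescue Mastodon::NotPermittedError` branch of `set_status` (`not_found`) and the 404 produced when `@account.statuses.find(params[:id])` raises `RecordNotFound` now come from two different code paths — a direct render here versus whichever handler catches the exception outside this hunk — so they can drift apart in body, format negotiation or headers and reopen the existence leak for the HTML routes. Confirm `ApplicationController#not_found` renders exactly what the `RecordNotFound` handler does, or route both through the same method. The `def set_status` line is above the hunk; if it is a before_action, rendering inside the rescue halts the chain, which is why no `return` is needed here while `embed` in the earlier hunk does need `return not_found` to avoid a double render. A one-line comment on the rescue would record the intent: `# Render the same 404 as a missing status so authorization failures are not distinguishable from non-existence.`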
|   | ||||