
Fix media attachment enumeration

Signed-off-by: Eugen Rochko <eugen@zeonfederated.com>
Thibaut Girka 1 month ago
parent
commit
2d2e3651ee

+ 4
- 1
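--- a/app/controllers/media_proxy_controller.rb
+++ b/app/controllers/media_proxy_controller.rb
@@ -2,6 +2,7 @@
 
 class MediaProxyController < ApplicationController
   include RoutingHelper
+  include Authorization
 
   skip_before_action :store_current_location
   skip_before_action :require_functional!
@@ -10,12 +11,14 @@ class MediaProxyController < ApplicationController
 
   rescue_from ActiveRecord::RecordInvalid, with: :not_found
   rescue_from Mastodon::UnexpectedResponseError, with: :not_found
+  rescue_from Mastodon::NotPermittedError, with: :not_found
   rescue_from HTTP::TimeoutError, HTTP::ConnectionError, OpenSSL::SSL::SSLError, with: :internal_server_error
 
   def show
     RedisLock.acquire(lock_options) do |lock|
       if lock.acquired?
-        @media_attachment = MediaAttachment.remote.find(params[:id])
+        @media_attachment = MediaAttachment.remote.attached.find(params[:id])
+        authorize @media_attachment.status, :show?
         redownload! if @media_attachment.needs_redownload? && !reject_media?
       else
         raise Mastodon::RaceConditionError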
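Review bot: The new `rescue_from Mastodon::NotPermittedError, with: :not_found` is the line that actually closes the enumeration hole, and it deserves a why-comment so nobody later "corrects" it to a 403: `# Answer 404 rather than 403 so a non-visible attachment is indistinguishable from a nonexistent one`. The `authorize @media_attachment.status, :show?` call assumes every record returned by `MediaAttachment.remote.attached` carries a non-nil `status`; if the `attached` scope (not shown here) also admits attachments tied only to a scheduled status, `authorize nil, :show?` would fail with something other than `NotPermittedError` and surface as a 500 instead of a 404, which is worth confirming against the model. Running `authorize` before `redownload!` is the right order, since a denied request can then never cause the server to fetch the remote URL. The body of `show` continues past the end of this hunk.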

+ 1
- 2
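--- a/spec/controllers/media_controller_spec.rb
+++ b/spec/controllers/media_controller_spec.rb
@@ -28,9 +28,8 @@ describe MediaController do
     end
 
     it 'raises when not permitted to view' do
-      status = Fabricate(:status)
+      status = Fabricate(:status, visibility: :direct)
       media_attachment = Fabricate(:media_attachment, status: status)
-      allow_any_instance_of(MediaController).to receive(:authorize).and_raise(ActiveRecord::RecordNotFound)
       get :show, params: { id: media_attachment.to_param }
 
       expect(response).to have_http_status(404)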

+ 42
- 0
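--- /dev/null
+++ b/spec/controllers/media_proxy_controller_spec.rb
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe MediaProxyController do
+  render_views
+
+  before do
+    stub_request(:get, 'http://example.com/attachment.png').to_return(request_fixture('avatar.txt'))
+  end
+
+  describe '#show' do
+    it 'redirects when attached to a status' do
+      status = Fabricate(:status)
+      media_attachment = Fabricate(:media_attachment, status: status, remote_url: 'http://example.com/attachment.png')
+      get :show, params: { id: media_attachment.id }
+
+      expect(response).to have_http_status(302)
+    end
+
+    it 'responds with missing when there is not an attached status' do
+      media_attachment = Fabricate(:media_attachment, status: nil, remote_url: 'http://example.com/attachment.png')
+      get :show, params: { id: media_attachment.id }
+
+      expect(response).to have_http_status(404)
+    end
+
+    it 'raises when id cant be found' do
+      get :show, params: { id: 'missing' }
+
+      expect(response).to have_http_status(404)
+    end
+
+    it 'raises when not permitted to view' do
+      status = Fabricate(:status, visibility: :direct)
+      media_attachment = Fabricate(:media_attachment, status: status, remote_url: 'http://example.com/attachment.png')
+      get :show, params: { id: media_attachment.id }
+
+      expect(response).to have_http_status(404)
+    end
+  end
+end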
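Review bot: The 'raises when not permitted to view' case only checks the status code; since `before` stubs the remote URL, it should also assert that the denied request never reached out for the file, e.g. `expect(a_request(:get, 'http://example.com/attachment.png')).not_to have_been_made` after the `get`, which pins the authorize-before-redownload ordering that makes the 404 safe. There is no positive case for a restricted status viewed by an account that is allowed to see it (for instance the author signed in on a `:direct` status), so an over-broad policy that hides everything non-public would still pass this suite. The two 'raises when …' descriptions are misleading because the expectations are on a 404 response, not an exception; 'responds with 404 when …' would describe them accurately.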
