Fix leak of existence of otherwise inaccessible statuses in REST API (#17684)

This commit is contained in:
Eugen Rochko 2022-03-02 18:57:26 +01:00 committed by GitHub
parent 02b8d63fce
commit e24b14cc74
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -92,8 +92,9 @@ class Api::V1::StatusesController < Api::BaseController
end
def set_thread
@thread = status_params[:in_reply_to_id].blank? ? nil : Status.find(status_params[:in_reply_to_id])
rescue ActiveRecord::RecordNotFound
@thread = Status.find(status_params[:in_reply_to_id]) if status_params[:in_reply_to_id].present?
authorize(@thread, :show?) if @thread.present?
rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
render json: { error: I18n.t('statuses.errors.in_reply_not_found') }, status: 404
end