Fix leak of arbitrary statuses through unfavourite action in REST API (#13161)

2020-02-27 12:32:54 +01:00
parent 7face973fa
commit 0c28a505dd
8 changed files with 203 additions and 124 deletions
--- a/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
@ -69,8 +69,7 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController
    @status = Status.find(params[:status_id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    # Reraise in order to get a 404 instead of a 403 error code
-    raise ActiveRecord::RecordNotFound
+    not_found
  end

  def pagination_params(core_params)