Allow accessing local private/DM messages by URL (#8196)

* Allow accessing local private/DM messages by URL (Provided the user pasting the URL is authorized to see the toot, obviously) * Fix SearchServiceSpec tests
2018-08-15 19:33:36 +02:00
parent 4df9cabb22
commit af912fb308
3 changed files with 12 additions and 6 deletions
--- a/app/services/resolve_url_service.rb
+++ b/app/services/resolve_url_service.rb
@ -2,11 +2,13 @@

 class ResolveURLService < BaseService
  include JsonLdHelper
+  include Authorization

  attr_reader :url

-  def call(url)
+  def call(url, on_behalf_of: nil)
    @url = url
+    @on_behalf_of = on_behalf_of

    return process_local_url if local_url?

@ -84,6 +86,10 @@ class ResolveURLService < BaseService

  def check_local_status(status)
    return if status.nil?
-    status if status.public_visibility? || status.unlisted_visibility?
+    authorize_with @on_behalf_of, status, :show?
+    status
+  rescue Mastodon::NotPermittedError
+    # Do not disclose the existence of status the user is not authorized to see
+    nil
  end
 end
--- a/app/services/search_service.rb
+++ b/app/services/search_service.rb
@ -53,7 +53,7 @@ class SearchService < BaseService
  end

  def url_resource
-    @_url_resource ||= ResolveURLService.new.call(query)
+    @_url_resource ||= ResolveURLService.new.call(query, on_behalf_of: @account)
  end

  def url_resource_symbol
--- a/spec/services/search_service_spec.rb
+++ b/spec/services/search_service_spec.rb
@ -29,7 +29,7 @@ describe SearchService, type: :service do
          allow(ResolveURLService).to receive(:new).and_return(service)
          results = subject.call(@query, 10)

-          expect(service).to have_received(:call).with(@query)
+          expect(service).to have_received(:call).with(@query, on_behalf_of: nil)
          expect(results).to eq empty_results
        end
      end
@ -41,7 +41,7 @@ describe SearchService, type: :service do
          allow(ResolveURLService).to receive(:new).and_return(service)

          results = subject.call(@query, 10)
-          expect(service).to have_received(:call).with(@query)
+          expect(service).to have_received(:call).with(@query, on_behalf_of: nil)
          expect(results).to eq empty_results.merge(accounts: [account])
        end
      end
@ -53,7 +53,7 @@ describe SearchService, type: :service do
          allow(ResolveURLService).to receive(:new).and_return(service)

          results = subject.call(@query, 10)
-          expect(service).to have_received(:call).with(@query)
+          expect(service).to have_received(:call).with(@query, on_behalf_of: nil)
          expect(results).to eq empty_results.merge(statuses: [status])
        end
      end