closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
Browse Source

Fix poll API not requiring authentication on non-public polls (#10960) 

* Fix poll API not requiring authentication on non-public polls

That API does not reveal the content of the status, i.e. the question
itself, nor who the author is, nor which status it belongs to, but it
does reveal the poll options and how many answers they got

Fix #10959

* Add test
pull/4/head
Eugen Rochko 4 years ago
committed by GitHub
parent
6077eca240
commit
48fee1a800
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 4 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +16
    -1
      app/controllers/api/v1/polls_controller.rb
  2. +15
    -3
      spec/controllers/api/v1/polls_controller_spec.rb

+ 16
- 1
app/controllers/api/v1/polls_controller.rb View File

@ -1,13 +1,28 @@
# frozen_string_literal: true
class Api::V1::PollsController < Api::BaseController
include Authorization
before_action -> { authorize_if_got_token! :read, :'read:statuses' }, only: :show
before_action :set_poll
before_action :refresh_poll
respond_to :json
def show
render json: @poll, serializer: REST::PollSerializer, include_results: true
end
private
def set_poll
@poll = Poll.attached.find(params[:id])
authorize @poll.status, :show?
rescue Mastodon::NotPermittedError
raise ActiveRecord::RecordNotFound
end
def refresh_poll
ActivityPub::FetchRemotePollService.new.call(@poll, current_account) if user_signed_in? && @poll.possibly_stale?
render json: @poll, serializer: REST::PollSerializer, include_results: true
end
end

+ 15
- 3
spec/controllers/api/v1/polls_controller_spec.rb View File

@ -10,14 +10,26 @@ RSpec.describe Api::V1::PollsController, type: :controller do
before { allow(controller).to receive(:doorkeeper_token) { token } }
describe 'GET #show' do
let(:poll) { Fabricate(:poll) }
let(:poll) { Fabricate(:poll, status: Fabricate(:status, visibility: visibility)) }
before do
get :show, params: { id: poll.id }
end
it 'returns http success' do
expect(response).to have_http_status(200)
context 'when parent status is public' do
let(:visibility) { 'public' }
it 'returns http success' do
expect(response).to have_http_status(200)
end
end
context 'when parent status is private' do
let(:visibility) { 'private' }
it 'returns http not found' do
expect(response).to have_http_status(404)
end
end
end
end

Write Preview
Loading…
Cancel
Save