Fix /api/v1/timelines/tag/:hashtag allowing for unauthenticated access when public preview is disabled (#26237)

This commit is contained in:
Daniel M Brasil 2023-08-31 08:53:24 -03:00 committed by GitHub
parent 336ec503c2
commit ccca542db1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 53 additions and 18 deletions

View file

@ -1,6 +1,7 @@
# frozen_string_literal: true # frozen_string_literal: true
class Api::V1::Timelines::TagController < Api::BaseController class Api::V1::Timelines::TagController < Api::BaseController
before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: :show, if: :require_auth?
before_action :load_tag before_action :load_tag
after_action :insert_pagination_headers, unless: -> { @statuses.empty? } after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
@ -12,6 +13,10 @@ class Api::V1::Timelines::TagController < Api::BaseController
private private
def require_auth?
!Setting.timeline_preview
end
def load_tag def load_tag
@tag = Tag.find_normalized(params[:id]) @tag = Tag.find_normalized(params[:id])
end end

View file

@ -5,36 +5,66 @@ require 'rails_helper'
describe Api::V1::Timelines::TagController do describe Api::V1::Timelines::TagController do
render_views render_views
let(:user) { Fabricate(:user) } let(:user) { Fabricate(:user) }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:statuses') }
before do before do
allow(controller).to receive(:doorkeeper_token) { token } allow(controller).to receive(:doorkeeper_token) { token }
end end
context 'with a user context' do describe 'GET #show' do
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id) } subject do
get :show, params: { id: 'test' }
end
describe 'GET #show' do before do
before do PostStatusService.new.call(user.account, text: 'It is a #test')
PostStatusService.new.call(user.account, text: 'It is a #test') end
context 'when the instance allows public preview' do
context 'when the user is not authenticated' do
let(:token) { nil }
it 'returns http success', :aggregate_failures do
subject
expect(response).to have_http_status(200)
expect(response.headers['Link'].links.size).to eq(2)
end
end end
it 'returns http success' do context 'when the user is authenticated' do
get :show, params: { id: 'test' } it 'returns http success', :aggregate_failures do
expect(response).to have_http_status(200) subject
expect(response.headers['Link'].links.size).to eq(2)
expect(response).to have_http_status(200)
expect(response.headers['Link'].links.size).to eq(2)
end
end end
end end
end
context 'without a user context' do context 'when the instance does not allow public preview' do
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil) } before do
Form::AdminSettings.new(timeline_preview: false).save
end
describe 'GET #show' do context 'when the user is not authenticated' do
it 'returns http success' do let(:token) { nil }
get :show, params: { id: 'test' }
expect(response).to have_http_status(200) it 'returns http unauthorized' do
expect(response.headers['Link']).to be_nil subject
expect(response).to have_http_status(401)
end
end
context 'when the user is authenticated' do
it 'returns http success', :aggregate_failures do
subject
expect(response).to have_http_status(200)
expect(response.headers['Link'].links.size).to eq(2)
end
end end
end end
end end