Fix `/api/v1/timelines/tag/:hashtag` allowing for unauthenticated access when public preview is disabled (#26237)
This commit is contained in:
parent
336ec503c2
commit
ccca542db1
|
@ -1,6 +1,7 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class Api::V1::Timelines::TagController < Api::BaseController
|
class Api::V1::Timelines::TagController < Api::BaseController
|
||||||
|
before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: :show, if: :require_auth?
|
||||||
before_action :load_tag
|
before_action :load_tag
|
||||||
after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
|
after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
|
||||||
|
|
||||||
|
@ -12,6 +13,10 @@ class Api::V1::Timelines::TagController < Api::BaseController
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
|
def require_auth?
|
||||||
|
!Setting.timeline_preview
|
||||||
|
end
|
||||||
|
|
||||||
def load_tag
|
def load_tag
|
||||||
@tag = Tag.find_normalized(params[:id])
|
@tag = Tag.find_normalized(params[:id])
|
||||||
end
|
end
|
||||||
|
|
|
@ -6,35 +6,65 @@ describe Api::V1::Timelines::TagController do
|
||||||
render_views
|
render_views
|
||||||
|
|
||||||
let(:user) { Fabricate(:user) }
|
let(:user) { Fabricate(:user) }
|
||||||
|
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:statuses') }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
allow(controller).to receive(:doorkeeper_token) { token }
|
allow(controller).to receive(:doorkeeper_token) { token }
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with a user context' do
|
|
||||||
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id) }
|
|
||||||
|
|
||||||
describe 'GET #show' do
|
describe 'GET #show' do
|
||||||
|
subject do
|
||||||
|
get :show, params: { id: 'test' }
|
||||||
|
end
|
||||||
|
|
||||||
before do
|
before do
|
||||||
PostStatusService.new.call(user.account, text: 'It is a #test')
|
PostStatusService.new.call(user.account, text: 'It is a #test')
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns http success' do
|
context 'when the instance allows public preview' do
|
||||||
get :show, params: { id: 'test' }
|
context 'when the user is not authenticated' do
|
||||||
|
let(:token) { nil }
|
||||||
|
|
||||||
|
it 'returns http success', :aggregate_failures do
|
||||||
|
subject
|
||||||
|
|
||||||
|
expect(response).to have_http_status(200)
|
||||||
|
expect(response.headers['Link'].links.size).to eq(2)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the user is authenticated' do
|
||||||
|
it 'returns http success', :aggregate_failures do
|
||||||
|
subject
|
||||||
|
|
||||||
expect(response).to have_http_status(200)
|
expect(response).to have_http_status(200)
|
||||||
expect(response.headers['Link'].links.size).to eq(2)
|
expect(response.headers['Link'].links.size).to eq(2)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'without a user context' do
|
context 'when the instance does not allow public preview' do
|
||||||
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil) }
|
before do
|
||||||
|
Form::AdminSettings.new(timeline_preview: false).save
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the user is not authenticated' do
|
||||||
|
let(:token) { nil }
|
||||||
|
|
||||||
|
it 'returns http unauthorized' do
|
||||||
|
subject
|
||||||
|
|
||||||
|
expect(response).to have_http_status(401)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the user is authenticated' do
|
||||||
|
it 'returns http success', :aggregate_failures do
|
||||||
|
subject
|
||||||
|
|
||||||
describe 'GET #show' do
|
|
||||||
it 'returns http success' do
|
|
||||||
get :show, params: { id: 'test' }
|
|
||||||
expect(response).to have_http_status(200)
|
expect(response).to have_http_status(200)
|
||||||
expect(response.headers['Link']).to be_nil
|
expect(response.headers['Link'].links.size).to eq(2)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue