class MediaProxyController < ApplicationController
include RoutingHelper
+ include Authorization
skip_before_action :store_current_location
skip_before_action :require_functional!
rescue_from ActiveRecord::RecordInvalid, with: :not_found
rescue_from Mastodon::UnexpectedResponseError, with: :not_found
+ rescue_from Mastodon::NotPermittedError, with: :not_found
rescue_from HTTP::TimeoutError, HTTP::ConnectionError, OpenSSL::SSL::SSLError, with: :internal_server_error
def show
RedisLock.acquire(lock_options) do |lock|
if lock.acquired?
- @media_attachment = MediaAttachment.remote.find(params[:id])
+ @media_attachment = MediaAttachment.remote.attached.find(params[:id])
+ authorize @media_attachment.status, :show?
redownload! if @media_attachment.needs_redownload? && !reject_media?
else
raise Mastodon::RaceConditionError
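Review bot: The new `rescue_from Mastodon::NotPermittedError, with: :not_found` deserves a comment stating why an authorization failure is answered with 404 rather than 403, so a later reader does not "correct" it: `# Answer 404, not 403, so the proxy does not reveal whether a non-public attachment exists`. The spec added in this commit relies on that choice (it expects 404 for a direct-visibility status). Separately, the `find` and `authorize` calls now run inside `RedisLock.acquire`, so the lock is held for the lookup and policy check and is contended by requests that end up rejected; if `lock_options` does not depend on the loaded record, moving those two lines above `RedisLock.acquire` would narrow the critical section to the redownload. The body of `show` continues past the end of the hunk.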
t.index ["target_account_id"], name: "index_account_moderation_notes_on_target_account_id"
end
+ create_table "account_notes", force: :cascade do |t|
+ t.bigint "account_id"
+ t.bigint "target_account_id"
+ t.text "comment", null: false
+ t.datetime "created_at", null: false
+ t.datetime "updated_at", null: false
+ t.index ["account_id", "target_account_id"], name: "index_account_notes_on_account_id_and_target_account_id", unique: true
+ t.index ["target_account_id"], name: "index_account_notes_on_target_account_id"
+ end
+
create_table "account_pins", force: :cascade do |t|
t.bigint "account_id"
t.bigint "target_account_id"
t.index ["user_id", "timeline"], name: "index_markers_on_user_id_and_timeline", unique: true
end
- create_table "media_attachments", force: :cascade do |t|
+ create_table "media_attachments", id: :bigint, default: -> { "timestamp_id('media_attachments'::text)" }, force: :cascade do |t|
t.bigint "status_id"
t.string "file_file_name"
t.string "file_content_type"
t.index ["user_id"], name: "index_user_invite_requests_on_user_id"
end
- create_table "account_notes", force: :cascade do |t|
- t.bigint "account_id"
- t.bigint "target_account_id"
- t.text "comment", null: false
- t.datetime "created_at", null: false
- t.datetime "updated_at", null: false
- t.index ["account_id", "target_account_id"], name: "index_account_notes_on_account_id_and_target_account_id", unique: true
- t.index ["target_account_id"], name: "index_account_notes_on_target_account_id"
- end
-
create_table "users", force: :cascade do |t|
t.string "email", default: "", null: false
t.datetime "created_at", null: false
add_foreign_key "account_migrations", "accounts", on_delete: :cascade
add_foreign_key "account_moderation_notes", "accounts"
add_foreign_key "account_moderation_notes", "accounts", column: "target_account_id"
+ add_foreign_key "account_notes", "accounts", column: "target_account_id", on_delete: :cascade
+ add_foreign_key "account_notes", "accounts", on_delete: :cascade
add_foreign_key "account_pins", "accounts", column: "target_account_id", on_delete: :cascade
add_foreign_key "account_pins", "accounts", on_delete: :cascade
add_foreign_key "account_stats", "accounts", on_delete: :cascade
add_foreign_key "statuses_tags", "tags", name: "fk_3081861e21", on_delete: :cascade
add_foreign_key "tombstones", "accounts", on_delete: :cascade
add_foreign_key "user_invite_requests", "users", on_delete: :cascade
- add_foreign_key "account_notes", "accounts", column: "target_account_id", on_delete: :cascade
- add_foreign_key "account_notes", "accounts", on_delete: :cascade
add_foreign_key "users", "accounts", name: "fk_50500f500d", on_delete: :cascade
add_foreign_key "users", "invites", on_delete: :nullify
add_foreign_key "users", "oauth_applications", column: "created_by_application_id", on_delete: :nullify
--- /dev/null
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe MediaProxyController do
+ render_views
+
+ before do
+ stub_request(:get, 'http://example.com/attachment.png').to_return(request_fixture('avatar.txt'))
+ end
+
+ describe '#show' do
+ it 'redirects when attached to a status' do
+ status = Fabricate(:status)
+ media_attachment = Fabricate(:media_attachment, status: status, remote_url: 'http://example.com/attachment.png')
+ get :show, params: { id: media_attachment.id }
+
+ expect(response).to have_http_status(302)
+ end
+
+ it 'responds with missing when there is not an attached status' do
+ media_attachment = Fabricate(:media_attachment, status: nil, remote_url: 'http://example.com/attachment.png')
+ get :show, params: { id: media_attachment.id }
+
+ expect(response).to have_http_status(404)
+ end
+
+ it 'raises when id cant be found' do
+ get :show, params: { id: 'missing' }
+
+ expect(response).to have_http_status(404)
+ end
+
+ it 'raises when not permitted to view' do
+ status = Fabricate(:status, visibility: :direct)
+ media_attachment = Fabricate(:media_attachment, status: status, remote_url: 'http://example.com/attachment.png')
+ get :show, params: { id: media_attachment.id }
+
+ expect(response).to have_http_status(404)
+ end
+ end
+end
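Review bot: The descriptions `'raises when id cant be found'` and `'raises when not permitted to view'` do not match what the examples assert — the controller's `rescue_from` handlers turn both conditions into a 404 response and nothing is raised to the test — so `'responds with not found when the id does not exist'` and `'responds with not found when not permitted to view'` would describe the behaviour accurately. The not-permitted example also exercises only the anonymous case; a second example with a signed-in user who is not the author of the direct status would show that the 404 is a policy decision rather than just a missing session, though that depends on sign-in helpers not visible here.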