Allow accessing local private/DM messages by URL (#8196)
authorThibG <thib@sitedethib.com>
Wed, 15 Aug 2018 17:33:36 +0000 (19:33 +0200)
committerEugen Rochko <eugen@zeonfederated.com>
Wed, 15 Aug 2018 17:33:36 +0000 (19:33 +0200)
* Allow accessing local private/DM messages by URL

(Provided the user pasting the URL is authorized to see the toot, obviously)

* Fix SearchServiceSpec tests

app/services/resolve_url_service.rb
app/services/search_service.rb
spec/services/search_service_spec.rb

index a068c1ed86a2ae21f31ec9f58f34741d85eaac2b..1db1917e27c2ef2edbc85058b0d69c80de908c07 100644 (file)
@@ -2,11 +2,13 @@
 
 class ResolveURLService < BaseService
   include JsonLdHelper
+  include Authorization
 
   attr_reader :url
 
-  def call(url)
+  def call(url, on_behalf_of: nil)
     @url = url
+    @on_behalf_of = on_behalf_of
 
     return process_local_url if local_url?
 
@@ -84,6 +86,10 @@ class ResolveURLService < BaseService
 
   def check_local_status(status)
     return if status.nil?
-    status if status.public_visibility? || status.unlisted_visibility?
+    authorize_with @on_behalf_of, status, :show?
+    status
+  rescue Mastodon::NotPermittedError
+    # Do not disclose the existence of status the user is not authorized to see
+    nil
   end
 end
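Review bot: In `check_local_status`, `authorize_with @on_behalf_of, status, :show?` runs with `@on_behalf_of` set to nil whenever a caller omits the new keyword, so the old explicit public/unlisted allow-list is replaced by whatever the status policy's `show?` decides for a nil account. That policy is not visible in this diff; it presumably treats nil as an anonymous viewer, and that assumption deserves a comment above the call, e.g. `# @on_behalf_of may be nil (anonymous viewer); the policy must deny private/direct statuses in that case`. Returning nil from the rescue keeps a denied status indistinguishable from a missing one, and any later refactor of this method should keep it that way.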
index 5bb395942da0bec28894e68d02db0600b8c84beb..cc1fcb52f0a5d3459a5f92de663d9e27f4ea7882 100644 (file)
@@ -53,7 +53,7 @@ class SearchService < BaseService
   end
 
   def url_resource
-    @_url_resource ||= ResolveURLService.new.call(query)
+    @_url_resource ||= ResolveURLService.new.call(query, on_behalf_of: @account)
   end
 
   def url_resource_symbol
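Review bot: `@_url_resource ||=` in `url_resource` now memoizes a result that depends on `@account`, so the cached status is only valid for the account this instance was called with. Where `@account` is assigned is outside the hunk; if a SearchService instance were ever reused with a different account, a private status resolved for the first caller could be returned to the second. A short comment such as `# memoized per instance; the result is specific to @account` would make that constraint explicit.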
index 673de523385c27ca8bc00cb6887dfa5d0b7fd0a4..671080f1d980e68936c3ddb9b613bf63dc8ac98f 100644 (file)
@@ -29,7 +29,7 @@ describe SearchService, type: :service do
           allow(ResolveURLService).to receive(:new).and_return(service)
           results = subject.call(@query, 10)
 
-          expect(service).to have_received(:call).with(@query)
+          expect(service).to have_received(:call).with(@query, on_behalf_of: nil)
           expect(results).to eq empty_results
         end
       end
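Review bot: The updated expectation here, and the identical ones in the two following hunks, only pin `on_behalf_of: nil`, so nothing checks that SearchService forwards a real account to ResolveURLService. No test in this commit exercises the new authorization path either. I would add a context that passes an account into the search and expects `have_received(:call).with(@query, on_behalf_of: account)`. ResolveURLService also needs examples for a local private or direct status: nil for an anonymous caller and for an account that is not permitted, and the status itself for an account that is.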
@@ -41,7 +41,7 @@ describe SearchService, type: :service do
           allow(ResolveURLService).to receive(:new).and_return(service)
 
           results = subject.call(@query, 10)
-          expect(service).to have_received(:call).with(@query)
+          expect(service).to have_received(:call).with(@query, on_behalf_of: nil)
           expect(results).to eq empty_results.merge(accounts: [account])
         end
       end
@@ -53,7 +53,7 @@ describe SearchService, type: :service do
           allow(ResolveURLService).to receive(:new).and_return(service)
 
           results = subject.call(@query, 10)
-          expect(service).to have_received(:call).with(@query)
+          expect(service).to have_received(:call).with(@query, on_behalf_of: nil)
           expect(results).to eq empty_results.merge(statuses: [status])
         end
       end