Fix OEmbed leaking information about existence of non-public statuses (#12930)

diff --git a/app/controllers/api/oembed_controller.rb b/app/controllers/api/oembed_controller.rb
index c8c60b1cf664c9b6f1fd641c9b732dc331b6bb5a..66da65bedaf7411884f92d2c3106d811259c3435 100644 (file)
--- a/app/controllers/api/oembed_controller.rb
+++ b/app/controllers/api/oembed_controller.rb
@@ -1,17 +1,25 @@
 # frozen_string_literal: true
 
 class Api::OEmbedController < Api::BaseController
-  respond_to :json
-
   skip_before_action :require_authenticated_user!
 
+  before_action :set_status
+  before_action :require_public_status!
+
   def show
-    @status = status_finder.status
     render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default
   end
 
   private
 
+  def set_status
+    @status = status_finder.status
+  end
+
+  def require_public_status!
+    not_found if @status.hidden?
+  end
+
   def status_finder
     StatusFinder.new(params[:url])
   end

diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb
index 57bbeca6434bed4e58b81dea78f8a7103448abce..4fa1283034fa90edfb2e71786c97d3eb28961b14 100644 (file)
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@@ -46,7 +46,7 @@ class StatusesController < ApplicationController
   end
 
   def embed
-    raise ActiveRecord::RecordNotFound if @status.hidden?
+    return not_found if @status.hidden?
 
     expires_in 180, public: true
     response.headers['X-Frame-Options'] = 'ALLOWALL'
@@ -68,7 +68,7 @@ class StatusesController < ApplicationController
     @status = @account.statuses.find(params[:id])
     authorize @status, :show?
   rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
   end
 
   def set_instance_presenter