Fix leak of existence of otherwise inaccessible statuses in REST API (#17684)

author Eugen Rochko <eugen@zeonfederated.com>

Wed, 2 Mar 2022 17:57:26 +0000 (18:57 +0100)

committer GitHub <noreply@github.com>

Wed, 2 Mar 2022 17:57:26 +0000 (18:57 +0100)
author Eugen Rochko <eugen@zeonfederated.com>
Wed, 2 Mar 2022 17:57:26 +0000 (18:57 +0100)
committer GitHub <noreply@github.com>
Wed, 2 Mar 2022 17:57:26 +0000 (18:57 +0100)
diff --git a/app/controllers/api/v1/statuses_controller.rb b/app/controllers/api/v1/statuses_controller.rb

index 2d82a7a99b8a5e46aee17263cbed6e6de8e8b53c..f48aeb945aec21c42d690c4f02516b4813c694d6 100644 (file)
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@@ -92,8 +92,9 @@ class Api::V1::StatusesController < Api::BaseController
    end
  
    def set_thread
-    @thread = status_params[:in_reply_to_id].blank? ? nil : Status.find(status_params[:in_reply_to_id])
-  rescue ActiveRecord::RecordNotFound
+    @thread = Status.find(status_params[:in_reply_to_id]) if status_params[:in_reply_to_id].present?
+    authorize(@thread, :show?) if @thread.present?
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
      render json: { error: I18n.t('statuses.errors.in_reply_not_found') }, status: 404
    end
author	Eugen Rochko <eugen@zeonfederated.com>
	Wed, 2 Mar 2022 17:57:26 +0000 (18:57 +0100)
committer	GitHub <noreply@github.com>
	Wed, 2 Mar 2022 17:57:26 +0000 (18:57 +0100)