Prevent posting toots with media attachments from someone else (#9921)

author ThibG <thib@sitedethib.com>

Sat, 26 Jan 2019 22:59:39 +0000 (23:59 +0100)

committer Eugen Rochko <eugen@zeonfederated.com>

Sat, 26 Jan 2019 22:59:39 +0000 (23:59 +0100)
author ThibG <thib@sitedethib.com>
Sat, 26 Jan 2019 22:59:39 +0000 (23:59 +0100)
committer Eugen Rochko <eugen@zeonfederated.com>
Sat, 26 Jan 2019 22:59:39 +0000 (23:59 +0100)
diff --git a/app/services/post_status_service.rb b/app/services/post_status_service.rb

index 1f5a3f4cf9ee5e4238cfe47613dd6611ed926d6e..9959bb1fbf7d02ea8de817b655bea66116e016e9 100644 (file)
--- a/app/services/post_status_service.rb
+++ b/app/services/post_status_service.rb
@@ -93,7 +93,7 @@ class PostStatusService < BaseService
  
      raise Mastodon::ValidationError, I18n.t('media_attachments.validations.too_many') if @options[:media_ids].size > 4
  
-    @media = MediaAttachment.where(status_id: nil).where(id: @options[:media_ids].take(4).map(&:to_i))
+    @media = @account.media_attachments.where(status_id: nil).where(id: @options[:media_ids].take(4).map(&:to_i))
  
      raise Mastodon::ValidationError, I18n.t('media_attachments.validations.images_and_video') if @media.size > 1 && @media.find(&:video?)
    end
diff --git a/spec/services/post_status_service_spec.rb b/spec/services/post_status_service_spec.rb

index 680cebbcf383112023c6baff5eb7cd842c89ac83..facbe977f2333096f345c8b9e27ad082ae3bb63f 100644 (file)
--- a/spec/services/post_status_service_spec.rb
+++ b/spec/services/post_status_service_spec.rb
@@ -167,7 +167,7 @@ RSpec.describe PostStatusService, type: :service do
  
    it 'attaches the given media to the created status' do
      account = Fabricate(:account)
-    media = Fabricate(:media_attachment)
+    media = Fabricate(:media_attachment, account: account)
  
      status = subject.call(
        account,
@@ -178,6 +178,19 @@ RSpec.describe PostStatusService, type: :service do
      expect(media.reload.status).to eq status
    end
  
+  it 'does not attach media from another account to the created status' do
+    account = Fabricate(:account)
+    media = Fabricate(:media_attachment, account: Fabricate(:account))
+
+    status = subject.call(
+      account,
+      text: "test status update",
+      media_ids: [media.id],
+    )
+
+    expect(media.reload.status).to eq nil
+  end
+
    it 'does not allow attaching more than 4 files' do
      account = Fabricate(:account)
author	ThibG <thib@sitedethib.com>
	Sat, 26 Jan 2019 22:59:39 +0000 (23:59 +0100)
committer	Eugen Rochko <eugen@zeonfederated.com>
	Sat, 26 Jan 2019 22:59:39 +0000 (23:59 +0100)
app/services/post_status_service.rb		patch \| blob \| history
spec/services/post_status_service_spec.rb		patch \| blob \| history