]> cat aescling's git repositories - mastodon.git/commitdiff
Update StatusPolicy to check current_account for local_only? toots.
author: David Yip <yipdw@member.fsf.org>
Fri, 17 Nov 2017 15:07:21 +0000 (09:07 -0600)
committer: David Yip <yipdw@member.fsf.org>
Fri, 17 Nov 2017 15:07:21 +0000 (09:07 -0600)
StatusPolicy#account was renamed to StatusPolicy#current_account in
upstream.  This commit renames the local-only changes to match and
augments the #show? policy spec with what we expect for local-only
toots.

app/policies/status_policy.rb
spec/policies/status_policy_spec.rb

index 8e0c1eef18fe4f791d9201dd98ab649d70a44218..369ede2b0b70d5ce2bb4ea7e0db488a80c7a24c7 100644 (file)
@@ -6,7 +6,7 @@ class StatusPolicy < ApplicationPolicy
   end
 
   def show?
-    return false if local_only? && account.nil?
+    return false if local_only? && current_account.nil?
 
     if direct?
       owned? || record.mentions.where(account: current_account).exists?
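Review bot: The guard at the top of `show?` only rejects a nil `current_account`, so any non-nil account passes the local-only check and falls through to the `direct?` branch and whatever follows it. If this policy can ever be evaluated with an account that does not belong to this instance, a local-only toot would be authorized for it. Consider making the condition state the intent directly, for example denying unless `current_account` is present and local, or add a comment saying that `current_account` is guaranteed to be a signed-in local account here, so the nil check is understood to be sufficient.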
index bacb8fd9e3fe9e62d4c80367022cc8ce0ac833af..a90e22aadd48849707cd7ac9afbcb2abf6f0857d 100644 (file)
@@ -71,6 +71,12 @@ RSpec.describe StatusPolicy, type: :model do
 
       expect(subject).to_not permit(viewer, status)
     end
+
+    it 'denies access when local-only and the viewer is not logged in' do
+      allow(status).to receive(:local_only?) { true }
+
+      expect(subject).to_not permit(nil, status)
+    end
   end
 
   permissions :reblog? do
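Review bot: The added example in the `show?` permissions block covers only the denial path, `permit(nil, status)` with `local_only?` stubbed to true. There is no matching example asserting that a logged-in viewer is still permitted when the status is local-only, so a change that made the guard deny everyone would pass this spec. Add the positive case next to it, and consider a case with `local_only?` false and a nil viewer to pin down that the guard does not affect ordinary public toots. Also note that the stub is placed on `status`, so the example only exercises the guard if the policy's `local_only?` delegates to the record; that helper is not visible in this diff.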