Fix leak of existence of otherwise inaccessible statuses in REST API (#17684)

This commit is contained in:
Eugen Rochko 2022-03-02 18:57:26 +01:00 committed by GitHub
parent 02b8d63fce
commit e24b14cc74
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -92,8 +92,9 @@ class Api::V1::StatusesController < Api::BaseController
end end
def set_thread def set_thread
@thread = status_params[:in_reply_to_id].blank? ? nil : Status.find(status_params[:in_reply_to_id]) @thread = Status.find(status_params[:in_reply_to_id]) if status_params[:in_reply_to_id].present?
rescue ActiveRecord::RecordNotFound authorize(@thread, :show?) if @thread.present?
rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
render json: { error: I18n.t('statuses.errors.in_reply_not_found') }, status: 404 render json: { error: I18n.t('statuses.errors.in_reply_not_found') }, status: 404
end end