mirror of https://github.com/tootsuite/mastodon
Fix media attachment enumeration
Signed-off-by: Eugen Rochko <eugen@zeonfederated.com>stable-3.1
parent
951e997b26
commit
2d2e3651ee
|
@ -2,6 +2,7 @@
|
|||
|
||||
class MediaProxyController < ApplicationController
|
||||
include RoutingHelper
|
||||
include Authorization
|
||||
|
||||
skip_before_action :store_current_location
|
||||
skip_before_action :require_functional!
|
||||
|
@ -10,12 +11,14 @@ class MediaProxyController < ApplicationController
|
|||
|
||||
rescue_from ActiveRecord::RecordInvalid, with: :not_found
|
||||
rescue_from Mastodon::UnexpectedResponseError, with: :not_found
|
||||
rescue_from Mastodon::NotPermittedError, with: :not_found
|
||||
rescue_from HTTP::TimeoutError, HTTP::ConnectionError, OpenSSL::SSL::SSLError, with: :internal_server_error
|
||||
|
||||
def show
|
||||
RedisLock.acquire(lock_options) do |lock|
|
||||
if lock.acquired?
|
||||
@media_attachment = MediaAttachment.remote.find(params[:id])
|
||||
@media_attachment = MediaAttachment.remote.attached.find(params[:id])
|
||||
authorize @media_attachment.status, :show?
|
||||
redownload! if @media_attachment.needs_redownload? && !reject_media?
|
||||
else
|
||||
raise Mastodon::RaceConditionError
|
||||
|
|
|
@ -28,9 +28,8 @@ describe MediaController do
|
|||
end
|
||||
|
||||
it 'raises when not permitted to view' do
|
||||
status = Fabricate(:status)
|
||||
status = Fabricate(:status, visibility: :direct)
|
||||
media_attachment = Fabricate(:media_attachment, status: status)
|
||||
allow_any_instance_of(MediaController).to receive(:authorize).and_raise(ActiveRecord::RecordNotFound)
|
||||
get :show, params: { id: media_attachment.to_param }
|
||||
|
||||
expect(response).to have_http_status(404)
|
||||
|
|
|
@ -0,0 +1,42 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'rails_helper'
|
||||
|
||||
describe MediaProxyController do
|
||||
render_views
|
||||
|
||||
before do
|
||||
stub_request(:get, 'http://example.com/attachment.png').to_return(request_fixture('avatar.txt'))
|
||||
end
|
||||
|
||||
describe '#show' do
|
||||
it 'redirects when attached to a status' do
|
||||
status = Fabricate(:status)
|
||||
media_attachment = Fabricate(:media_attachment, status: status, remote_url: 'http://example.com/attachment.png')
|
||||
get :show, params: { id: media_attachment.id }
|
||||
|
||||
expect(response).to have_http_status(302)
|
||||
end
|
||||
|
||||
it 'responds with missing when there is not an attached status' do
|
||||
media_attachment = Fabricate(:media_attachment, status: nil, remote_url: 'http://example.com/attachment.png')
|
||||
get :show, params: { id: media_attachment.id }
|
||||
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
|
||||
it 'raises when id cant be found' do
|
||||
get :show, params: { id: 'missing' }
|
||||
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
|
||||
it 'raises when not permitted to view' do
|
||||
status = Fabricate(:status, visibility: :direct)
|
||||
media_attachment = Fabricate(:media_attachment, status: status, remote_url: 'http://example.com/attachment.png')
|
||||
get :show, params: { id: media_attachment.id }
|
||||
|
||||
expect(response).to have_http_status(404)
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue