Fix: ドメイン単位の認証になるように

2023-12-14 10:15:34 +09:00 · 2023-12-14 10:15:34 +09:00 · 0b75ba0298
commit 0b75ba0298
parent 6a4f048930
4 changed files with 22 additions and 3 deletions
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@ -64,8 +64,10 @@ class StatusesController < ApplicationController

    if request.authorization.present? && request.authorization.match(/^Bearer /i)
      raise Mastodon::NotPermittedError unless @status.capability_tokens.find_by(token: request.authorization.gsub(/^Bearer /i, ''))
+    elsif request.format == :json && @status.expires?
+      raise Mastodon::NotPermittedError unless StatusPolicy.new(signed_request_account, status).show_activity?
    else
-      authorize @status, request.format == :json ? :show_activity? : :show?
+      authorize @status, :show?
    end
  rescue Mastodon::NotPermittedError
    not_found
--- a/app/models/concerns/account/interactions.rb
+++ b/app/models/concerns/account/interactions.rb
@ -211,6 +211,13 @@ module Account::Interactions
    other_account.following?(self)
  end

+  def followed_by_domain?(other_domain)
+    return true if other_domain.blank?
+    return true if local? || domain == other_domain
+
+    followers.exists?(domain: other_domain)
+  end
+
  def mutual?(other_account)
    following?(other_account) && followed_by?(other_account)
  end
--- a/app/models/status.rb
+++ b/app/models/status.rb
@ -253,6 +253,10 @@ class Status < ApplicationRecord
    !quote_of_id.nil? && !quote.nil?
  end

+  def expires?
+    scheduled_expiration_status.present?
+  end
+
  def within_realtime_window?
    created_at >= REAL_TIME_WINDOW.ago
  end
--- a/app/policies/status_policy.rb
+++ b/app/policies/status_policy.rb
@ -30,9 +30,9 @@ class StatusPolicy < ApplicationPolicy

  def show_activity?
    return false unless show?
-    return true if record.scheduled_expiration_status.blank?
+    return true unless record.expires?

-    following_author?
+    following_author_domain?
  end

  def reblog?
@ -122,6 +122,12 @@ class StatusPolicy < ApplicationPolicy
    @preloaded_relations[:following] ? @preloaded_relations[:following][author.id] : current_account.following?(author)
  end

+  def following_author_domain?
+    return false if current_account.nil?
+
+    author.followed_by_domain?(current_account.domain)
+  end
+
  def author
    record.account
  end