Merge pull request from GHSA-58x8-3qxw-6hm7

* Fix insufficient permission checking for public timeline endpoints Note that this changes unauthenticated access failure code from 401 to 422 * Add more tests for public timelines * Require user token in `/api/v1/statuses/:id/translate` and `/api/v1/scheduled_statuses`
2024-07-04 16:26:49 +02:00 · 2024-07-04 16:26:49 +02:00 · 21b716db12
commit 21b716db12
parent ca1e2e6131
9 changed files with 64 additions and 15 deletions
--- a/app/controllers/api/v1/scheduled_statuses_controller.rb
+++ b/app/controllers/api/v1/scheduled_statuses_controller.rb
@ -6,6 +6,7 @@ class Api::V1::ScheduledStatusesController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, except: [:update, :destroy]
  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }, only: [:update, :destroy]

+  before_action :require_user!
  before_action :set_statuses, only: :index
  before_action :set_status, except: :index