Merge pull request from GHSA-58x8-3qxw-6hm7
* Fix insufficient permission checking for public timeline endpoints Note that this changes unauthenticated access failure code from 401 to 422 * Add more tests for public timelines * Require user token in `/api/v1/statuses/:id/translate` and `/api/v1/scheduled_statuses`
This commit is contained in:
Claire
KMY
parent
ca1e2e6131
commit
21b716db12
9 changed files with 64 additions and 15 deletions
|
|
@ -1,7 +1,7 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
class Api::V1::Timelines::PublicController < Api::V1::Timelines::BaseController
|
||||
before_action :require_user!, only: [:show], if: :require_auth?
|
||||
before_action -> { authorize_if_got_token! :read, :'read:statuses' }
|
||||
|
||||
PERMITTED_PARAMS = %i(local remote limit only_media).freeze
|
||||
|
||||
|
|
@ -15,10 +15,6 @@ class Api::V1::Timelines::PublicController < Api::V1::Timelines::BaseController
|
|||
|
||||
private
|
||||
|
||||
def require_auth?
|
||||
!Setting.timeline_preview
|
||||
end
|
||||
|
||||
def load_statuses
|
||||
cached_public_statuses_page
|
||||
end
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue