Extract authorization policy for viewing statuses (#3150)

2017-05-29 09:22:22 -07:00 · 2017-05-29 09:22:22 -07:00 · 3a2003ba86
commit 3a2003ba86
parent 9a81be0d37
16 changed files with 155 additions and 80 deletions
--- a/app/services/reblog_service.rb
+++ b/app/services/reblog_service.rb
@ -1,6 +1,7 @@
 # frozen_string_literal: true

 class ReblogService < BaseService
+  include Authorization
  include StreamEntryRenderer

  # Reblog a status and notify its remote author
@ -10,7 +11,8 @@ class ReblogService < BaseService
  def call(account, reblogged_status)
    reblogged_status = reblogged_status.reblog if reblogged_status.reblog?

-    raise Mastodon::NotPermittedError if reblogged_status.direct_visibility? || reblogged_status.private_visibility? || !reblogged_status.permitted?(account)
+    authorize_with account, reblogged_status, :show?
+    raise Mastodon::NotPermittedError if reblogged_status.direct_visibility? || reblogged_status.private_visibility?

    reblog = account.statuses.create!(reblog: reblogged_status, text: '')