Merge pull request from GHSA-58x8-3qxw-6hm7

* Fix insufficient permission checking for public timeline endpoints

Note that this changes unauthenticated access failure code from 401 to 422

* Add more tests for public timelines

* Require user token in `/api/v1/statuses/:id/translate` and `/api/v1/scheduled_statuses`
This commit is contained in:
Claire 2024-07-04 16:26:49 +02:00 committed by GitHub
parent df974a912b
commit 4fb4721072
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 71 additions and 11 deletions

View file

@ -13,6 +13,17 @@ describe Api::V1::ScheduledStatusesController do
allow(controller).to receive(:doorkeeper_token) { token }
end
context 'with an application token' do
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: 'read:statuses') }
it 'returns http unprocessable entity' do
get :index
expect(response)
.to have_http_status(422)
end
end
describe 'GET #index' do
it 'returns http success' do
get :index