Merge pull request from GHSA-58x8-3qxw-6hm7
* Fix insufficient permission checking for public timeline endpoints Note that this changes unauthenticated access failure code from 401 to 422 * Add more tests for public timelines * Require user token in `/api/v1/statuses/:id/translate` and `/api/v1/scheduled_statuses`
This commit is contained in:
parent
df974a912b
commit
4fb4721072
8 changed files with 71 additions and 11 deletions
|
@ -13,6 +13,17 @@ describe Api::V1::ScheduledStatusesController do
|
|||
allow(controller).to receive(:doorkeeper_token) { token }
|
||||
end
|
||||
|
||||
context 'with an application token' do
|
||||
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: 'read:statuses') }
|
||||
|
||||
it 'returns http unprocessable entity' do
|
||||
get :index
|
||||
|
||||
expect(response)
|
||||
.to have_http_status(422)
|
||||
end
|
||||
end
|
||||
|
||||
describe 'GET #index' do
|
||||
it 'returns http success' do
|
||||
get :index
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue