mstdn.y-zu.org/mastodon
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request from GHSA-58x8-3qxw-6hm7

Browse Source 
* Fix insufficient permission checking for public timeline endpoints

Note that this changes unauthenticated access failure code from 401 to 422

* Add more tests for public timelines

* Require user token in `/api/v1/statuses/:id/translate` and `/api/v1/scheduled_statuses`
This commit is contained in:
Claire
2024-07-04 16:26:49 +02:00
committed by GitHub
parent 122740047a
commit 34aeef3453
9 changed files with 242 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
spec/controllers/api/v1/timelines/public_controller_spec.rb
View File

@@ -12,7 +12,7 @@ describe Api::V1::Timelines::PublicController do
end
context 'with a user context' do
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id) }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:statuses') }
describe 'GET #show' do
before do
@@ -42,7 +42,7 @@ describe Api::V1::Timelines::PublicController do
end
context 'without a user context' do
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil) }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: 'read:statuses') }
describe 'GET #show' do
it 'returns http success' do