Fix using wrong policy on status-related actions in admin UI (#19490)

07cc201a · Eugen Rochko · GitHub · 8ae0936d · 07cc201a · 07cc201a
Unverified Commit 07cc201a authored 2 years ago by Eugen Rochko Committed by GitHub 2 years ago
Hide whitespace changes
Inline Side-by-side

Showing

with 4 additions and 4 deletions
+4 -4
--- a/app/models/admin/status_batch_action.rb
+++ b/app/models/admin/status_batch_action.rb
@@ -40,7 +40,7 @@ class Admin::StatusBatchAction
  end

  def handle_delete!
-    statuses.each { |status| authorize(status, :destroy?) }
+    statuses.each { |status| authorize([:admin, status], :destroy?) }

    ApplicationRecord.transaction do
      statuses.each do |status|
@@ -75,7 +75,7 @@ class Admin::StatusBatchAction
    statuses.includes(:media_attachments, :preview_cards).find_each do |status|
      next unless status.with_media? || status.with_preview_card?

-      authorize(status, :update?)
+      authorize([:admin, status], :update?)

      if target_account.local?
        UpdateStatusService.new.call(status, representative_account.id, sensitive: true)

--- a/app/models/trends/status_batch.rb
+++ b/app/models/trends/status_batch.rb
@@ -30,7 +30,7 @@ class Trends::StatusBatch
  end

  def approve!
-    statuses.each { |status| authorize(status, :review?) }
+    statuses.each { |status| authorize([:admin, status], :review?) }
    statuses.update_all(trendable: true)
  end

@@ -45,7 +45,7 @@ class Trends::StatusBatch
  end

  def reject!
-    statuses.each { |status| authorize(status, :review?) }
+    statuses.each { |status| authorize([:admin, status], :review?) }
    statuses.update_all(trendable: false)
  end