Tiger Ton / mastodon / Commits / 2d2e3651

Commit 2d2e3651
authored 4 years ago by Thibaut Girka
Committed by Eugen Rochko 4 years ago
Fix media attachment enumeration

Signed-off-by: Eugen Rochko <eugen@zeonfederated.com>
parent 951e997b

Showing 3 changed files with 47 additions and 3 deletions:
app/controllers/media_proxy_controller.rb +4 -1
spec/controllers/media_controller_spec.rb +1 -2
spec/controllers/media_proxy_controller_spec.rb +42 -0
app/controllers/media_proxy_controller.rb +4 -1
...
...
@@ -2,6 +2,7 @@
class
MediaProxyController
<
ApplicationController
include
RoutingHelper
include
Authorization
skip_before_action
:store_current_location
skip_before_action
:require_functional!
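Review bot: `include Authorization` sits directly above `skip_before_action :require_functional!`, so `authorize` can be reached by requests that never passed the functional-account check, including requests with no signed-in account. Please confirm that the `:show?` policy treats a missing current account as an anonymous viewer, and add a one-line comment above the include saying it is there for the status visibility check in `show`.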
...
...
@@ -10,12 +11,14 @@ class MediaProxyController < ApplicationController
rescue_from
ActiveRecord
::
RecordInvalid
,
with: :not_found
rescue_from
Mastodon
::
UnexpectedResponseError
,
with: :not_found
rescue_from
Mastodon
::
NotPermittedError
,
with: :not_found
rescue_from
HTTP
::
TimeoutError
,
HTTP
::
ConnectionError
,
OpenSSL
::
SSL
::
SSLError
,
with: :internal_server_error
def
show
RedisLock
.
acquire
(
lock_options
)
do
|
lock
|
if
lock
.
acquired?
@media_attachment
=
MediaAttachment
.
remote
.
find
(
params
[
:id
])
@media_attachment
=
MediaAttachment
.
remote
.
attached
.
find
(
params
[
:id
])
authorize
@media_attachment
.
status
,
:show?
redownload!
if
@media_attachment
.
needs_redownload?
&&
!
reject_media?
else
raise
Mastodon
::
RaceConditionError
...
...
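Review bot: In `show`, the lookup and `authorize @media_attachment.status, :show?` both run inside the `RedisLock.acquire(lock_options)` block, so a request that is going to be rejected still takes the lock before the check happens. Consider doing `MediaAttachment.remote.attached.find(params[:id])` and the `authorize` call before acquiring the lock, and keeping only the `redownload!` step inside it. A short comment next to `rescue_from Mastodon::NotPermittedError, with: :not_found` saying the 404 is deliberate, so that a forbidden attachment and a missing one look the same to the requester, would also help future readers.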
spec/controllers/media_controller_spec.rb +1 -2
...
...
@@ -28,9 +28,8 @@ describe MediaController do
end
it
'raises when not permitted to view'
do
status
=
Fabricate
(
:status
)
status
=
Fabricate
(
:status
,
visibility: :direct
)
media_attachment
=
Fabricate
(
:media_attachment
,
status:
status
)
allow_any_instance_of
(
MediaController
).
to
receive
(
:authorize
).
and_raise
(
ActiveRecord
::
RecordNotFound
)
get
:show
,
params:
{
id:
media_attachment
.
to_param
}
expect
(
response
).
to
have_http_status
(
404
)
...
...
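Review bot: The example title 'raises when not permitted to view' no longer matches what the example checks, since the only assertion is `expect(response).to have_http_status(404)` on a `visibility: :direct` status. Suggest renaming it to something like 'responds with missing when not permitted to view' so the title describes the response the client actually gets.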
spec/controllers/media_proxy_controller_spec.rb 0 → 100644 +42 -0
# frozen_string_literal: true
require
'rails_helper'
describe
MediaProxyController
do
render_views
before
do
stub_request
(
:get
,
'http://example.com/attachment.png'
).
to_return
(
request_fixture
(
'avatar.txt'
))
end
describe
'#show'
do
it
'redirects when attached to a status'
do
status
=
Fabricate
(
:status
)
media_attachment
=
Fabricate
(
:media_attachment
,
status:
status
,
remote_url:
'http://example.com/attachment.png'
)
get
:show
,
params:
{
id:
media_attachment
.
id
}
expect
(
response
).
to
have_http_status
(
302
)
end
it
'responds with missing when there is not an attached status'
do
media_attachment
=
Fabricate
(
:media_attachment
,
status:
nil
,
remote_url:
'http://example.com/attachment.png'
)
get
:show
,
params:
{
id:
media_attachment
.
id
}
expect
(
response
).
to
have_http_status
(
404
)
end
it
'raises when id cant be found'
do
get
:show
,
params:
{
id:
'missing'
}
expect
(
response
).
to
have_http_status
(
404
)
end
it
'raises when not permitted to view'
do
status
=
Fabricate
(
:status
,
visibility: :direct
)
media_attachment
=
Fabricate
(
:media_attachment
,
status:
status
,
remote_url:
'http://example.com/attachment.png'
)
get
:show
,
params:
{
id:
media_attachment
.
id
}
expect
(
response
).
to
have_http_status
(
404
)
end
end
end
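Review bot: The 'raises when not permitted to view' example in `#show` only covers a request with no signed-in account against a `visibility: :direct` status, so the spec never exercises `authorize` with a current account present. Please add one example for a signed-in account that should not see the status (expect 404) and one for a signed-in account that should (expect 302), so both outcomes of the new check are covered. The 'redirects when attached to a status' example could also assert the redirect target rather than only `have_http_status(302)`.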