
Prevent posting toots with media attachments from someone else (#9921)

ThibG 2 months ago
parent
commit
e2a5be6e9a
2 changed files with 15 additions and 2 deletions
  1. 1
    1
      app/services/post_status_service.rb
  2. 14
    1
      spec/services/post_status_service_spec.rb

+ 1
- 1
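--- a/app/services/post_status_service.rb
+++ b/app/services/post_status_service.rb
@@ -93,7 +93,7 @@ class PostStatusService < BaseService
 
     raise Mastodon::ValidationError, I18n.t('media_attachments.validations.too_many') if @options[:media_ids].size > 4
 
-    @media = MediaAttachment.where(status_id: nil).where(id: @options[:media_ids].take(4).map(&:to_i))
+    @media = @account.media_attachments.where(status_id: nil).where(id: @options[:media_ids].take(4).map(&:to_i))
 
     raise Mastodon::ValidationError, I18n.t('media_attachments.validations.images_and_video') if @media.size > 1 && @media.find(&:video?)
   end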
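Review bot: The account-scoped query on the new `@media` line silently discards any id that belongs to another account (or is already attached, via `status_id: nil`), so a client sending a foreign media id gets a successfully created status with the attachment missing and no signal why; the other validations in this hunk raise, and this case should too. Hoist the id list and compare counts: `media_ids = @options[:media_ids].take(4).map(&:to_i).uniq`, then `@media = @account.media_attachments.where(status_id: nil).where(id: media_ids)`, then `raise Mastodon::ValidationError, <translated not-found message> if @media.size != media_ids.size` — the message key is new and would need adding to the locale files. A one-line why-comment above the query would also help the next reader: `# Scope to the posting account so a user cannot claim another user's uploads`. The enclosing method begins before this hunk, so I cannot see where `@options`/`@account` are set or whether `media_ids` is already guaranteed non-nil here.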

+ 14
- 1
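--- a/spec/services/post_status_service_spec.rb
+++ b/spec/services/post_status_service_spec.rb
@@ -167,7 +167,7 @@ RSpec.describe PostStatusService, type: :service do
 
   it 'attaches the given media to the created status' do
     account = Fabricate(:account)
-    media = Fabricate(:media_attachment)
+    media = Fabricate(:media_attachment, account: account)
 
     status = subject.call(
       account,
@@ -178,6 +178,19 @@ RSpec.describe PostStatusService, type: :service do
     expect(media.reload.status).to eq status
   end
 
+  it 'does not attach media from another account to the created status' do
+    account = Fabricate(:account)
+    media = Fabricate(:media_attachment, account: Fabricate(:account))
+
+    status = subject.call(
+      account,
+      text: "test status update",
+      media_ids: [media.id],
+    )
+
+    expect(media.reload.status).to eq nil
+  end
+
   it 'does not allow attaching more than 4 files' do
     account = Fabricate(:account)
 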
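Review bot: The new example only checks the attachment side (`media.reload.status` is nil) and never inspects the `status` it captures, so it would still pass if the service wired the foreign attachment onto the status through some other path or if the regression reappeared in a different form. Add an assertion on the created status as well, e.g. `expect(status.media_attachments).to be_empty` (assuming `Status` exposes that association as the first example's `media.reload.status` implies), and prefer the RSpec idiom `expect(media.reload.status).to be_nil` over `eq nil`. Once the service is changed to reject rather than drop foreign ids, this example should instead expect `Mastodon::ValidationError`, matching the 'more than 4 files' example below.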
