authorIvan Tashkinov <ivantashkinov@gmail.com>2020-05-18 09:51:53 +0300
committerIvan Tashkinov <ivantashkinov@gmail.com>2020-05-18 09:51:53 +0300
commit9b765652649f8b6110bd70aa90b148a90057ff6a (patch)
tree31243c6eea114706129b3e20598c9c05e1e8c6ba /lib/pleroma/object.ex
parentaf9dfdce6b502d3a33db7a496879dda56719f56e (diff)
downloadpleroma-9b765652649f8b6110bd70aa90b148a90057ff6a.tar.gz
MediaController: enforced owner-only access in :show action.
Improved error response on denied access (now 403). Adjusted tests.
Diffstat (limited to 'lib/pleroma/object.ex')
-rw-r--r--lib/pleroma/object.ex15
1 files changed, 10 insertions, 5 deletions
diff --git a/lib/pleroma/object.ex b/lib/pleroma/object.ex
index e678fd415..ab16bf2db 100644
--- a/lib/pleroma/object.ex
+++ b/lib/pleroma/object.ex
@@ -138,12 +138,17 @@ defmodule Pleroma.Object do
def normalize(_, _, _), do: nil
- # Owned objects can only be mutated by their owner
- def authorize_mutation(%Object{data: %{"actor" => actor}}, %User{ap_id: ap_id}),
- do: actor == ap_id
+ # Owned objects can only be accessed by their owner
+ def authorize_access(%Object{data: %{"actor" => actor}}, %User{ap_id: ap_id}) do
+ if actor == ap_id do
+ :ok
+ else
+ {:error, :forbidden}
+ end
+ end
- # Legacy objects can be mutated by anybody
- def authorize_mutation(%Object{}, %User{}), do: true
+ # Legacy objects can be accessed by anybody
+ def authorize_access(%Object{}, %User{}), do: :ok
@spec get_cached_by_ap_id(String.t()) :: Object.t() | nil
def get_cached_by_ap_id(ap_id) do
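Review bot: The catch-all clause `def authorize_access(%Object{}, %User{}), do: :ok` fails open: any object whose `data` has no `"actor"` key is now readable, not just mutable, by every user, and the commit title says this check gates the MediaController `:show` action. If such legacy objects are not meant to be exposed, consider returning `{:error, :forbidden}` from this clause or narrowing it to the specific legacy shape; at minimum the comment should say why unowned objects are safe to serve to anyone. The return contract also changed from a boolean to `:ok | {:error, :forbidden}`, and both values are truthy, so a caller that still tests the result with `if` would grant access unconditionally. Callers are not visible in this file-limited diff, so that is worth checking. Adding `@spec authorize_access(Object.t(), User.t()) :: :ok | {:error, :forbidden}` above the first clause would make the new contract explicit.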