gearheads
/
mastodon
Archived
2
0
Fork 0
Code Releases 4 Activity

Fix using wrong policy on status-related actions in admin UI (#19490)

gh/stable
Eugen Rochko 2022-10-28 00:48:30 +02:00 committed by GitHub
parent 8ae0936ddd
commit 07cc201acc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/models/admin/status_batch_action.rb
View File

@ -40,7 +40,7 @@ class Admin::StatusBatchAction
end end
def handle_delete! def handle_delete!
statuses.each { |status| authorize(status, :destroy?) } statuses.each { |status| authorize([:admin, status], :destroy?) }
ApplicationRecord.transaction do ApplicationRecord.transaction do
statuses.each do |status| statuses.each do |status|
@ -75,7 +75,7 @@ class Admin::StatusBatchAction
statuses.includes(:media_attachments, :preview_cards).find_each do |status| statuses.includes(:media_attachments, :preview_cards).find_each do |status|
next unless status.with_media? || status.with_preview_card? next unless status.with_media? || status.with_preview_card?
authorize(status, :update?) authorize([:admin, status], :update?)
if target_account.local? if target_account.local?
UpdateStatusService.new.call(status, representative_account.id, sensitive: true) UpdateStatusService.new.call(status, representative_account.id, sensitive: true)

4
app/models/trends/status_batch.rb
View File

@ -30,7 +30,7 @@ class Trends::StatusBatch
end end
def approve! def approve!
statuses.each { |status| authorize(status, :review?) } statuses.each { |status| authorize([:admin, status], :review?) }
statuses.update_all(trendable: true) statuses.update_all(trendable: true)
end end
@ -45,7 +45,7 @@ class Trends::StatusBatch
end end
def reject! def reject!
statuses.each { |status| authorize(status, :review?) } statuses.each { |status| authorize([:admin, status], :review?) }
statuses.update_all(trendable: false) statuses.update_all(trendable: false)
end end