Prevent posting toots with media attachments from someone else (masto…
ClearlyClaire authored and hiyuki2578 committed Oct 2, 2019
1 parent 7de52b3 commit c2d7649
Showing 2 changed files with 15 additions and 2 deletions.
2 changes: 1 addition & 1 deletion app/services/post_status_service.rb
Expand Up @@ -93,7 +93,7 @@ def validate_media!

raise Mastodon::ValidationError, I18n.t('media_attachments.validations.too_many') if @options[:media_ids].size > 4

@media = MediaAttachment.where(status_id: nil).where(id: @options[:media_ids].take(4).map(&:to_i))
@media = @account.media_attachments.where(status_id: nil).where(id: @options[:media_ids].take(4).map(&:to_i))

raise Mastodon::ValidationError, I18n.t('media_attachments.validations.images_and_video') if @media.size > 1 && @media.find(&:video?)
end
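Review bot: Media IDs that fall outside `@account.media_attachments.where(status_id: nil)` are dropped silently by the scoped lookup in `validate_media!`, so the status is still posted without them and the caller gets no error. If clients do not rely on that leniency, a count check right after the lookup would reject the request instead, e.g. `raise Mastodon::ValidationError, I18n.t('<new translation key>') if @media.size != @options[:media_ids].map(&:to_i).uniq.size` (the translation key is a placeholder). Failing that, logging the mismatch would at least make requests that reference another account's media visible to operators. The start of `validate_media!` lies outside the hunk, so a guard earlier in the method may already handle part of this.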
15 changes: 14 additions & 1 deletion spec/services/post_status_service_spec.rb
Expand Up @@ -167,7 +167,7 @@

it 'attaches the given media to the created status' do
account = Fabricate(:account)
media = Fabricate(:media_attachment)
media = Fabricate(:media_attachment, account: account)

status = subject.call(
account,
Expand All @@ -178,6 +178,19 @@
expect(media.reload.status).to eq status
end

it 'does not attach media from another account to the created status' do
account = Fabricate(:account)
media = Fabricate(:media_attachment, account: Fabricate(:account))

status = subject.call(
account,
text: "test status update",
media_ids: [media.id],
)

expect(media.reload.status).to eq nil
end

it 'does not allow attaching more than 4 files' do
account = Fabricate(:account)

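Review bot: The new example 'does not attach media from another account to the created status' assigns `status` but never reads it, so the only thing checked is the foreign media record. Asserting on the created status as well would pin the behaviour from both sides, e.g. `expect(status.media_attachments).to be_empty`. For the existing assertion, `expect(media.reload.status).to be_nil` is the more usual matcher than `to eq nil`. If the `status` local is kept only for symmetry with the preceding example, dropping the assignment avoids an unused-variable warning.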
