CommonAPI: Prevent users from accessing media of other users

2023-09-02 01:43:25 +03:00 · 2023-09-02 01:43:25 +03:00 · 1afde067b1
commit 1afde067b1
parent 9da4f89b7b
9 changed files with 82 additions and 31 deletions
--- a/test/pleroma/web/common_api/utils_test.exs
+++ b/test/pleroma/web/common_api/utils_test.exs
@ -586,46 +586,61 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do
    end
  end

-  describe "attachments_from_ids_descs/2" do
+  describe "attachments_from_ids_descs/3" do
    test "returns [] when attachment ids is empty" do
-      assert Utils.attachments_from_ids_descs([], "{}") == []
+      assert Utils.attachments_from_ids_descs([], "{}", nil) == []
    end

    test "returns list attachments with desc" do
-      object = insert(:attachment)
+      user = insert(:user)
+      object = insert(:attachment, %{user: user})
      desc = Jason.encode!(%{object.id => "test-desc"})

-      assert Utils.attachments_from_ids_descs(["#{object.id}", "34"], desc) == [
+      assert Utils.attachments_from_ids_descs(["#{object.id}", "34"], desc, user) == [
               Map.merge(object.data, %{"name" => "test-desc"})
             ]
    end
  end

-  describe "attachments_from_ids/1" do
+  describe "attachments_from_ids/2" do
    test "returns attachments with descs" do
-      object = insert(:attachment)
+      user = insert(:user)
+      object = insert(:attachment, %{user: user})
      desc = Jason.encode!(%{object.id => "test-desc"})

-      assert Utils.attachments_from_ids(%{
-               media_ids: ["#{object.id}"],
-               descriptions: desc
-             }) == [
+      assert Utils.attachments_from_ids(
+               %{
+                 media_ids: ["#{object.id}"],
+                 descriptions: desc
+               },
+               user
+             ) == [
               Map.merge(object.data, %{"name" => "test-desc"})
             ]
    end

    test "returns attachments without descs" do
-      object = insert(:attachment)
-      assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}) == [object.data]
+      user = insert(:user)
+      object = insert(:attachment, %{user: user})
+      assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}, user) == [object.data]
    end

    test "returns [] when not pass media_ids" do
-      assert Utils.attachments_from_ids(%{}) == []
+      assert Utils.attachments_from_ids(%{}, nil) == []
+    end
+
+    test "returns [] when media_ids not belong to current user" do
+      user = insert(:user)
+      user2 = insert(:user)
+
+      object = insert(:attachment, %{user: user})
+
+      assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}, user2) == []
    end

    test "checks that the object is of upload type" do
      object = insert(:note)
-      assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}) == []
+      assert Utils.attachments_from_ids(%{media_ids: ["#{object.id}"]}, nil) == []
    end
  end