CommonAPI: Prevent users from accessing media of other users

2023-09-02 01:43:25 +03:00 · 2023-09-02 01:43:25 +03:00 · 1afde067b1
commit 1afde067b1
parent 9da4f89b7b
9 changed files with 82 additions and 31 deletions
--- a/test/pleroma/web/common_api_test.exs
+++ b/test/pleroma/web/common_api_test.exs
@ -279,6 +279,24 @@ defmodule Pleroma.Web.CommonAPITest do
      assert {:reject, "[KeywordPolicy] Matches with rejected keyword"} ==
               CommonAPI.post_chat_message(author, recipient, "GNO/Linux")
    end
+
+    test "it reject messages with attachments not belonging to user" do
+      author = insert(:user)
+      not_author = insert(:user)
+      recipient = author
+
+      attachment = insert(:attachment, %{user: not_author})
+
+      {:error, message} =
+        CommonAPI.post_chat_message(
+          author,
+          recipient,
+          "123",
+          media_id: attachment.id
+        )
+
+      assert message == :forbidden
+    end
  end

  describe "unblocking" do