MediaController: enforced owner-only access in :show action.

Improved error response on denied access (now 403). Adjusted tests.

test/web/mastodon_api/controllers/media_controller_test.exs

@@ -63,10 +63,9 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
       assert media["type"] == "image"
       assert media["description"] == desc
       assert media["id"]
-      object = Object.get_by_id(media["id"])
 
-      # TODO: clarify: if this EP allows access to non-owned objects, the following may be false:
-      assert object.data["actor"] == User.ap_id(conn.assigns[:user])
+      object = Object.get_by_id(media["id"])
+      assert object.data["actor"] == user.ap_id
     end
   end
 
@@ -102,7 +101,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
     end
   end
 
-  describe "Get media by id" do
+  describe "Get media by id (/api/v1/media/:id)" do
     setup do: oauth_access(["read:media"])
 
     setup %{user: actor} do
@@ -122,7 +121,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
       [object: object]
     end
 
-    test "/api/v1/media/:id", %{conn: conn, object: object} do
+    test "it returns media object when requested by owner", %{conn: conn, object: object} do
       media =
         conn
         |> get("/api/v1/media/#{object.id}")
@@ -132,5 +131,16 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
       assert media["type"] == "image"
       assert media["id"]
     end
+
+    test "it returns 403 if media object requested by non-owner", %{object: object, user: user} do
+      %{conn: conn, user: other_user} = oauth_access(["read:media"])
+
+      assert object.data["actor"] == user.ap_id
+      refute user.id == other_user.id
+
+      conn
+      |> get("/api/v1/media/#{object.id}")
+      |> json_response(403)
+    end
   end
 end