Merge pull request from GHSA-58x8-3qxw-6hm7

* Fix insufficient permission checking for public timeline endpoints Note that this changes unauthenticated access failure code from 401 to 422 * Add more tests for public timelines * Require user token in `/api/v1/statuses/:id/translate` and `/api/v1/scheduled_statuses`
2024-07-04 16:26:49 +02:00
parent 395f17ca17
commit 502cf75b16
11 changed files with 82 additions and 23 deletions
--- a/spec/requests/api/v1/timelines/link_spec.rb
+++ b/spec/requests/api/v1/timelines/link_spec.rb
@@ -41,6 +41,8 @@ describe 'Link' do
      end
    end

+    it_behaves_like 'forbidden for wrong scope', 'profile'
+
    context 'when there is no preview card' do
      let(:preview_card) { nil }

@@ -80,13 +82,25 @@ describe 'Link' do
        Form::AdminSettings.new(timeline_preview: false).save
      end

-      context 'when the user is not authenticated' do
+      it_behaves_like 'forbidden for wrong scope', 'profile'
+
+      context 'without an authentication token' do
        let(:headers) { {} }

-        it 'returns http unauthorized' do
+        it 'returns http unprocessable entity' do
          subject

-          expect(response).to have_http_status(401)
+          expect(response).to have_http_status(422)
+        end
+      end
+
+      context 'with an application access token, not bound to a user' do
+        let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: scopes) }
+
+        it 'returns http unprocessable entity' do
+          subject
+
+          expect(response).to have_http_status(422)
        end
      end