From fd779c25b93fbc38ab58f3033aa3803d59feaa9f Mon Sep 17 00:00:00 2001
From: Matt Jankowski <matt@jankowski.online>
Date: Wed, 30 Jul 2025 05:28:20 -0400
Subject: [PATCH] Avoid `return not_found` in statuses controller (#35585)

---
 app/controllers/statuses_controller.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb
index 341b0e647..af6bebf36 100644
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@@ -11,6 +11,7 @@ class StatusesController < ApplicationController
   before_action :require_account_signature!, only: [:show, :activity], if: -> { request.format == :json && authorized_fetch_mode? }
   before_action :set_status
   before_action :redirect_to_original, only: :show
+  before_action :verify_embed_allowed, only: :embed
 
   after_action :set_link_headers
 
@@ -40,8 +41,6 @@ class StatusesController < ApplicationController
   end
 
   def embed
-    return not_found if @status.hidden? || @status.reblog?
-
     expires_in 180, public: true
     response.headers.delete('X-Frame-Options')
 
@@ -50,6 +49,10 @@ class StatusesController < ApplicationController
 
   private
 
+  def verify_embed_allowed
+    not_found if @status.hidden? || @status.reblog?
+  end
+
   def set_link_headers
     response.headers['Link'] = LinkHeader.new(
       [[ActivityPub::TagManager.instance.uri_for(@status), [%w(rel alternate), %w(type application/activity+json)]]]