| author | 2023-03-03 13:35:49 +0100 | |
|---|---|---|
| committer | 2023-03-03 13:35:49 +0100 | |
| commit | 29f8c51ab82703b8df36444eed790194886a466e (patch) | |
| tree | 48ae1edc9cf639f8ed4beba7194cbda9077d76b6 /internal/processing/status | |
| parent | [bugfix] on deref new account, check db again for account on ErrAlreadyExists... (diff) | |
| download | gotosocial-29f8c51ab82703b8df36444eed790194886a466e.tar.xz | |
[bugfix] Fix unpinning statuses not working (#1582)
And also fix unpinning/pinning potentially leaking the ID of followers-only statuses through returning 422 instead of 404.
Also tests!
Diffstat (limited to 'internal/processing/status')
| -rw-r--r-- | internal/processing/status/pin.go | 18 | 
1 files changed, 17 insertions, 1 deletions
|
diff --git a/internal/processing/status/pin.go b/internal/processing/status/pin.go
index 6001a147f..7633850ca 100644
--- a/internal/processing/status/pin.go
+++ b/internal/processing/status/pin.go
@@ -35,6 +35,7 @@ const allowedPinnedCount = 10
 // can pin or unpin it.
 //
 // It checks:
+//   - Status is visible to requesting account.
 //   - Status belongs to requesting account.
 //   - Status is public, unlisted, or followers-only.
 //   - Status is not a boost.
@@ -45,6 +46,21 @@ func (p *Processor) getPinnableStatus(ctx context.Context, targetStatusID string
 		return nil, gtserror.NewErrorNotFound(err)
 	}
+	requestingAccount, err := p.state.DB.GetAccountByID(ctx, requestingAccountID)
+	if err != nil {
+		return nil, gtserror.NewErrorInternalError(err)
+	}
+
+	visible, err := p.filter.StatusVisible(ctx, targetStatus, requestingAccount)
+	if err != nil {
+		return nil, gtserror.NewErrorInternalError(err)
+	}
+
+	if !visible {
+		err = fmt.Errorf("status %s not visible to account %s", targetStatusID, requestingAccountID)
+		return nil, gtserror.NewErrorNotFound(err)
+	}
+
 	if targetStatus.AccountID != requestingAccountID {
 		err = fmt.Errorf("status %s does not belong to account %s", targetStatusID, requestingAccountID)
 		return nil, gtserror.NewErrorUnprocessableEntity(err, err.Error())
@@ -124,7 +140,7 @@ func (p *Processor) PinRemove(ctx context.Context, requestingAccount *gtsmodel.A
 		return nil, errWithCode
 	}
-	if targetStatus.PinnedAt.IsZero() {
+	if !targetStatus.PinnedAt.IsZero() {
 		targetStatus.PinnedAt = time.Time{}
 		if err := p.state.DB.UpdateStatus(ctx, targetStatus, "pinned_at"); err != nil {
 			return nil, gtserror.NewErrorInternalError(fmt.Errorf("db error unpinning status: %w", err))
|
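Review bot: The new visibility check in getPinnableStatus only closes the ID leak while it runs ahead of the ownership check that returns 422 with `err.Error()`, and nothing in the code records that ordering; a comment above `visible, err := p.filter.StatusVisible(...)` such as `// Must run before the ownership check: a status the requester cannot see has to be indistinguishable from one that does not exist.` would protect it against later reordering. The two 404 paths presumably look identical to the client because neither passes help text to `NewErrorNotFound`, which is worth pinning in a test that compares the response for a hidden status with the response for a nonexistent ID. Separately, the PinRemove hunk header shows the caller already holds `requestingAccount *gtsmodel.Account`, so the added `GetAccountByID` lookup looks avoidable by passing the account through instead of its ID. The body of getPinnableStatus starts and ends outside this hunk, so the remaining checks could not be reviewed here.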
