8 files changed, 460 insertions, 17 deletions

diff --git a/internal/apimodule/status/status.go b/internal/apimodule/status/status.go
index 73a1b5847..900ec32b9 100644
--- a/internal/apimodule/status/status.go
+++ b/internal/apimodule/status/status.go
@@ -37,9 +37,9 @@ import (
 
 const (
 	// IDKey is for status UUIDs
-	IDKey          = "id"
+	IDKey = "id"
 	// BasePath is the base path for serving the status API
-	BasePath       = "/api/v1/statuses"
+	BasePath = "/api/v1/statuses"
 	// BasePathWithID is just the base path with the ID key in it.
 	// Use this anywhere you need to know the ID of the status being queried.
 	BasePathWithID = BasePath + "/:" + IDKey
@@ -48,31 +48,31 @@ const (
 	ContextPath = BasePathWithID + "/context"
 
 	// FavouritedPath is for seeing who's faved a given status
-	FavouritedPath  = BasePathWithID + "/favourited_by"
+	FavouritedPath = BasePathWithID + "/favourited_by"
 	// FavouritePath is for posting a fave on a status
-	FavouritePath   = BasePathWithID + "/favourite"
+	FavouritePath = BasePathWithID + "/favourite"
 	// UnfavouritePath is for removing a fave from a status
 	UnfavouritePath = BasePathWithID + "/unfavourite"
 
 	// RebloggedPath is for seeing who's boosted a given status
 	RebloggedPath = BasePathWithID + "/reblogged_by"
 	// ReblogPath is for boosting/reblogging a given status
-	ReblogPath    = BasePathWithID + "/reblog"
+	ReblogPath = BasePathWithID + "/reblog"
 	// UnreblogPath is for undoing a boost/reblog of a given status
-	UnreblogPath  = BasePathWithID + "/unreblog"
+	UnreblogPath = BasePathWithID + "/unreblog"
 
 	// BookmarkPath is for creating a bookmark on a given status
-	BookmarkPath   = BasePathWithID + "/bookmark"
+	BookmarkPath = BasePathWithID + "/bookmark"
 	// UnbookmarkPath is for removing a bookmark from a given status
 	UnbookmarkPath = BasePathWithID + "/unbookmark"
 
 	// MutePath is for muting a given status so that notifications will no longer be received about it.
-	MutePath   = BasePathWithID + "/mute"
+	MutePath = BasePathWithID + "/mute"
 	// UnmutePath is for undoing an existing mute
 	UnmutePath = BasePathWithID + "/unmute"
 
 	// PinPath is for pinning a status to an account profile so that it's the first thing people see
-	PinPath   = BasePathWithID + "/pin"
+	PinPath = BasePathWithID + "/pin"
 	// UnpinPath is for undoing a pin and returning a status to the ever-swirling drain of time and entropy
 	UnpinPath = BasePathWithID + "/unpin"
 )
@@ -107,6 +107,8 @@ func (m *Module) Route(r router.Router) error {
 	r.AttachHandler(http.MethodPost, FavouritePath, m.StatusFavePOSTHandler)
 	r.AttachHandler(http.MethodPost, UnfavouritePath, m.StatusFavePOSTHandler)
 
+	r.AttachHandler(http.MethodPost, ReblogPath, m.StatusReblogPOSTHandler)
+
 	r.AttachHandler(http.MethodGet, BasePathWithID, m.muxHandler)
 	return nil
 }
diff --git a/internal/apimodule/status/test/statuscreate_test.go b/internal/apimodule/status/statuscreate_test.go
index d143ac9a7..8c2212b26 100644
--- a/internal/apimodule/status/test/statuscreate_test.go
+++ b/internal/apimodule/status/statuscreate_test.go
@@ -16,7 +16,7 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-package status
+package status_test
 
 import (
 	"encoding/json"
diff --git a/internal/apimodule/status/test/statusfave_test.go b/internal/apimodule/status/statusfave_test.go
index 9ccf58948..824912513 100644
--- a/internal/apimodule/status/test/statusfave_test.go
+++ b/internal/apimodule/status/statusfave_test.go
@@ -16,7 +16,7 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-package status
+package status_test
 
 import (
 	"encoding/json"
@@ -96,7 +96,7 @@ func (suite *StatusFaveTestSuite) TearDownSuite() {
 
 func (suite *StatusFaveTestSuite) SetupTest() {
 	testrig.StandardDBSetup(suite.db)
-	testrig.StandardStorageSetup(suite.storage, "../../../../testrig/media")
+	testrig.StandardStorageSetup(suite.storage, "../../../testrig/media")
 	suite.testTokens = testrig.NewTestTokens()
 	suite.testClients = testrig.NewTestClients()
 	suite.testApplications = testrig.NewTestApplications()
diff --git a/internal/apimodule/status/test/statusfavedby_test.go b/internal/apimodule/status/statusfavedby_test.go
index 169543a81..b655f8365 100644
--- a/internal/apimodule/status/test/statusfavedby_test.go
+++ b/internal/apimodule/status/statusfavedby_test.go
@@ -16,7 +16,7 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-package status
+package status_test
 
 import (
 	"encoding/json"
@@ -92,7 +92,7 @@ func (suite *StatusFavedByTestSuite) TearDownSuite() {
 
 func (suite *StatusFavedByTestSuite) SetupTest() {
 	testrig.StandardDBSetup(suite.db)
-	testrig.StandardStorageSetup(suite.storage, "../../../../testrig/media")
+	testrig.StandardStorageSetup(suite.storage, "../../../testrig/media")
 	suite.testTokens = testrig.NewTestTokens()
 	suite.testClients = testrig.NewTestClients()
 	suite.testApplications = testrig.NewTestApplications()
diff --git a/internal/apimodule/status/test/statusget_test.go b/internal/apimodule/status/statusget_test.go
index ce817d247..bef51ee29 100644
--- a/internal/apimodule/status/test/statusget_test.go
+++ b/internal/apimodule/status/statusget_test.go
@@ -16,7 +16,7 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-package status
+package status_test
 
 import (
 	"testing"
diff --git a/internal/apimodule/status/statusreblog.go b/internal/apimodule/status/statusreblog.go
new file mode 100644
index 000000000..cf00679c0
--- /dev/null
+++ b/internal/apimodule/status/statusreblog.go
@@ -0,0 +1,176 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package status
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"github.com/sirupsen/logrus"
+	"github.com/superseriousbusiness/gotosocial/internal/db/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/distributor"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
+)
+
+// StatusReblogPOSTHandler handles boost/reblog requests against a given status ID
+func (m *Module) StatusReblogPOSTHandler(c *gin.Context) {
+	l := m.log.WithFields(logrus.Fields{
+		"func":        "StatusReblogPOSTHandler",
+		"request_uri": c.Request.RequestURI,
+		"user_agent":  c.Request.UserAgent(),
+		"origin_ip":   c.ClientIP(),
+	})
+	l.Debugf("entering function")
+
+	authed, err := oauth.MustAuth(c, true, false, true, true) // we don't really need an app here but we want everything else
+	if err != nil {
+		l.Debug("not authed so can't boost status")
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "not authorized"})
+		return
+	}
+
+	targetStatusID := c.Param(IDKey)
+	if targetStatusID == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "no status id provided"})
+		return
+	}
+
+	l.Tracef("going to search for target status %s", targetStatusID)
+	targetStatus := &gtsmodel.Status{}
+	if err := m.db.GetByID(targetStatusID, targetStatus); err != nil {
+		l.Errorf("error fetching status %s: %s", targetStatusID, err)
+		c.JSON(http.StatusNotFound, gin.H{"error": fmt.Sprintf("status %s not found", targetStatusID)})
+		return
+	}
+
+	l.Tracef("going to search for target account %s", targetStatus.AccountID)
+	targetAccount := &gtsmodel.Account{}
+	if err := m.db.GetByID(targetStatus.AccountID, targetAccount); err != nil {
+		l.Errorf("error fetching target account %s: %s", targetStatus.AccountID, err)
+		c.JSON(http.StatusNotFound, gin.H{"error": fmt.Sprintf("status %s not found", targetStatusID)})
+		return
+	}
+
+	l.Trace("going to get relevant accounts")
+	relevantAccounts, err := m.db.PullRelevantAccountsFromStatus(targetStatus)
+	if err != nil {
+		l.Errorf("error fetching related accounts for status %s: %s", targetStatusID, err)
+		c.JSON(http.StatusNotFound, gin.H{"error": fmt.Sprintf("status %s not found", targetStatusID)})
+		return
+	}
+
+	l.Trace("going to see if status is visible")
+	visible, err := m.db.StatusVisible(targetStatus, targetAccount, authed.Account, relevantAccounts) // requestingAccount might well be nil here, but StatusVisible knows how to take care of that
+	if err != nil {
+		l.Errorf("error seeing if status %s is visible: %s", targetStatus.ID, err)
+		c.JSON(http.StatusNotFound, gin.H{"error": fmt.Sprintf("status %s not found", targetStatusID)})
+		return
+	}
+
+	if !visible {
+		l.Trace("status is not visible so cannot be boosted")
+		c.JSON(http.StatusNotFound, gin.H{"error": fmt.Sprintf("status %s not found", targetStatusID)})
+		return
+	}
+
+	// is the status boostable?
+	if !targetStatus.VisibilityAdvanced.Boostable {
+		l.Debug("status is not boostable")
+		c.JSON(http.StatusForbidden, gin.H{"error": fmt.Sprintf("status %s not boostable", targetStatusID)})
+		return
+	}
+
+	/*
+		FROM THIS POINT ONWARDS WE ARE HAPPY WITH THE BOOST -- it is valid and we will try to create it
+	*/
+
+	// it's visible! it's boostable! so let's boost the FUCK out of it
+	// first we create a new status and add some basic info to it -- this will be the wrapper for the boosted status
+
+	// the wrapper won't use the same ID as the boosted status so we generate some new UUIDs
+	uris := util.GenerateURIs(authed.Account.Username, m.config.Protocol, m.config.Host)
+	boostWrapperStatusID := uuid.NewString()
+	boostWrapperStatusURI := fmt.Sprintf("%s/%s", uris.StatusesURI, boostWrapperStatusID)
+	boostWrapperStatusURL := fmt.Sprintf("%s/%s", uris.StatusesURL, boostWrapperStatusID)
+
+	boostWrapperStatus := &gtsmodel.Status{
+		ID:  boostWrapperStatusID,
+		URI: boostWrapperStatusURI,
+		URL: boostWrapperStatusURL,
+
+		// the boosted status is not created now, but the boost certainly is
+		CreatedAt:                time.Now(),
+		UpdatedAt:                time.Now(),
+		Local:                    true, // always local since this is being done through the client API
+		AccountID:                authed.Account.ID,
+		CreatedWithApplicationID: authed.Application.ID,
+
+		// replies can be boosted, but boosts are never replies
+		InReplyToID:        "",
+		InReplyToAccountID: "",
+
+		// these will all be wrapped in the boosted status so set them empty here
+		Attachments: []string{},
+		Tags:        []string{},
+		Mentions:    []string{},
+		Emojis:      []string{},
+
+		// the below fields will be taken from the target status
+		Content:             util.HTMLFormat(targetStatus.Content), // take content from target status
+		ContentWarning:      targetStatus.ContentWarning,           // same warning as the target status
+		ActivityStreamsType: targetStatus.ActivityStreamsType,      // same activitystreams type as target status
+		Sensitive:           targetStatus.Sensitive,
+		Language:            targetStatus.Language,
+		Text:                targetStatus.Text,
+		BoostOfID:           targetStatus.ID,
+		Visibility:          targetStatus.Visibility,
+		VisibilityAdvanced:  targetStatus.VisibilityAdvanced,
+
+		// attach these here for convenience -- the boosted status/account won't go in the DB
+		// but they're needed in the distributor and for the frontend. Since we have them, we can
+		// attach them so we don't need to fetch them again later (save some DB calls)
+		GTSBoostedStatus:  targetStatus,
+		GTSBoostedAccount: targetAccount,
+	}
+
+	// put the boost in the database
+	if err := m.db.Put(boostWrapperStatus); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	// pass to the distributor to take care of side effects asynchronously -- federation, mentions, updating metadata, etc, etc
+	m.distributor.FromClientAPI() <- distributor.FromClientAPI{
+		APObjectType:   gtsmodel.ActivityStreamsNote,
+		APActivityType: gtsmodel.ActivityStreamsAnnounce, // boost/reblog is an 'announce' activity
+		Activity:       boostWrapperStatus,
+	}
+
+	// return the frontend representation of the new status to the submitter
+	mastoStatus, err := m.mastoConverter.StatusToMasto(boostWrapperStatus, authed.Account, authed.Account, targetAccount, nil, targetStatus)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, mastoStatus)
+}
diff --git a/internal/apimodule/status/statusreblog_test.go b/internal/apimodule/status/statusreblog_test.go
new file mode 100644
index 000000000..094f8b24a
--- /dev/null
+++ b/internal/apimodule/status/statusreblog_test.go
@@ -0,0 +1,265 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package status_test
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/suite"
+	"github.com/superseriousbusiness/gotosocial/internal/apimodule/status"
+	"github.com/superseriousbusiness/gotosocial/internal/config"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/db/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/distributor"
+	"github.com/superseriousbusiness/gotosocial/internal/mastotypes"
+	mastomodel "github.com/superseriousbusiness/gotosocial/internal/mastotypes/mastomodel"
+	"github.com/superseriousbusiness/gotosocial/internal/media"
+	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+	"github.com/superseriousbusiness/gotosocial/internal/storage"
+	"github.com/superseriousbusiness/gotosocial/testrig"
+)
+
+type StatusReblogTestSuite struct {
+	// standard suite interfaces
+	suite.Suite
+	config         *config.Config
+	db             db.DB
+	log            *logrus.Logger
+	storage        storage.Storage
+	mastoConverter mastotypes.Converter
+	mediaHandler   media.Handler
+	oauthServer    oauth.Server
+	distributor    distributor.Distributor
+
+	// standard suite models
+	testTokens       map[string]*oauth.Token
+	testClients      map[string]*oauth.Client
+	testApplications map[string]*gtsmodel.Application
+	testUsers        map[string]*gtsmodel.User
+	testAccounts     map[string]*gtsmodel.Account
+	testAttachments  map[string]*gtsmodel.MediaAttachment
+	testStatuses     map[string]*gtsmodel.Status
+
+	// module being tested
+	statusModule *status.Module
+}
+
+/*
+	TEST INFRASTRUCTURE
+*/
+
+// SetupSuite sets some variables on the suite that we can use as consts (more or less) throughout
+func (suite *StatusReblogTestSuite) SetupSuite() {
+	// setup standard items
+	suite.config = testrig.NewTestConfig()
+	suite.db = testrig.NewTestDB()
+	suite.log = testrig.NewTestLog()
+	suite.storage = testrig.NewTestStorage()
+	suite.mastoConverter = testrig.NewTestMastoConverter(suite.db)
+	suite.mediaHandler = testrig.NewTestMediaHandler(suite.db, suite.storage)
+	suite.oauthServer = testrig.NewTestOauthServer(suite.db)
+	suite.distributor = testrig.NewTestDistributor()
+
+	// setup module being tested
+	suite.statusModule = status.New(suite.config, suite.db, suite.mediaHandler, suite.mastoConverter, suite.distributor, suite.log).(*status.Module)
+}
+
+func (suite *StatusReblogTestSuite) TearDownSuite() {
+	testrig.StandardDBTeardown(suite.db)
+	testrig.StandardStorageTeardown(suite.storage)
+}
+
+func (suite *StatusReblogTestSuite) SetupTest() {
+	testrig.StandardDBSetup(suite.db)
+	testrig.StandardStorageSetup(suite.storage, "../../../testrig/media")
+	suite.testTokens = testrig.NewTestTokens()
+	suite.testClients = testrig.NewTestClients()
+	suite.testApplications = testrig.NewTestApplications()
+	suite.testUsers = testrig.NewTestUsers()
+	suite.testAccounts = testrig.NewTestAccounts()
+	suite.testAttachments = testrig.NewTestAttachments()
+	suite.testStatuses = testrig.NewTestStatuses()
+}
+
+// TearDownTest drops tables to make sure there's no data in the db
+func (suite *StatusReblogTestSuite) TearDownTest() {
+	testrig.StandardDBTeardown(suite.db)
+	testrig.StandardStorageTeardown(suite.storage)
+}
+
+/*
+	ACTUAL TESTS
+*/
+
+// boost a status
+func (suite *StatusReblogTestSuite) TestPostReblog() {
+
+	t := suite.testTokens["local_account_1"]
+	oauthToken := oauth.TokenToOauthToken(t)
+
+	targetStatus := suite.testStatuses["admin_account_status_1"]
+
+	// setup
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplications["application_1"])
+	ctx.Set(oauth.SessionAuthorizedToken, oauthToken)
+	ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
+	ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
+	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080%s", strings.Replace(status.ReblogPath, ":id", targetStatus.ID, 1)), nil) // the endpoint we're hitting
+
+	// normally the router would populate these params from the path values,
+	// but because we're calling the function directly, we need to set them manually.
+	ctx.Params = gin.Params{
+		gin.Param{
+			Key:   status.IDKey,
+			Value: targetStatus.ID,
+		},
+	}
+
+	suite.statusModule.StatusReblogPOSTHandler(ctx)
+
+	// check response
+	suite.EqualValues(http.StatusOK, recorder.Code)
+
+	result := recorder.Result()
+	defer result.Body.Close()
+	b, err := ioutil.ReadAll(result.Body)
+	assert.NoError(suite.T(), err)
+
+	fmt.Println(string(b))
+
+	statusReply := &mastomodel.Status{}
+	err = json.Unmarshal(b, statusReply)
+	assert.NoError(suite.T(), err)
+
+	assert.False(suite.T(), statusReply.Sensitive)
+	assert.Equal(suite.T(), mastomodel.VisibilityPublic, statusReply.Visibility)
+
+	assert.Equal(suite.T(), targetStatus.ContentWarning, statusReply.SpoilerText)
+	assert.Equal(suite.T(), targetStatus.Content, statusReply.Content)
+	assert.Equal(suite.T(), "the_mighty_zork", statusReply.Account.Username)
+	assert.Len(suite.T(), statusReply.MediaAttachments, 0)
+	assert.Len(suite.T(), statusReply.Mentions, 0)
+	assert.Len(suite.T(), statusReply.Emojis, 0)
+	assert.Len(suite.T(), statusReply.Tags, 0)
+
+	assert.NotNil(suite.T(), statusReply.Application)
+	assert.Equal(suite.T(), "really cool gts application", statusReply.Application.Name)
+
+	assert.NotNil(suite.T(), statusReply.Reblog)
+	assert.Equal(suite.T(), 1, statusReply.Reblog.ReblogsCount)
+	assert.Equal(suite.T(), 1, statusReply.Reblog.FavouritesCount)
+	assert.Equal(suite.T(), targetStatus.Content, statusReply.Reblog.Content)
+	assert.Equal(suite.T(), targetStatus.ContentWarning, statusReply.Reblog.SpoilerText)
+	assert.Equal(suite.T(), targetStatus.AccountID, statusReply.Reblog.Account.ID)
+	assert.Len(suite.T(), statusReply.Reblog.MediaAttachments, 1)
+	assert.Len(suite.T(), statusReply.Reblog.Tags, 1)
+	assert.Len(suite.T(), statusReply.Reblog.Emojis, 1)
+	assert.Equal(suite.T(), "superseriousbusiness", statusReply.Reblog.Application.Name)
+}
+
+// try to boost a status that's not boostable
+func (suite *StatusReblogTestSuite) TestPostUnboostable() {
+
+	t := suite.testTokens["local_account_1"]
+	oauthToken := oauth.TokenToOauthToken(t)
+
+	targetStatus := suite.testStatuses["local_account_2_status_4"]
+
+	// setup
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplications["application_1"])
+	ctx.Set(oauth.SessionAuthorizedToken, oauthToken)
+	ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_1"])
+	ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_1"])
+	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080%s", strings.Replace(status.ReblogPath, ":id", targetStatus.ID, 1)), nil) // the endpoint we're hitting
+
+	// normally the router would populate these params from the path values,
+	// but because we're calling the function directly, we need to set them manually.
+	ctx.Params = gin.Params{
+		gin.Param{
+			Key:   status.IDKey,
+			Value: targetStatus.ID,
+		},
+	}
+
+	suite.statusModule.StatusReblogPOSTHandler(ctx)
+
+	// check response
+	suite.EqualValues(http.StatusForbidden, recorder.Code) // we 403 unboostable statuses
+
+	result := recorder.Result()
+	defer result.Body.Close()
+	b, err := ioutil.ReadAll(result.Body)
+	assert.NoError(suite.T(), err)
+	assert.Equal(suite.T(), fmt.Sprintf(`{"error":"status %s not boostable"}`, targetStatus.ID), string(b))
+}
+
+// try to boost a status that's not visible to the user
+func (suite *StatusReblogTestSuite) TestPostNotVisible() {
+
+	t := suite.testTokens["local_account_2"]
+	oauthToken := oauth.TokenToOauthToken(t)
+
+	targetStatus := suite.testStatuses["local_account_1_status_3"] // this is a mutual only status and these accounts aren't mutuals
+
+	// setup
+	recorder := httptest.NewRecorder()
+	ctx, _ := gin.CreateTestContext(recorder)
+	ctx.Set(oauth.SessionAuthorizedApplication, suite.testApplications["application_1"])
+	ctx.Set(oauth.SessionAuthorizedToken, oauthToken)
+	ctx.Set(oauth.SessionAuthorizedUser, suite.testUsers["local_account_2"])
+	ctx.Set(oauth.SessionAuthorizedAccount, suite.testAccounts["local_account_2"])
+	ctx.Request = httptest.NewRequest(http.MethodPost, fmt.Sprintf("http://localhost:8080%s", strings.Replace(status.ReblogPath, ":id", targetStatus.ID, 1)), nil) // the endpoint we're hitting
+
+	// normally the router would populate these params from the path values,
+	// but because we're calling the function directly, we need to set them manually.
+	ctx.Params = gin.Params{
+		gin.Param{
+			Key:   status.IDKey,
+			Value: targetStatus.ID,
+		},
+	}
+
+	suite.statusModule.StatusReblogPOSTHandler(ctx)
+
+	// check response
+	suite.EqualValues(http.StatusNotFound, recorder.Code) // we 404 statuses that aren't visible
+
+	result := recorder.Result()
+	defer result.Body.Close()
+	b, err := ioutil.ReadAll(result.Body)
+	assert.NoError(suite.T(), err)
+	assert.Equal(suite.T(), fmt.Sprintf(`{"error":"status %s not found"}`, targetStatus.ID), string(b))
+}
+
+func TestStatusReblogTestSuite(t *testing.T) {
+	suite.Run(t, new(StatusReblogTestSuite))
+}
diff --git a/internal/apimodule/status/test/statusunfave_test.go b/internal/apimodule/status/statusunfave_test.go
index 5f5277921..fe7fdec9e 100644
--- a/internal/apimodule/status/test/statusunfave_test.go
+++ b/internal/apimodule/status/statusunfave_test.go
@@ -16,7 +16,7 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
-package status
+package status_test
 
 import (
 	"encoding/json"
@@ -96,7 +96,7 @@ func (suite *StatusUnfaveTestSuite) TearDownSuite() {
 
 func (suite *StatusUnfaveTestSuite) SetupTest() {
 	testrig.StandardDBSetup(suite.db)
-	testrig.StandardStorageSetup(suite.storage, "../../../../testrig/media")
+	testrig.StandardStorageSetup(suite.storage, "../../../testrig/media")
 	suite.testTokens = testrig.NewTestTokens()
 	suite.testClients = testrig.NewTestClients()
 	suite.testApplications = testrig.NewTestApplications()