a64973aecf
Fix OEmbed preview API leaking existence of private statuses (see #12930)
# frozen_string_literal: true
# Web API endpoint that returns OEmbed preview data for a URL supplied by a
# signed-in user.
#
# Security-relevant behaviour visible in this class:
# - The URL is read from params[:url], so it is client-controlled.
# - A status that reports itself as hidden is answered through not_found, the
#   same helper used when no preview can be produced, so the response does
#   not confirm that a private status exists.
# - HTML returned by FetchOEmbedService is run through the sanitizer with the
#   MASTODON_OEMBED config before it is sent back to the client.
class Api::Web::EmbedsController < Api::Web::BaseController
  respond_to :json

  # Runs before every action, ahead of any status lookup or OEmbed fetch.
  before_action :require_user!

  # Renders OEmbed JSON for params[:url].
  #
  # The URL is first resolved through StatusFinder; if that raises
  # ActiveRecord::RecordNotFound the URL is handed to FetchOEmbedService.
  def create
    found = StatusFinder.new(params[:url]).status

    if found.hidden?
      # Hidden statuses must be indistinguishable from missing ones.
      not_found
    else
      render json: found, serializer: OEmbedSerializer, width: 400
    end
  rescue ActiveRecord::RecordNotFound
    # NOTE(review): the client-supplied URL is passed on unchanged; presumably
    # the service performs a server-side request, so destination restrictions
    # have to be enforced in that service or the HTTP layer - confirm.
    preview = FetchOEmbedService.new.call(params[:url])
    return not_found if preview.nil?

    begin
      # Never return the fetched markup unsanitized.
      sanitizer = Formatter.instance
      preview[:html] = sanitizer.sanitize(preview[:html], Sanitize::Config::MASTODON_OEMBED)
    rescue ArgumentError
      # An ArgumentError raised here is answered as not found instead of
      # surfacing as an unhandled error.
      return not_found
    end

    render json: preview
  end
end