Merge pull request from GHSA-58x8-3qxw-6hm7

* Fix insufficient permission checking for public timeline endpoints Note that this changes unauthenticated access failure code from 401 to 422 * Add more tests for public timelines * Require user token in `/api/v1/statuses/:id/translate` and `/api/v1/scheduled_statuses`
2024-07-04 16:26:49 +02:00 · 2024-07-04 16:26:49 +02:00 · 502cf75b16
commit 502cf75b16
parent 395f17ca17
11 changed files with 82 additions and 23 deletions
--- a/spec/requests/api/v1/scheduled_status_spec.rb
+++ b/spec/requests/api/v1/scheduled_status_spec.rb
@ -25,6 +25,17 @@ describe 'Scheduled Statuses' do
      it_behaves_like 'forbidden for wrong scope', 'write write:statuses'
    end

+    context 'with an application token' do
+      let(:token) { Fabricate(:accessible_access_token, resource_owner_id: nil, scopes: 'read:statuses') }
+
+      it 'returns http unprocessable entity' do
+        get api_v1_scheduled_statuses_path, headers: headers
+
+        expect(response)
+          .to have_http_status(422)
+      end
+    end
+
    context 'with correct scope' do
      let(:scopes) { 'read:statuses' }