Fix suspended users being able to access APIs that don't require a user (#18524)
This commit is contained in:
parent
96129c2f10
commit
9f81b9f29a
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
class ActivityPub::BaseController < Api::BaseController
|
class ActivityPub::BaseController < Api::BaseController
|
||||||
skip_before_action :require_authenticated_user!
|
skip_before_action :require_authenticated_user!
|
||||||
|
skip_before_action :require_not_suspended!
|
||||||
skip_around_action :set_locale
|
skip_around_action :set_locale
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
|
@ -11,6 +11,7 @@ class Api::BaseController < ApplicationController
|
||||||
skip_before_action :require_functional!, unless: :whitelist_mode?
|
skip_before_action :require_functional!, unless: :whitelist_mode?
|
||||||
|
|
||||||
before_action :require_authenticated_user!, if: :disallow_unauthenticated_api_access?
|
before_action :require_authenticated_user!, if: :disallow_unauthenticated_api_access?
|
||||||
|
before_action :require_not_suspended!
|
||||||
before_action :set_cache_headers
|
before_action :set_cache_headers
|
||||||
|
|
||||||
protect_from_forgery with: :null_session
|
protect_from_forgery with: :null_session
|
||||||
|
@ -97,6 +98,10 @@ class Api::BaseController < ApplicationController
|
||||||
render json: { error: 'This method requires an authenticated user' }, status: 401 unless current_user
|
render json: { error: 'This method requires an authenticated user' }, status: 401 unless current_user
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def require_not_suspended!
|
||||||
|
render json: { error: 'Your login is currently disabled' }, status: 403 if current_user&.account&.suspended?
|
||||||
|
end
|
||||||
|
|
||||||
def require_user!
|
def require_user!
|
||||||
if !current_user
|
if !current_user
|
||||||
render json: { error: 'This method requires an authenticated user' }, status: 422
|
render json: { error: 'This method requires an authenticated user' }, status: 422
|
||||||
|
|
Loading…
Reference in New Issue