author | Ivan Tashkinov <ivantashkinov@gmail.com> | 2020-05-17 08:46:43 +0300 |
---|---|---|
committer | Ivan Tashkinov <ivantashkinov@gmail.com> | 2020-05-17 08:46:43 +0300 |
commit | af9dfdce6b502d3a33db7a496879dda56719f56e (patch) | |
tree | dc42177041881f52a28d506963d63cf4d7d43508 /lib | |
parent | d96f8f17e82147c50b3413c3739f5023a5daa834 (diff) | |
MediaController OAuth scope assignments fix.
Typo fix (`def get_media` instead of `def show`).
Diffstat (limited to 'lib')
-rw-r--r-- | lib/pleroma/web/mastodon_api/controllers/media_controller.ex | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/pleroma/web/mastodon_api/controllers/media_controller.ex b/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
index a21233393..afa8b2ea2 100644
--- a/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
+++ b/lib/pleroma/web/mastodon_api/controllers/media_controller.ex
@@ -14,7 +14,8 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
 plug(Pleroma.Web.ApiSpec.CastAndValidate)
 plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)
- plug(OAuthScopesPlug, %{scopes: ["write:media"]})
+ plug(OAuthScopesPlug, %{scopes: ["read:media"]} when action == :show)
+ plug(OAuthScopesPlug, %{scopes: ["write:media"]} when action != :show)
 defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.MediaOperation
@@ -65,6 +66,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
 def update(conn, data), do: show(conn, data)
+ # TODO: clarify: is the access to non-owned objects granted intentionally?
 @doc "GET /api/v1/media/:id"
 def show(conn, %{id: id}) do
 with %Object{data: data, id: object_id} <- Object.get_by_id(id) do
@@ -74,5 +76,5 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
 end
 end
- def get_media(_conn, _data), do: {:error, :bad_request}
+ def show(_conn, _data), do: {:error, :bad_request}
 end |
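Review bot: The `read:media`-only guard on `:show` in the first hunk may lock out clients whose token carries just `write:media`, which this action accepted before the change and which, as far as I know, is the scope Mastodon's API documentation lists for GET /api/v1/media/:id. If OAuthScopesPlug accepts any one of several listed scopes (not visible here, so to be confirmed), `plug(OAuthScopesPlug, %{scopes: ["read:media", "write:media"]} when action == :show)` would keep those clients working while still admitting read-only tokens. A controller test asserting the expected status for a read-only and a write-only token on `show` would pin whichever behaviour is intended.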
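Review bot: The TODO added above `show/2` in the second hunk records an open authorization question instead of settling it: the visible `with` only matches `Object.get_by_id(id)`, and no comparison against the requesting user appears in the lines shown. Together with the first hunk, which lowers the scope required for `:show` to `read:media`, any token holding that scope could presumably read another user's attachment data by id. Either add an ownership check as a further clause of the `with`, failing the same way the controller's other authorization failures do, or replace the TODO with a comment stating why cross-user reads are intended. The body of `show/2` continues past the end of the hunk, so a check may already exist there and should be confirmed.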