Fix poll API not requiring authentication on non-public polls #10960

Merged: 2 commits, Jun 4, 2019

@Gargron commented Jun 4, 2019

That API does not reveal the content of the status, i.e. the question itself, nor who the author is, nor which status it belongs to, but it does reveal the poll options and how many answers they got.

Fix #10959
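
The fix described above, as an added example that is not part of this pull request or of Mastodon's code: a handler that returns poll options and vote counts has to apply the parent status's visibility rule to the requester. All names, the simplified visibility rule and the sample data are assumptions made for illustration.

```ruby
# Added illustration, not Mastodon's code; every name below is hypothetical.
Account = Struct.new(:id, :follower_ids)
Status  = Struct.new(:author, :visibility)             # public, unlisted, private, direct
Poll    = Struct.new(:id, :status, :options, :votes)   # votes: option title => count

class NotAuthorized < StandardError; end

# Simplified visibility rule (assumption): public and unlisted are open to all,
# private is limited to the author and followers, direct to the author only.
def can_view?(status, viewer)
  return true if %w[public unlisted].include?(status.visibility)
  return false if viewer.nil?                          # anonymous request
  return true if viewer.id == status.author.id
  status.visibility == 'private' && status.author.follower_ids.include?(viewer.id)
end

def serialize(poll)
  { id: poll.id, options: poll.options.map { |o| { title: o, votes_count: poll.votes.fetch(o, 0) } } }
end

# Before: lookup by poll id alone, so options and counts leak for any status.
def show_poll_unchecked(polls, id, _viewer)
  serialize(polls.fetch(id))
end

# After: the poll inherits the access rule of the status it belongs to.
def show_poll(polls, id, viewer)
  poll = polls.fetch(id)
  raise NotAuthorized unless can_view?(poll.status, viewer)
  serialize(poll)
end

# Outcome of the checked handler, in a form a regression test can assert on.
def outcome(polls, id, viewer)
  show_poll(polls, id, viewer)
  :ok
rescue NotAuthorized
  :denied
end

AUTHOR   = Account.new(1, [2])   # constructed sample data from here on
FOLLOWER = Account.new(2, [])
STRANGER = Account.new(3, [])
POLLS = {
  10 => Poll.new(10, Status.new(AUTHOR, 'public'),  %w[tea coffee], { 'tea' => 3, 'coffee' => 5 }),
  11 => Poll.new(11, Status.new(AUTHOR, 'private'), %w[yes no],     { 'yes' => 1 })
}.freeze

[nil, STRANGER, FOLLOWER, AUTHOR].each { |v| puts "poll 11, viewer #{v ? v.id : 'anonymous'}: #{outcome(POLLS, 11, v)}" }
```

A regression test for this kind of fix should cover the denied cases (anonymous and non-follower) as well as the allowed ones, so that the check cannot be dropped without a failing example.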

@Gargron added the api and security labels Jun 4, 2019

@ClearlyClaire left a comment

LGTM. Adding a test for that might be good.

context 'when parent status is private' do
let(:visibility) { 'private' }

it 'returns http success' do

“returns http unauthorized”

Gargron added 2 commits June 4, 2019 19:36
That API does not reveal the content of the status, i.e. the question
itself, nor who the author is, nor which status it belongs to, but it
does reveal the poll options and how many answers they got

Fix #10959
@Gargron force-pushed the fix-poll-visibility branch from c8bfccf to cc6f74d June 4, 2019 17:36
@Gargron merged commit 48fee1a into master Jun 4, 2019
@Gargron deleted the fix-poll-visibility branch June 4, 2019 18:10
hiyuki2578 pushed a commit to ProjectMyosotis/mastodon that referenced this pull request Oct 2, 2019
…on#10960)

* Fix poll API not requiring authentication on non-public polls

That API does not reveal the content of the status, i.e. the question
itself, nor who the author is, nor which status it belongs to, but it
does reveal the poll options and how many answers they got

Fix mastodon#10959

* Add test
rtucker pushed a commit to vulpineclub/mastodon that referenced this pull request Jan 7, 2021
messenjahofchrist pushed a commit to Origin-Creative/mastodon that referenced this pull request Jul 30, 2021
Successfully merging this pull request may close these issues.

Polls API doesn't require authentication