Change quote verification to not bypass authorization flow for mentions (#35528)

2026-02-04 03:25:14 +00:00 · 2025-07-31 09:39:53 +02:00 · 2025-07-31 09:39:53 +02:00 · 572a0e128d
commit 572a0e128d
parent 2131d1ff23
7 changed files with 13 additions and 31 deletions
--- a/spec/policies/status_policy_spec.rb
+++ b/spec/policies/status_policy_spec.rb
@ -94,19 +94,19 @@ RSpec.describe StatusPolicy, type: :model do
        expect(subject).to permit(status.account, status)
      end

-      it 'grants access when direct and viewer is mentioned' do
+      it 'does not grant access access when direct and viewer is mentioned but not explicitly allowed' do
        status.visibility = :direct
-        status.mentions = [Fabricate(:mention, account: alice)]
+        status.mentions = [Fabricate(:mention, account: bob)]

-        expect(subject).to permit(alice, status)
+        expect(subject).to_not permit(bob, status)
      end

-      it 'grants access when direct and non-owner viewer is mentioned and mentions are loaded' do
+      it 'does not grant access access when direct and viewer is mentioned but not explicitly allowed and mentions are loaded' do
        status.visibility = :direct
        status.mentions = [Fabricate(:mention, account: bob)]
        status.active_mentions.load

-        expect(subject).to permit(bob, status)
+        expect(subject).to_not permit(bob, status)
      end

      it 'denies access when direct and viewer is not mentioned' do
@ -123,11 +123,11 @@ RSpec.describe StatusPolicy, type: :model do
        expect(subject).to_not permit(viewer, status)
      end

-      it 'grants access when private and viewer is mentioned' do
+      it 'grants access when private and viewer is mentioned but not otherwise allowed' do
        status.visibility = :private
        status.mentions = [Fabricate(:mention, account: bob)]

-        expect(subject).to permit(bob, status)
+        expect(subject).to_not permit(bob, status)
      end

      it 'denies access when private and non-viewer is mentioned' do
--- a/spec/services/activitypub/verify_quote_service_spec.rb
+++ b/spec/services/activitypub/verify_quote_service_spec.rb
@ -267,9 +267,9 @@ RSpec.describe ActivityPub::VerifyQuoteService do
        quoted_status.mentions << Mention.new(account: account)
      end

-      it 'updates the status' do
+      it 'does not the status' do
        expect { subject.call(quote) }
-          .to change(quote, :state).to('accepted')
+          .to_not change(quote, :state).from('pending')
      end
    end
  end