Fix some user-independent endpoints potentially reading session cookies (#24650)
This commit is contained in:
parent
276c39361b
commit
1419f90ef2
6 changed files with 32 additions and 0 deletions
|
@ -2,11 +2,17 @@
|
||||||
|
|
||||||
class Api::V1::Instances::ExtendedDescriptionsController < Api::BaseController
|
class Api::V1::Instances::ExtendedDescriptionsController < Api::BaseController
|
||||||
skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
|
skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
|
||||||
|
skip_around_action :set_locale
|
||||||
|
|
||||||
before_action :set_extended_description
|
before_action :set_extended_description
|
||||||
|
|
||||||
vary_by ''
|
vary_by ''
|
||||||
|
|
||||||
|
# Override `current_user` to avoid reading session cookies unless in whitelist mode
|
||||||
|
def current_user
|
||||||
|
super if whitelist_mode?
|
||||||
|
end
|
||||||
|
|
||||||
def show
|
def show
|
||||||
cache_even_if_authenticated!
|
cache_even_if_authenticated!
|
||||||
render json: @extended_description, serializer: REST::ExtendedDescriptionSerializer
|
render json: @extended_description, serializer: REST::ExtendedDescriptionSerializer
|
||||||
|
|
|
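Review bot: The `current_user` override (together with the `skip_around_action :set_locale` beside it) is pasted verbatim into four controllers in this commit — this one, `PeersController`, `RulesController` and `InstancesController` — so the rule that keeps these endpoints away from the session cookie now lives in four places that can drift apart. Extracting it into a concern included by each controller leaves one comment and one override, and gives the next reader a single place to look when another user-independent endpoint is added. Because Devise derives `user_signed_in?` from `current_user`, the override also makes every request look unauthenticated outside whitelist mode; stating that in the comment would make the nil return read as intended rather than accidental. The class body continues outside the hunk (its closing `end` is not shown).
```ruby
# Proposed concern (module name is a placeholder); replaces the four added lines in each API controller
module SessionlessApiEndpoint
  extend ActiveSupport::Concern

  included do
    skip_around_action :set_locale
  end

  # Override `current_user` to avoid reading session cookies unless in whitelist mode.
  # Outside whitelist mode this also makes `user_signed_in?` false for every request.
  def current_user
    super if whitelist_mode?
  end
end
```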
@ -4,9 +4,15 @@ class Api::V1::Instances::PeersController < Api::BaseController
|
||||||
before_action :require_enabled_api!
|
before_action :require_enabled_api!
|
||||||
|
|
||||||
skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
|
skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
|
||||||
|
skip_around_action :set_locale
|
||||||
|
|
||||||
vary_by ''
|
vary_by ''
|
||||||
|
|
||||||
|
# Override `current_user` to avoid reading session cookies unless in whitelist mode
|
||||||
|
def current_user
|
||||||
|
super if whitelist_mode?
|
||||||
|
end
|
||||||
|
|
||||||
def index
|
def index
|
||||||
cache_even_if_authenticated!
|
cache_even_if_authenticated!
|
||||||
render_with_cache(expires_in: 1.day) { Instance.where.not(domain: DomainBlock.select(:domain)).pluck(:domain) }
|
render_with_cache(expires_in: 1.day) { Instance.where.not(domain: DomainBlock.select(:domain)).pluck(:domain) }
|
||||||
|
|
|
@ -2,11 +2,17 @@
|
||||||
|
|
||||||
class Api::V1::Instances::RulesController < Api::BaseController
|
class Api::V1::Instances::RulesController < Api::BaseController
|
||||||
skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
|
skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
|
||||||
|
skip_around_action :set_locale
|
||||||
|
|
||||||
before_action :set_rules
|
before_action :set_rules
|
||||||
|
|
||||||
vary_by ''
|
vary_by ''
|
||||||
|
|
||||||
|
# Override `current_user` to avoid reading session cookies unless in whitelist mode
|
||||||
|
def current_user
|
||||||
|
super if whitelist_mode?
|
||||||
|
end
|
||||||
|
|
||||||
def index
|
def index
|
||||||
cache_even_if_authenticated!
|
cache_even_if_authenticated!
|
||||||
render json: @rules, each_serializer: REST::RuleSerializer
|
render json: @rules, each_serializer: REST::RuleSerializer
|
||||||
|
|
|
@ -2,9 +2,15 @@
|
||||||
|
|
||||||
class Api::V1::InstancesController < Api::BaseController
|
class Api::V1::InstancesController < Api::BaseController
|
||||||
skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
|
skip_before_action :require_authenticated_user!, unless: :whitelist_mode?
|
||||||
|
skip_around_action :set_locale
|
||||||
|
|
||||||
vary_by ''
|
vary_by ''
|
||||||
|
|
||||||
|
# Override `current_user` to avoid reading session cookies unless in whitelist mode
|
||||||
|
def current_user
|
||||||
|
super if whitelist_mode?
|
||||||
|
end
|
||||||
|
|
||||||
def show
|
def show
|
||||||
cache_even_if_authenticated!
|
cache_even_if_authenticated!
|
||||||
render_with_cache json: InstancePresenter.new, serializer: REST::V1::InstanceSerializer, root: 'instance'
|
render_with_cache json: InstancePresenter.new, serializer: REST::V1::InstanceSerializer, root: 'instance'
|
||||||
|
|
|
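Review bot: None of the six changed files is a spec, so nothing in the commit pins the property it fixes — that an unauthenticated request to these endpoints outside whitelist mode comes back without a `Set-Cookie` header. A request spec per endpoint asserting `response.headers['Set-Cookie']` is absent (and that the public cache headers from `cache_even_if_authenticated!` are still present) would catch a future callback that reaches into the session again; the same check applies to the other five controllers in this commit. Separately, `show` still feeds `InstancePresenter.new` through `REST::V1::InstanceSerializer`; if that serializer reads `scope`, it now receives nil outside whitelist mode — presumably harmless for instance metadata, but worth confirming.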
@ -1,6 +1,10 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class ManifestsController < ActionController::Base # rubocop:disable Rails/ApplicationController
|
class ManifestsController < ActionController::Base # rubocop:disable Rails/ApplicationController
|
||||||
|
# Prevent `active_model_serializer`'s `ActionController::Serialization` from calling `current_user`
|
||||||
|
# and thus re-issuing session cookies
|
||||||
|
serialization_scope nil
|
||||||
|
|
||||||
def show
|
def show
|
||||||
expires_in 3.minutes, public: true
|
expires_in 3.minutes, public: true
|
||||||
render json: InstancePresenter.new, serializer: ManifestSerializer, root: 'instance'
|
render json: InstancePresenter.new, serializer: ManifestSerializer, root: 'instance'
|
||||||
|
|
|
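Review bot: `serialization_scope nil` removes the scope for every serializer this controller renders, not only the `current_user` lookup the comment names, so `ManifestSerializer` — and `NodeInfo::DiscoverySerializer` in the `NodeInfoController` hunk, which adds the same two comment lines — must not depend on `scope`; extending the comment with `# Serializers rendered here must therefore not rely on `scope`/`current_user`.` makes that constraint explicit. Both controllers derive from `ActionController::Base` directly, so the `ApplicationController` callbacks are not in play here, which is presumably why `serialization_scope nil` alone suffices while the API controllers also needed a `current_user` override; a one-line note saying so would save the next reader from asking why the two fixes differ.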
@ -4,6 +4,10 @@ module WellKnown
|
||||||
class NodeInfoController < ActionController::Base # rubocop:disable Rails/ApplicationController
|
class NodeInfoController < ActionController::Base # rubocop:disable Rails/ApplicationController
|
||||||
include CacheConcern
|
include CacheConcern
|
||||||
|
|
||||||
|
# Prevent `active_model_serializer`'s `ActionController::Serialization` from calling `current_user`
|
||||||
|
# and thus re-issuing session cookies
|
||||||
|
serialization_scope nil
|
||||||
|
|
||||||
def index
|
def index
|
||||||
expires_in 3.days, public: true
|
expires_in 3.days, public: true
|
||||||
render_with_cache json: {}, serializer: NodeInfo::DiscoverySerializer, adapter: NodeInfo::Adapter, expires_in: 3.days, root: 'nodeinfo'
|
render_with_cache json: {}, serializer: NodeInfo::DiscoverySerializer, adapter: NodeInfo::Adapter, expires_in: 3.days, root: 'nodeinfo'
|
||||||
|
|