Prevent unauthenticated access to tag timelines if timeline_preview is disabled

2022-12-21 13:58:32 +11:00
2 changed files with 11 additions and 6 deletions
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -259,19 +259,19 @@ GEM
    ffi-compiler (1.0.1)
      ffi (>= 1.0.0)
      rake
-    fog-core (2.1.0)
+    fog-core (2.3.0)
      builder
-      excon (~> 0.58)
-      formatador (~> 0.2)
+      excon (~> 0.71)
+      formatador (>= 0.2, < 2.0)
      mime-types
    fog-json (1.2.0)
      fog-core
      multi_json (~> 1.10)
-    fog-openstack (0.3.10)
-      fog-core (>= 1.45, <= 2.1.0)
+    fog-openstack (0.3.2)
+      fog-core (~> 2.1)
      fog-json (>= 1.0)
      ipaddress (>= 0.8)
-    formatador (0.3.0)
+    formatador (1.1.0)
    fugit (1.7.1)
      et-orbi (~> 1, >= 1.2.7)
      raabro (~> 1.4)
--- a/app/controllers/api/v1/timelines/tag_controller.rb
+++ b/app/controllers/api/v1/timelines/tag_controller.rb
@ -1,6 +1,7 @@
 # frozen_string_literal: true

 class Api::V1::Timelines::TagController < Api::BaseController
+  before_action :require_user!, only: [:show], if: :require_auth?
  before_action :load_tag
  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }

@ -10,6 +11,10 @@ class Api::V1::Timelines::TagController < Api::BaseController
  end

  private
+  
+  def require_auth?
+    !Setting.timeline_preview
+  end

  def load_tag
    @tag = Tag.find_normalized(params[:id])