media assets: fix md5 leak in media assets.

Fix unprivileged users being able to see images and MD5 hashes of media assets belonging to censored posts.
2022-01-30 23:23:55 -06:00
parent 2fe058eccf
commit 0132c5f0a5
5 changed files with 34 additions and 7 deletions
--- a/app/policies/media_asset_policy.rb
+++ b/app/policies/media_asset_policy.rb
@@ -4,4 +4,16 @@ class MediaAssetPolicy < ApplicationPolicy
  def index?
    true
  end
+
+  def can_see_image?
+    record.post.blank? || record.post.visible?(user)
+  end
+
+  def api_attributes
+    if can_see_image?
+      super
+    else
+      super.excluding(:md5)
+    end
+  end
 end