media assets: fix md5 leak in media assets.

Fix unprivileged users being able to see images and MD5 hashes of media assets belonging to censored posts.
2022-01-30 23:23:55 -06:00
parent 2fe058eccf
commit 0132c5f0a5
5 changed files with 34 additions and 7 deletions
--- a/app/views/media_assets/show.html.erb
+++ b/app/views/media_assets/show.html.erb
@@ -2,7 +2,9 @@
  <div id="a-show" class="fixed-width-container">
    <h1 class="mb-4">Media Asset</h1>

-    <%= render MediaAssetComponent.new(media_asset: @media_asset) %>
+    <% if policy(@media_asset).can_see_image? %>
+      <%= render MediaAssetComponent.new(media_asset: @media_asset) %>
+    <% end %>

    <table class="striped aligned-vertical">
      <% if @post.present? %>
@@ -12,10 +14,12 @@
        </tr>
      <% end %>

-      <tr>
-        <th>MD5</th>
-        <td><%= @media_asset.md5 %></td>
-      </tr>
+      <% if policy(@media_asset).can_see_image? %>
+        <tr>
+          <th>MD5</th>
+          <td><%= @media_asset.md5 %></td>
+        </tr>
+      <% end %>

      <% @media_asset.metadata.sort.each do |key, value| %>
        <tr>