FIX: self-onebox in read protected categories

lib/onebox/engine/discourse_local_onebox.rb

@@ -26,7 +26,7 @@ module Onebox
 
         case route[:controller]
         when "uploads" then upload_html(path)
-        when "topics"  then topic_html(path, route)
+        when "topics"  then topic_html(route)
         end
       end
 
@@ -41,13 +41,14 @@ module Onebox
           end
         end
 
-        def topic_html(path, route)
+        def topic_html(route)
           link = "<a href='#{@url}'>#{@url}</a>"
           source_topic_id = @url[/[&?]source_topic_id=(\d+)/, 1].to_i
+          source_topic = Topic.find_by(id: source_topic_id) if source_topic_id > 0
 
           if route[:post_number].present? && route[:post_number].to_i > 1
             post = Post.find_by(topic_id: route[:topic_id], post_number: route[:post_number])
-            return link if post.nil? || post.hidden || !Guardian.new.can_see?(post)
+            return link unless can_see_post?(post, source_topic)
 
             topic = post.topic
             slug = Slug.for(topic.title)
@@ -63,7 +64,7 @@ module Onebox
             PrettyText.cook(quote, args)
           else
             topic = Topic.find_by(id: route[:topic_id])
-            return link if topic.nil? || !Guardian.new.can_see?(topic)
+            return link unless can_see_topic?(topic, source_topic)
 
             first_post = topic.ordered_posts.first
 
@@ -81,6 +82,20 @@ module Onebox
           end
         end
 
+        def can_see_post?(post, source_topic)
+          return false if post.nil? || post.hidden || post.trashed? || post.topic.nil?
+          Guardian.new.can_see_post?(post) || same_category?(post.topic.category, source_topic)
+        end
+
+        def can_see_topic?(topic, source_topic)
+          return false if topic.nil? || topic.trashed? || topic.private_message?
+          Guardian.new.can_see_topic?(topic) || same_category?(topic.category, source_topic)
+        end
+
+        def same_category?(category, source_topic)
+          source_topic.try(:category_id) == category.try(:id)
+        end
+
     end
   end
 end

spec/components/onebox/engine/discourse_local_onebox_spec.rb

@@ -15,7 +15,7 @@ describe Onebox::Engine::DiscourseLocalOnebox do
 
     it "returns a link if not allowed to see the post" do
       url = "#{Discourse.base_url}#{post2.url}"
-      Guardian.any_instance.stubs(:can_see?).returns(false)
+      Guardian.any_instance.expects(:can_see_post?).returns(false)
       expect(Onebox.preview(url).to_s).to eq("<a href='#{url}'>#{url}</a>")
     end
 
@@ -46,9 +46,9 @@ describe Onebox::Engine::DiscourseLocalOnebox do
       expect(Onebox.preview(url).to_s).to eq("<a href='#{url}'>#{url}</a>")
     end
 
-    it "returns a link if not allowed to see the post" do
+    it "returns a link if not allowed to see the topic" do
       url = topic.url
-      Guardian.any_instance.stubs(:can_see?).returns(false)
+      Guardian.any_instance.expects(:can_see_topic?).returns(false)
       expect(Onebox.preview(url).to_s).to eq("<a href='#{url}'>#{url}</a>")
     end
 
@@ -57,8 +57,7 @@ describe Onebox::Engine::DiscourseLocalOnebox do
       expect(Onebox.preview(topic.url).to_s).to match(/hamburger\.png/)
     end
 
-    it "returns some onebox goodness if post exists and can be seen" do
-      Guardian.any_instance.stubs(:can_see?).returns(true)
+    it "returns some onebox goodness if topic exists and can be seen" do
       html = Onebox.preview(topic.url).to_s
       expect(html).to include(topic.ordered_posts.first.user.username)
       expect(html).to include("<blockquote>")
@@ -101,7 +100,6 @@ describe Onebox::Engine::DiscourseLocalOnebox do
 
       it "returns some onebox goodness if post exists and can be seen" do
         url = "#{Discourse.base_url}#{post2.url}?source_topic_id=#{post2.topic_id+1}"
-        Guardian.any_instance.stubs(:can_see?).returns(true)
         html = Onebox.preview(url).to_s
         expect(html).to include(post2.excerpt)
         expect(html).to include(post2.topic.title)