FIX: Make inline oneboxes work with secured topics in secured contexts (#8895)

2025-02-25 18:55:32 -06:00 · 2020-02-12 12:11:28 +02:00
parent d7d4612b2d
commit ec40242b5c
8 changed files with 89 additions and 38 deletions
--- a/lib/cooked_post_processor.rb
+++ b/lib/cooked_post_processor.rb
@@ -710,7 +710,9 @@ class CookedPostProcessor
  def process_inline_onebox(element)
    inline_onebox = InlineOneboxer.lookup(
      element.attributes["href"].value,
-      invalidate: !!@opts[:invalidate_oneboxes]
+      invalidate: !!@opts[:invalidate_oneboxes],
+      user_id: @post&.user_id,
+      category_id: @post&.topic&.category_id
    )

    if title = inline_onebox&.dig(:title)
--- a/lib/inline_oneboxer.rb
+++ b/lib/inline_oneboxer.rb
@@ -33,11 +33,11 @@ class InlineOneboxer
    return unless url

    if route = Discourse.route_for(url)
-      if route[:controller] == "topics" &&
-        route[:action] == "show" &&
-        topic = Topic.where(id: route[:topic_id].to_i).first
-
-        return onebox_for(url, topic.title, opts) if Guardian.new.can_see?(topic)
+      if route[:controller] == "topics"
+        if topic = Oneboxer.local_topic(url, route, opts)
+          opts[:skip_cache] = true
+          return onebox_for(url, topic.title, opts)
+        end
      end
    end

--- a/lib/oneboxer.rb
+++ b/lib/oneboxer.rb
@@ -208,15 +208,15 @@ module Oneboxer
    end
  end

-  def self.local_topic_html(url, route, opts)
-    return unless current_user = User.find_by(id: opts[:user_id])
+  def self.local_topic(url, route, opts)
+    if current_user = User.find_by(id: opts[:user_id])
+      if current_category = Category.find_by(id: opts[:category_id])
+        return unless Guardian.new(current_user).can_see_category?(current_category)
+      end

-    if current_category = Category.find_by(id: opts[:category_id])
-      return unless Guardian.new(current_user).can_see_category?(current_category)
-    end
-
-    if current_topic = Topic.find_by(id: opts[:topic_id])
-      return unless Guardian.new(current_user).can_see_topic?(current_topic)
+      if current_topic = Topic.find_by(id: opts[:topic_id])
+        return unless Guardian.new(current_user).can_see_topic?(current_topic)
+      end
    end

    topic = Topic.find_by(id: route[:topic_id])
@@ -224,10 +224,16 @@ module Oneboxer
    return unless topic
    return if topic.private_message?

-    if current_category&.id != topic.category_id
+    if current_category.blank? || current_category.id != topic.category_id
      return unless Guardian.new.can_see_topic?(topic)
    end

+    topic
+  end
+
+  def self.local_topic_html(url, route, opts)
+    return unless topic = local_topic(url, route, opts)
+
    post_number = route[:post_number].to_i

    post = post_number > 1 ?
@@ -236,7 +242,7 @@ module Oneboxer

    return if !post || post.hidden || !allowed_post_types.include?(post.post_type)

-    if post_number > 1 && current_topic&.id == topic.id
+    if post_number > 1 && opts[:topic_id] == topic.id
      excerpt = post.excerpt(SiteSetting.post_onebox_maxlength)
      excerpt.gsub!(/[\r\n]+/, " ")
      excerpt.gsub!("[/quote]", "[quote]") # don't break my quote