SECURITY: correct local onebox category checks

Also removes ugly "source_topic_id" from cooked posts Patch was authored by @zogstrip Signed-off-by: Sam <sam.saffron@gmail.com>
2025-02-25 18:55:32 -06:00 · 2018-02-14 10:39:44 +11:00
parent 548db91c76
commit f028ffaf29
14 changed files with 251 additions and 361 deletions
--- a/app/controllers/onebox_controller.rb
+++ b/app/controllers/onebox_controller.rb
@@ -14,13 +14,19 @@ class OneboxController < ApplicationController
    return render(body: nil, status: 429) if Oneboxer.is_previewing?(current_user.id)

    user_id = current_user.id
+    category_id = params[:category_id].to_i
    invalidate = params[:refresh] == 'true'
    url = params[:url]

    hijack do
      Oneboxer.preview_onebox!(user_id)

-      preview = Oneboxer.preview(url, invalidate_oneboxes: invalidate)
+      preview = Oneboxer.preview(url,
+        invalidate_oneboxes: invalidate,
+        user_id: user_id,
+        category_id: category_id
+      )
+
      preview.strip! if preview.present?

      Oneboxer.onebox_previewed!(user_id)