discourse/app/controllers/user_actions_controller.rb

# frozen_string_literal: true

class UserActionsController < ApplicationController
  def index
    user_actions_params.require(:username)

    user =
      fetch_user_from_params(
        include_inactive:
          current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts),
      )
    offset = [0, user_actions_params[:offset].to_i].max
    action_types = (user_actions_params[:filter] || "").split(",").map(&:to_i)
    limit = user_actions_params.fetch(:limit, 30).to_i

    raise Discourse::NotFound unless guardian.can_see_profile?(user)
    raise Discourse::NotFound unless guardian.can_see_user_actions?(user, action_types)

    opts = {
      user_id: user.id,
      user: user,
      offset: offset,
      limit: limit,
      action_types: action_types,
      guardian: guardian,
      ignore_private_messages: params[:filter].blank?,
      acting_username: params[:acting_username],
    }

    stream = UserAction.stream(opts).to_a
    render_serialized(stream, UserActionSerializer, root: "user_actions")
  end

  def show
    params.require(:id)
    render_serialized(UserAction.stream_item(params[:id], guardian), UserActionSerializer)
  end

  def private_messages
    # DO NOT REMOVE
    # TODO should preload messages to avoid extra http req
  end

  private

  def user_actions_params
    @user_actions_params ||= params.permit(:username, :filter, :offset, :acting_username, :limit)
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`class UserActionsController < ApplicationController`
			`def index`
FIX: Sanitize parameters provided to user actions Currently, providing things like `filter[%24acunetix]=1` to `UserActionsController#index` will throw an exception because instead of getting a string as expected, we get a hash instead. This patch simply uses `#permit` from strong parameters properly: first we apply it on the whole parameters, this way it filters the keys we’re interested in. By doing this, if the value is a hash for example, the whole key/value pair will be ignored completely. 2022-02-22 06:02:04 -05:00			`user_actions_params.require(:username)`
introduce strong_parameters 2013-05-26 21:02:58 -04:00
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`user =`
			`fetch_user_from_params(`
			`include_inactive:`
			`current_user.try(:staff?) \|\| (current_user && SiteSetting.show_inactive_accounts),`
			`)`
FIX: Sanitize parameters provided to user actions Currently, providing things like `filter[%24acunetix]=1` to `UserActionsController#index` will throw an exception because instead of getting a string as expected, we get a hash instead. This patch simply uses `#permit` from strong parameters properly: first we apply it on the whole parameters, this way it filters the keys we’re interested in. By doing this, if the value is a hash for example, the whole key/value pair will be ignored completely. 2022-02-22 06:02:04 -05:00			`offset = [0, user_actions_params[:offset].to_i].max`
			`action_types = (user_actions_params[:filter] \|\| "").split(",").map(&:to_i)`
			`limit = user_actions_params.fetch(:limit, 30).to_i`
Refactor + Fix: Wasn't correctly loading activity streams. Code is a lot more Ember-y now. 2013-05-22 11:20:16 -04:00
FIX: restrict other user's notification routes (#14442) It was possible to see notifications of other users using routes: - notifications/responses - notifications/likes-received - notifications/mentions - notifications/edits We weren't showing anything private (like notifications about private messages), only things that're publicly available in other places. But anyway, it feels strange that it's possible to look at notifications of someone else. Additionally, there is a risk that we can unintentionally leak something on these pages in the future. This commit restricts these routes. 2021-09-29 08:24:28 -04:00			`raise Discourse::NotFound unless guardian.can_see_profile?(user)`
			`raise Discourse::NotFound unless guardian.can_see_user_actions?(user, action_types)`

FEATURE: Consolidate likes notifications. (#6879) 2019-01-15 21:40:16 -05:00			`opts = {`
			`user_id: user.id,`
			`user: user,`
FIX: ensure offset is always positive 2019-08-20 06:03:16 -04:00			`offset: offset,`
FEATURE: Quick access panels in user menu (#8073) * Extract QuickAccessPanel from UserNotifications. * FEATURE: Quick access panels in user menu. This feature adds quick access panels for bookmarks and personal messages. It allows uses to browse recent items directly in the user menu, without being redirected to the full pages. * REFACTOR: Use QuickAccessItem for messages. Reusing `DefaultNotificationItem` feels nice but it actually requires a lot of extra work that is not needed for a quick access item. Also, `DefaultNotificationItem` shows an incorrect tooptip ("unread private message"), and it is not trivial to remove / override that. * Use a plain JS object instead. An Ember object was required when `DefaultNotificationItem` was used. * Prefix instead suffix `_` for private helpers. * Set to null instead of deleting object keys. JavaScript engines can optimize object property access based on the object’s shape. https://mathiasbynens.be/notes/shapes-ics * Change trivial try/catch to one-liners. * Return the promise in case needs to be waited on. * Refactor showAll to a link with href * Store `emptyStatePlaceholderItemText` in state. * Store items in Session singleton instead. We can drop `staleItems` (and `findStaleItems`) altogether. Because `(old) items === staleItems` when switching back to a quick access panel. * Add `limit` parameter to the `user_actions` API. * Explicitly import Session instead. 2019-09-09 11:03:57 -04:00			`limit: limit,`
FEATURE: Consolidate likes notifications. (#6879) 2019-01-15 21:40:16 -05:00			`action_types: action_types,`
			`guardian: guardian,`
FIX: Sanitize parameters provided to user actions Currently, providing things like `filter[%24acunetix]=1` to `UserActionsController#index` will throw an exception because instead of getting a string as expected, we get a hash instead. This patch simply uses `#permit` from strong parameters properly: first we apply it on the whole parameters, this way it filters the keys we’re interested in. By doing this, if the value is a hash for example, the whole key/value pair will be ignored completely. 2022-02-22 06:02:04 -05:00			`ignore_private_messages: params[:filter].blank?,`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`acting_username: params[:acting_username],`
FEATURE: Consolidate likes notifications. (#6879) 2019-01-15 21:40:16 -05:00			`}`
Users can see their pending posts 2015-04-21 14:36:46 -04:00
FEATURE: New 'Reviewable' model to make reviewable items generic Includes support for flags, reviewable users and queued posts, with REST API backwards compatibility. Co-Authored-By: romanrizzi <romanalejandro@gmail.com> Co-Authored-By: jjaffeux <j.jaffeux@gmail.com> 2019-01-03 12:03:01 -05:00			`stream = UserAction.stream(opts).to_a`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 07:20:10 -05:00			`render_serialized(stream, UserActionSerializer, root: "user_actions")`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

			`def show`
introduce strong_parameters 2013-05-26 21:02:58 -04:00			`params.require(:id)`
SECURITY: User action route was returning too much data 2014-08-29 13:46:50 -04:00			`render_serialized(UserAction.stream_item(params[:id], guardian), UserActionSerializer)`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

BUGFIX: 404 on /users/:user/private-messages 2014-05-12 06:02:32 -04:00			`def private_messages`
			`# DO NOT REMOVE`
FEATURE: split up group PMS on user page 2015-12-09 19:39:33 -05:00			`# TODO should preload messages to avoid extra http req`
BUGFIX: 404 on /users/:user/private-messages 2014-05-12 06:02:32 -04:00			`end`

FIX: Sanitize parameters provided to user actions Currently, providing things like `filter[%24acunetix]=1` to `UserActionsController#index` will throw an exception because instead of getting a string as expected, we get a hash instead. This patch simply uses `#permit` from strong parameters properly: first we apply it on the whole parameters, this way it filters the keys we’re interested in. By doing this, if the value is a hash for example, the whole key/value pair will be ignored completely. 2022-02-22 06:02:04 -05:00			`private`

			`def user_actions_params`
			`@user_actions_params \|\|= params.permit(:username, :filter, :offset, :acting_username, :limit)`
			`end`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`