Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/app/controllers/posts_controller.rb

Failed to ignore revisions in .git-blame-ignore-revs.

814 lines
25 KiB
Ruby
Raw Normal View History

DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging
2019-05-02 18:17:27 -04:00
# frozen_string_literal: true
Initial release of Discourse
2013-02-05 14:16:51 -05:00
class PostsController < ApplicationController
Refactor requires login logic, reduce duplicate code This also corrects the positioning in the chain of the check and removes misuse of prepend_before_action
2018-01-31 23:17:59 -05:00
requires_login except: [
FEATURE: Staff members can lock posts Locking a post prevents it from being edited. This is useful if the user has posted something which has been edited out, and the staff members don't want them to be able to edit it back in again.
2018-01-25 15:38:40 -05:00
:show,
:replies,
:by_number,
FEATURE: allows to jump to a date in a topic
2018-07-19 10:00:13 -04:00
:by_date,
FEATURE: Staff members can lock posts Locking a post prevents it from being edited. This is useful if the user has posted something which has been edited out, and the staff members don't want them to be able to edit it back in again.
2018-01-25 15:38:40 -05:00
:short_link,
:reply_history,
:replyIids,
:revisions,
:latest_revision,
:expand_embed,
:markdown_id,
:markdown_num,
:cooked,
:latest,
:user_posts_feed
]
skip_before_action :preload_json, :check_xhr, only: [
:markdown_id,
:markdown_num,
:short_link,
:latest,
:user_posts_feed
]
route for markdown /md/topic_id/post_number
2013-04-30 02:29:57 -04:00
Fix /p/post/user route not saving referrals Make user id optional for /p/id/uid Add /posts/id/raw route for debugging failed post processing
2014-07-11 17:34:26 -04:00
def markdown_id
markdown Post.find(params[:id].to_i)
end
def markdown_num
FEATURE: support linking to a specific revision of a topic/post
2015-10-19 05:01:29 -04:00
if params[:revision].present?
post_revision = find_post_revision_from_topic_id
SECURITY: prefer render plain/html to render text where possible
2017-04-10 08:01:25 -04:00
render plain: post_revision.modifications[:raw].last
FEATURE: support linking to a specific revision of a topic/post
2015-10-19 05:01:29 -04:00
else
markdown Post.find_by(topic_id: params[:topic_id].to_i, post_number: (params[:post_number] || 1).to_i)
end
Fix /p/post/user route not saving referrals Make user id optional for /p/id/uid Add /posts/id/raw route for debugging failed post processing
2014-07-11 17:34:26 -04:00
end
def markdown(post)
route for markdown /md/topic_id/post_number
2013-04-30 02:29:57 -04:00
if post && guardian.can_see?(post)
SECURITY: prefer render plain/html to render text where possible
2017-04-10 08:01:25 -04:00
render plain: post.raw
route for markdown /md/topic_id/post_number
2013-04-30 02:29:57 -04:00
else
raise Discourse::NotFound
end
end
track incoming links, amend share link to include user fix pm styling
2013-04-24 04:05:35 -04:00
FEATURE: Latest posts endpoint at /posts.json
2015-01-24 00:04:14 -05:00
def latest
FEATURE: Enable pagination of /posts.json
2015-01-24 00:22:19 -05:00
params.permit(:before)
last_post_id = params[:before].to_i
last_post_id = Post.last.id if last_post_id <= 0
FEATURE: separate API endpoints for public and private posts
2016-03-21 06:22:36 -04:00
if params[:id] == "private_posts"
raise Discourse::NotFound if current_user.nil?
posts = Post.private_posts
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
.order(created_at: :desc)
.where('posts.id <= ?', last_post_id)
.where('posts.id > ?', last_post_id - 50)
.includes(topic: :category)
.includes(user: :primary_group)
.includes(:reply_to_user)
.limit(50)
FEATURE: separate API endpoints for public and private posts
2016-03-21 06:22:36 -04:00
rss_description = I18n.t("rss_description.private_posts")
else
posts = Post.public_posts
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
.order(created_at: :desc)
.where('posts.id <= ?', last_post_id)
.where('posts.id > ?', last_post_id - 50)
.includes(topic: :category)
.includes(user: :primary_group)
.includes(:reply_to_user)
.limit(50)
FEATURE: separate API endpoints for public and private posts
2016-03-21 06:22:36 -04:00
rss_description = I18n.t("rss_description.posts")
end
FEATURE: Latest posts endpoint at /posts.json
2015-01-24 00:04:14 -05:00
# Remove posts the user doesn't have permission to see
# This isn't leaking any information we weren't already through the post ID numbers
Don't error on posts#latest if a post does not have a topic
2015-10-16 07:44:48 -04:00
posts = posts.reject { |post| !guardian.can_see?(post) || post.topic.blank? }
FEATURE: Latest posts endpoint at /posts.json
2015-01-24 00:04:14 -05:00
counts = PostAction.counts_for(posts, current_user)
FEATURE: latest posts RSS feed
2015-06-09 07:39:03 -04:00
respond_to do |format|
format.rss do
@posts = posts
FEATURE: separate API endpoints for public and private posts
2016-03-21 06:22:36 -04:00
@title = "#{SiteSetting.title} - #{rss_description}"
FEATURE: latest posts RSS feed
2015-06-09 07:39:03 -04:00
@link = Discourse.base_url
FIX: update RSS description for public/private posts
2016-03-21 09:15:16 -04:00
@description = rss_description
FEATURE: latest posts RSS feed
2015-06-09 07:39:03 -04:00
render 'posts/latest', formats: [:rss]
end
format.json do
render_json_dump(serialize_data(posts,
PostSerializer,
scope: guardian,
FEATURE: separate API endpoints for public and private posts
2016-03-21 06:22:36 -04:00
root: params[:id],
FEATURE: latest posts RSS feed
2015-06-09 07:39:03 -04:00
add_raw: true,
FEATURE: Include topic title, category in posts.json
2015-09-01 20:45:09 -04:00
add_title: true,
FEATURE: latest posts RSS feed
2015-06-09 07:39:03 -04:00
all_post_actions: counts)
)
end
end
FEATURE: Latest posts endpoint at /posts.json
2015-01-24 00:04:14 -05:00
end
FEATURE: RSS feed for user posts and topics
2016-03-31 09:10:50 -04:00
def user_posts_feed
params.require(:username)
user = fetch_user_from_params
posts = Post.public_posts
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
.where(user_id: user.id)
.where(post_type: Post.types[:regular])
.order(created_at: :desc)
.includes(:user)
.includes(topic: :category)
.limit(50)
FEATURE: RSS feed for user posts and topics
2016-03-31 09:10:50 -04:00
posts = posts.reject { |post| !guardian.can_see?(post) || post.topic.blank? }
FEATURE: Show "Recently used devices" in user preferences (#6335) * FEATURE: Added MaxMindDb to resolve IP information. * FEATURE: Added browser detection based on user agent. * FEATURE: Added recently used devices in user preferences. * DEV: Added acceptance test for recently used devices. * UX: Do not show 'Show more' button if there aren't more tokens. * DEV: Fix unit tests. * DEV: Make changes after code review. * Add more detailed unit tests. * Improve logging messages. * Minor coding style fixes. * DEV: Use DropdownSelectBoxComponent and run Prettier. * DEV: Fix unit tests.
2018-10-09 10:21:41 -04:00
respond_to do |format|
format.rss do
@posts = posts
@title = "#{SiteSetting.title} - #{I18n.t("rss_description.user_posts", username: user.username)}"
@link = "#{Discourse.base_url}/u/#{user.username}/activity"
@description = I18n.t("rss_description.user_posts", username: user.username)
render 'posts/latest', formats: [:rss]
end
format.json do
render_json_dump(serialize_data(posts,
PostSerializer,
scope: guardian,
add_excerpt: true)
)
end
end
FEATURE: RSS feed for user posts and topics
2016-03-31 09:10:50 -04:00
end
FEATURE: Can click to expand hidden posts to see the good stuff!
2014-06-20 17:06:44 -04:00
def cooked
UX: display text & html parts alongside raw email in incoming email modal
2017-03-08 17:15:42 -05:00
render json: { cooked: find_post_from_params.cooked }
FEATURE: Can click to expand hidden posts to see the good stuff!
2014-06-20 17:06:44 -04:00
end
further optimize raw email feature
2014-10-17 15:18:29 -04:00
def raw_email
UX: display text & html parts alongside raw email in incoming email modal
2017-03-08 17:15:42 -05:00
params.require(:id)
FIX: staff members should be able to see raw email of deleted posts
2016-08-01 17:55:22 -04:00
post = Post.unscoped.find(params[:id].to_i)
FIX: users can see the raw email source of their own posts
2014-11-12 08:49:42 -05:00
guardian.ensure_can_view_raw_email!(post)
UX: display text & html parts alongside raw email in incoming email modal
2017-03-08 17:15:42 -05:00
text, html = Email.extract_parts(post.raw_email)
render json: { raw_email: post.raw_email, text_part: text, html_part: html }
further optimize raw email feature
2014-10-17 15:18:29 -04:00
end
track incoming links, amend share link to include user fix pm styling
2013-04-24 04:05:35 -04:00
def short_link
post = Post.find(params[:post_id].to_i)
Fix /p/post/user route not saving referrals Make user id optional for /p/id/uid Add /posts/id/raw route for debugging failed post processing
2014-07-11 17:34:26 -04:00
# Stuff the user in the request object, because that's what IncomingLink wants
if params[:user_id]
user = User.find(params[:user_id].to_i)
request['u'] = user.username_lower if user
end
SECURITY: Don't leak topic title in the redirect
2015-02-04 14:49:05 -05:00
guardian.ensure_can_see!(post)
FIX: post short link on subfolder installs
2016-11-01 15:20:04 -04:00
redirect_to path(post.url)
track incoming links, amend share link to include user fix pm styling
2013-04-24 04:05:35 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
def create
`NewPostManager` determines whether to queue a post or not
2015-03-31 12:58:56 -04:00
@manager_params = create_params
FEATURE: min_first_post_typing_time If a user spends less than 3 seconds typing first post they will automatically enter the approval queue
2015-08-03 20:55:59 -04:00
@manager_params[:first_post_checks] = !is_api?
`NewPostManager` determines whether to queue a post or not
2015-03-31 12:58:56 -04:00
manager = NewPostManager.new(current_user, @manager_params)
Initial release of Discourse
2013-02-05 14:16:51 -05:00
`NewPostManager` determines whether to queue a post or not
2015-03-31 12:58:56 -04:00
if is_api?
memoized_payload = DistributedMemoizer.memoize(signature_for(@manager_params), 120) do
result = manager.perform
MultiJson.dump(serialize_data(result, NewPostResultSerializer, root: false))
end
FIX: dupe protection is API only now make optional later on (was introduced for wordpress plugin)
2014-07-14 01:59:58 -04:00
`NewPostManager` determines whether to queue a post or not
2015-03-31 12:58:56 -04:00
parsed_payload = JSON.parse(memoized_payload)
backwards_compatible_json(parsed_payload, parsed_payload['success'])
FIX: dupe protection is API only now make optional later on (was introduced for wordpress plugin)
2014-07-14 01:59:58 -04:00
else
`NewPostManager` determines whether to queue a post or not
2015-03-31 12:58:56 -04:00
result = manager.perform
json = serialize_data(result, NewPostResultSerializer, root: false)
backwards_compatible_json(json, result.success?)
FIX: dupe protection is API only now make optional later on (was introduced for wordpress plugin)
2014-07-14 01:59:58 -04:00
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
def update
Enabled strong_parameters across all models/controllers. All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that. The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method. It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
2013-06-06 03:14:32 -04:00
params.require(:post)
Fix all the trailing whitespace
2013-02-07 10:45:24 -05:00
BUGFIX: staff can now edit delted posts fixes #1343 This was way easier than mucking with the UI
2014-01-06 02:12:51 -05:00
post = Post.where(id: params[:id])
post = post.with_deleted if guardian.is_staff?
post = post.first
FIX: Staff was getting 500 when editing post in deleted topic
2015-11-13 11:35:04 -05:00
raise Discourse::NotFound if post.blank?
Can edit category descriptions, they show up in a `title` attribute
2013-02-21 18:09:56 -05:00
post.image_sizes = params[:image_sizes] if params[:image_sizes].present?
Add post_edit_time_limit site setting to limit the how long a post can be edited and deleted by the author. Default is 1 year.
2014-01-07 10:32:09 -05:00
DEV: Prefer `public_send` over `send`.
2019-05-06 21:27:05 -04:00
if !guardian.public_send("can_edit?", post) &&
post.user_id == current_user.id &&
FEATURE: New post editing period for >= tl2 users (#8070) * FEATURE: Add tl2 threshold for editing new posts * Adds a new setting and for tl2 editing posts (30 days same as old value) * Sets the tl0/tl1 editing period as 1 day * FIX: Spec uses wrong setting * Fix site setting on guardian spec * FIX: post editing period specs * Avoid shared examples * Use update_columns to avoid callbacks on user during tests
2019-09-06 07:44:12 -04:00
post.edit_time_limit_expired?(current_user)
DEV: Prefer `public_send` over `send`.
2019-05-06 21:27:05 -04:00
UX: Warn users if the post that's currently edited has changed. (#6498)
2018-10-17 09:35:32 -04:00
return render_json_error(I18n.t('too_late_to_edit'))
Add post_edit_time_limit site setting to limit the how long a post can be edited and deleted by the author. Default is 1 year.
2014-01-07 10:32:09 -05:00
end
Can edit category descriptions, they show up in a `title` attribute
2013-02-21 18:09:56 -05:00
guardian.ensure_can_edit!(post)
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
changes = {
raw: params[:post][:raw],
edit_reason: params[:post][:edit_reason]
}
match the create api with the update api ... so api is more consistent
2013-03-27 02:49:23 -04:00
UX: Warn users if the post that's currently edited has changed. (#6498)
2018-10-17 09:35:32 -04:00
raw_old = params[:post][:raw_old]
if raw_old.present? && raw_old != post.raw
return render_json_error(I18n.t('edit_conflict'), status: 409)
end
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
# to stay consistent with the create api, we allow for title & category changes here
- FEATURE: revamped poll plugin - add User.staff scope - inject MessageBus into Ember views (so it can be used by the poll plugin) - REFACTOR: use more accurate is_first_post? method instead of post_number == 1 - FEATURE: add support for JSON-typed custom fields - FEATURE: allow plugins to add validation - FEATURE: add post_custom_fields to PostSerializer - FEATURE: allow plugins to whitelist post_custom_fields - FIX: don't bump when post did not save successfully - FEATURE: polls are supported in any post - FEATURE: allow for multiple polls in the same post - FEATURE: multiple choice polls - FEATURE: rating polls - FEATURE: new dialect allowing users to preview polls in the composer
2015-04-23 13:33:29 -04:00
if post.is_first_post?
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
changes[:title] = params[:title] if params[:title]
changes[:category_id] = params[:post][:category_id] if params[:post][:category_id]
SECURITY: ensure users have permission when moving categories
2018-03-01 20:13:04 -05:00
if changes[:category_id] && changes[:category_id].to_i != post.topic.category_id.to_i
category = Category.find_by(id: changes[:category_id])
if category || (changes[:category_id].to_i == 0)
FEATURE: per-category approval settings (#5778) - disallow moving topics to a category that requires topic approval
2018-07-12 22:51:08 -04:00
guardian.ensure_can_move_topic_to_category!(category)
SECURITY: ensure users have permission when moving categories
2018-03-01 20:13:04 -05:00
else
return render_json_error(I18n.t('category.errors.not_found'))
end
end
match the create api with the update api ... so api is more consistent
2013-03-27 02:49:23 -04:00
end
FIX: Moderation actions can have their messages removed
2015-07-28 16:58:56 -04:00
# We don't need to validate edits to small action posts by staff
opts = {}
if post.post_type == Post.types[:small_action] && current_user.staff?
opts[:skip_validations] = true
end
FIX: Staff was getting 500 when editing post in deleted topic
2015-11-13 11:35:04 -05:00
topic = post.topic
topic = Topic.with_deleted.find(post.topic_id) if guardian.is_staff?
revisor = PostRevisor.new(post, topic)
FIX: move topic links and quoted posts extraction to the PostRevisor
2015-08-14 13:33:32 -04:00
revisor.revise!(current_user, changes, opts)
Initial release of Discourse
2013-02-05 14:16:51 -05:00
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
return render_json_error(post) if post.errors.present?
FIX: Staff was getting 500 when editing post in deleted topic
2015-11-13 11:35:04 -05:00
return render_json_error(topic) if topic.errors.present?
Initial release of Discourse
2013-02-05 14:16:51 -05:00
Can edit category descriptions, they show up in a `title` attribute
2013-02-21 18:09:56 -05:00
post_serializer = PostSerializer.new(post, scope: guardian, root: false)
FIX: Staff was getting 500 when editing post in deleted topic
2015-11-13 11:35:04 -05:00
post_serializer.draft_sequence = DraftSequence.current(current_user, topic.draft_key)
link_counts = TopicLink.counts_for(guardian, topic, [post])
Can edit category descriptions, they show up in a `title` attribute
2013-02-21 18:09:56 -05:00
post_serializer.single_post_link_counts = link_counts[post.id] if link_counts.present?
- FEATURE: revamped poll plugin - add User.staff scope - inject MessageBus into Ember views (so it can be used by the poll plugin) - REFACTOR: use more accurate is_first_post? method instead of post_number == 1 - FEATURE: add support for JSON-typed custom fields - FEATURE: allow plugins to add validation - FEATURE: add post_custom_fields to PostSerializer - FEATURE: allow plugins to whitelist post_custom_fields - FIX: don't bump when post did not save successfully - FEATURE: polls are supported in any post - FEATURE: allow for multiple polls in the same post - FEATURE: multiple choice polls - FEATURE: rating polls - FEATURE: new dialect allowing users to preview polls in the composer
2015-04-23 13:33:29 -04:00
result = { post: post_serializer.as_json }
Can edit category descriptions, they show up in a `title` attribute
2013-02-21 18:09:56 -05:00
if revisor.category_changed.present?
UI still a tad rough, but we have a first pass of secure categories
2013-05-10 02:47:47 -04:00
result[:category] = BasicCategorySerializer.new(revisor.category_changed, scope: guardian, root: false).as_json
Can edit category descriptions, they show up in a `title` attribute
2013-02-21 18:09:56 -05:00
end
render_json_dump(result)
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
better revision history
2013-12-11 21:41:34 -05:00
def show
Removes unnecessary instance vars.
2014-02-24 12:03:29 -05:00
post = find_post_from_params
display_post(post)
better revision history
2013-12-11 21:41:34 -05:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
def by_number
Removes unnecessary instance vars.
2014-02-24 12:03:29 -05:00
post = find_post_from_params_by_number
display_post(post)
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: allows to jump to a date in a topic
2018-07-19 10:00:13 -04:00
def by_date
post = find_post_from_params_by_date
display_post(post)
end
Show the entire history of replies above a post when you expend "in reply to"
2013-08-06 17:42:36 -04:00
def reply_history
Adds tests for PostsController#replies.
2014-02-20 11:38:13 -05:00
post = find_post_from_params
FEATURE: Allow expanded posts to return user custom fields
2018-11-13 12:16:50 -05:00
reply_history = post.reply_history(params[:max_replies].to_i, guardian)
user_custom_fields = {}
if (added_fields = User.whitelisted_user_custom_fields(guardian)).present?
user_custom_fields = User.custom_fields_for_ids(reply_history.pluck(:user_id), added_fields)
end
render_serialized(
reply_history,
PostSerializer,
user_custom_fields: user_custom_fields
)
Show the entire history of replies above a post when you expend "in reply to"
2013-08-06 17:42:36 -04:00
end
FEATURE: Added 'select +below' and 'select +all replies' options to selecting posts
2017-12-13 16:12:06 -05:00
def reply_ids
post = find_post_from_params
render json: post.reply_ids(guardian).to_json
end
FEATURE: Add option to delete all replies of flagged post
2018-04-20 17:05:51 -04:00
def all_reply_ids
post = find_post_from_params
render json: post.reply_ids(guardian, only_replies_to_single_post: false).to_json
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
def destroy
Can edit deleted posts.
2013-02-08 17:49:15 -05:00
post = find_post_from_params
FEATURE: rate limit post deletions to 50 per day
2018-06-28 07:08:58 -04:00
unless current_user.staff?
FIX: post deletions rate limit per day was not working
2018-06-28 09:51:27 -04:00
RateLimiter.new(current_user, "delete_post_per_min", SiteSetting.max_post_deletions_per_minute, 1.minute).performed!
RateLimiter.new(current_user, "delete_post_per_day", SiteSetting.max_post_deletions_per_day, 1.day).performed!
FEATURE: rate limit post deletions to 50 per day
2018-06-28 07:08:58 -04:00
end
Add post_edit_time_limit site setting to limit the how long a post can be edited and deleted by the author. Default is 1 year.
2014-01-07 10:32:09 -05:00
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
guardian.ensure_can_delete!(post)
PostDestroyer to replace callbacks for destroying
2013-03-18 17:52:29 -04:00
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
destroyer = PostDestroyer.new(current_user, post, context: params[:context])
PostDestroyer to replace callbacks for destroying
2013-03-18 17:52:29 -04:00
destroyer.destroy
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
render body: nil
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
end
Interface for expanding OP contents
2014-04-01 17:45:16 -04:00
def expand_embed
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
render json: { cooked: TopicEmbed.expanded_for(find_post_from_params) }
Adds better reusable error message support. Added to fetching remote posts. /cc @riking
2014-04-02 13:22:10 -04:00
rescue
render_json_error I18n.t('errors.embed.load_from_remote')
Interface for expanding OP contents
2014-04-01 17:45:16 -04:00
end
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
def recover
Can edit deleted posts.
2013-02-08 17:49:15 -05:00
post = find_post_from_params
FIX: post deletions rate limit per day was not working
2018-06-28 09:51:27 -04:00
unless current_user.staff?
RateLimiter.new(current_user, "delete_post_per_min", SiteSetting.max_post_deletions_per_minute, 1.minute).performed!
RateLimiter.new(current_user, "delete_post_per_day", SiteSetting.max_post_deletions_per_day, 1.day).performed!
end
Give regular users a delete button. If they click it, their post will be revised to say it was deleted.
2013-02-07 15:12:55 -05:00
guardian.ensure_can_recover_post!(post)
allow end user to recover a post they delete automatically delete stubs after 1 day
2013-07-22 03:48:24 -04:00
destroyer = PostDestroyer.new(current_user, post)
destroyer.recover
post.reload
FIX: Recovering a deleted post was not updating a topic's statistics
2013-07-09 12:15:55 -04:00
allow end user to recover a post they delete automatically delete stubs after 1 day
2013-07-22 03:48:24 -04:00
render_post_json(post)
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
def destroy_many
Enabled strong_parameters across all models/controllers. All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that. The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method. It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
2013-06-06 03:14:32 -04:00
params.require(:post_ids)
FEATURE: defer flags when deleting child replies (#7111)
2019-03-06 04:02:25 -05:00
agree_with_first_reply_flag = (params[:agree_with_first_reply_flag] || true).to_s == "true"
Initial release of Discourse
2013-02-05 14:16:51 -05:00
FIX: Guarantee order to correctly defer replies in review queue (#8426) Our code used to approve the first flagged post and ignore the rest in some specific conditions.
2019-12-03 02:39:10 -05:00
posts = Post.where(id: post_ids_including_replies).order(:id)
Initial release of Discourse
2013-02-05 14:16:51 -05:00
raise Discourse::InvalidParameters.new(:post_ids) if posts.blank?
# Make sure we can delete the posts
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
posts.each { |p| guardian.ensure_can_delete!(p) }
Initial release of Discourse
2013-02-05 14:16:51 -05:00
Post.transaction do
FEATURE: defer flags when deleting child replies (#7111)
2019-03-06 04:02:25 -05:00
posts.each_with_index do |p, i|
PostDestroyer.new(current_user, p, defer_flags: !(agree_with_first_reply_flag && i == 0)).destroy
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
render body: nil
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: Allow staff users to merge posts.
2016-03-21 19:31:56 -04:00
def merge_posts
params.require(:post_ids)
posts = Post.where(id: params[:post_ids]).order(:id)
raise Discourse::InvalidParameters.new(:post_ids) if posts.pluck(:id) == params[:post_ids]
PostMerger.new(current_user, posts).merge
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
render body: nil
FEATURE: Allow staff users to merge posts.
2016-03-21 19:31:56 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
# Direct replies to this post
def replies
Can edit deleted posts.
2013-02-08 17:49:15 -05:00
post = find_post_from_params
FIX: whispers should not be revealed in reply to, or reply expansion FEATURE: mark whisper as experimental FIX: badges should never apply to whispers
2015-09-24 20:15:58 -04:00
replies = post.replies.secured(guardian)
FEATURE: Allow expanded posts to return user custom fields
2018-11-13 12:16:50 -05:00
user_custom_fields = {}
if (added_fields = User.whitelisted_user_custom_fields(guardian)).present?
user_custom_fields = User.custom_fields_for_ids(replies.pluck(:user_id), added_fields)
end
render_serialized(replies, PostSerializer, user_custom_fields: user_custom_fields)
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
better revision history
2013-12-11 21:41:34 -05:00
def revisions
FIX: Do not leak information about post revisions. (#6536)
2018-10-31 10:47:00 -04:00
post = find_post_from_params
raise Discourse::NotFound if post.hidden && !guardian.can_view_hidden_post_revisions?
better revision history
2013-12-11 21:41:34 -05:00
post_revision = find_post_revision_from_params
post_revision_serializer = PostRevisionSerializer.new(post_revision, scope: guardian, root: false)
render_json_dump(post_revision_serializer)
end
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
def latest_revision
FIX: Do not leak information about post revisions. (#6536)
2018-10-31 10:47:00 -04:00
post = find_post_from_params
raise Discourse::NotFound if post.hidden && !guardian.can_view_hidden_post_revisions?
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
post_revision = find_latest_post_revision_from_params
post_revision_serializer = PostRevisionSerializer.new(post_revision, scope: guardian, root: false)
render_json_dump(post_revision_serializer)
end
FEATURE: ability to hide or show specific post revisions
2014-10-13 04:18:49 -04:00
def hide_revision
post_revision = find_post_revision_from_params
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
guardian.ensure_can_hide_post_revision!(post_revision)
FEATURE: ability to hide or show specific post revisions
2014-10-13 04:18:49 -04:00
post_revision.hide!
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
post = find_post_from_params
post.public_version -= 1
post.save
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
render body: nil
FEATURE: ability to hide or show specific post revisions
2014-10-13 04:18:49 -04:00
end
def show_revision
post_revision = find_post_revision_from_params
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
guardian.ensure_can_show_post_revision!(post_revision)
FEATURE: ability to hide or show specific post revisions
2014-10-13 04:18:49 -04:00
post_revision.show!
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
post = find_post_from_params
post.public_version += 1
post.save
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
render body: nil
FEATURE: ability to hide or show specific post revisions
2014-10-13 04:18:49 -04:00
end
FEATURE: revert post to a specific revision
2016-03-09 10:40:49 -05:00
def revert
raise Discourse::NotFound unless guardian.is_staff?
post_id = params[:id] || params[:post_id]
revision = params[:revision].to_i
raise Discourse::InvalidParameters.new(:revision) if revision < 2
post_revision = PostRevision.find_by(post_id: post_id, number: revision)
raise Discourse::NotFound unless post_revision
post = find_post_from_params
raise Discourse::NotFound if post.blank?
post_revision.post = post
guardian.ensure_can_see!(post_revision)
guardian.ensure_can_edit!(post)
return render_json_error(I18n.t('revert_version_same')) if post_revision.modifications["raw"].blank? && post_revision.modifications["title"].blank? && post_revision.modifications["category_id"].blank?
topic = Topic.with_deleted.find(post.topic_id)
changes = {}
changes[:raw] = post_revision.modifications["raw"][0] if post_revision.modifications["raw"].present? && post_revision.modifications["raw"][0] != post.raw
if post.is_first_post?
changes[:title] = post_revision.modifications["title"][0] if post_revision.modifications["title"].present? && post_revision.modifications["title"][0] != topic.title
changes[:category_id] = post_revision.modifications["category_id"][0] if post_revision.modifications["category_id"].present? && post_revision.modifications["category_id"][0] != topic.category.id
end
return render_json_error(I18n.t('revert_version_same')) unless changes.length > 0
changes[:edit_reason] = "reverted to version ##{post_revision.number.to_i - 1}"
revisor = PostRevisor.new(post, topic)
revisor.revise!(current_user, changes)
return render_json_error(post) if post.errors.present?
return render_json_error(topic) if topic.errors.present?
post_serializer = PostSerializer.new(post, scope: guardian, root: false)
post_serializer.draft_sequence = DraftSequence.current(current_user, topic.draft_key)
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
FEATURE: revert post to a specific revision
2016-03-09 10:40:49 -05:00
link_counts = TopicLink.counts_for(guardian, topic, [post])
post_serializer.single_post_link_counts = link_counts[post.id] if link_counts.present?
result = { post: post_serializer.as_json }
if post.is_first_post?
result[:topic] = BasicTopicSerializer.new(topic, scope: guardian, root: false).as_json if post_revision.modifications["title"].present?
result[:category_id] = post_revision.modifications["category_id"][0] if post_revision.modifications["category_id"].present?
end
render_json_dump(result)
end
FEATURE: Staff members can lock posts Locking a post prevents it from being edited. This is useful if the user has posted something which has been edited out, and the staff members don't want them to be able to edit it back in again.
2018-01-25 15:38:40 -05:00
def locked
post = find_post_from_params
locker = PostLocker.new(post, current_user)
params[:locked] === "true" ? locker.lock : locker.unlock
render_json_dump(locked: post.locked?)
end
FEATURE: Let staff add custom post notices. (#7377)
2019-04-19 10:53:58 -04:00
def notice
raise Discourse::NotFound unless guardian.is_staff?
post = find_post_from_params
if params[:notice].present?
DEV: Replace magic values (#8398) Follow-up to 35942f7c7c9510161c42018543ac609254dafdbd.
2019-11-25 07:32:19 -05:00
post.custom_fields[Post::NOTICE_TYPE] = Post.notices[:custom]
post.custom_fields[Post::NOTICE_ARGS] = PrettyText.cook(params[:notice], features: { onebox: false })
FEATURE: Let staff add custom post notices. (#7377)
2019-04-19 10:53:58 -04:00
post.save_custom_fields
else
post.delete_post_notices
end
render body: nil
end
Improving bookmarks part 1 (#8466) Note: All of this functionality is hidden behind a hidden, default false, site setting called `enable_bookmarks_with_reminders`. Also, any feedback on Ember code would be greatly appreciated! This is part 1 of the bookmark improvements. The next PR will address the backend logic to send reminder notifications for bookmarked posts to users. This PR adds the following functionality: * We are adding a new `bookmarks` table and `Bookmark` model to make the bookmarks a first-class citizen and to allow attaching reminders to them. * Posts now have a new button in their actions menu that has the icon of an actual book * Clicking the button opens the new bookmark modal. * Both name and the reminder type are optional. * If you close the modal without doing anything, the bookmark is saved with no reminder. * If you click the Cancel button, no bookmark is saved at all. * All of the reminder type tiles are dynamic and the times they show will be based on your user timezone set in your profile (this should already be set for you). * If for some reason a user does not have their timezone set they will not be able to set a reminder, but they will still be able to create a bookmark. * A bookmark can be deleted by clicking on the book icon again which will be red if the post is bookmarked. This PR does NOT do anything to migrate or change existing bookmarks in the form of `PostActions`, the two features live side-by-side here. Also this does nothing to the topic bookmarking.
2019-12-10 23:04:02 -05:00
def destroy_bookmark
params.require(:post_id)
FEATURE: Edit bookmark reminders from post and explicit delete button (#9455) There is now an explicit "Delete Bookmark" button in the edit modal. A confirmation is shown before deleting. Along with this, when the bookmarked post icon is clicked the modal is now shown instead of just deleting the bookmark. Also, the "Delete Bookmark" button from the user bookmark list now confirms the action. Add a `d d` shortcut in the modal to delete the bookmark.
2020-04-19 23:30:04 -04:00
bookmark_id = Bookmark.where(post_id: params[:post_id], user_id: current_user.id).pluck_first(:id)
result = BookmarkManager.new(current_user).destroy(bookmark_id)
FEATURE: Allow custom date + time for bookmark reminders (#9185) A custom date and time can now be selected for a bookmark reminder The reminder will not happen at the exact time but rather at the next 5 minute interval of the bookmark reminder schedule. This PR also fixes issues with bulk deleting topic bookmarks.
2020-03-11 20:52:15 -04:00
FEATURE: Edit bookmark reminders from post and explicit delete button (#9455) There is now an explicit "Delete Bookmark" button in the edit modal. A confirmation is shown before deleting. Along with this, when the bookmarked post icon is clicked the modal is now shown instead of just deleting the bookmark. Also, the "Delete Bookmark" button from the user bookmark list now confirms the action. Add a `d d` shortcut in the modal to delete the bookmark.
2020-04-19 23:30:04 -04:00
render json: success_json.merge(result)
Improving bookmarks part 1 (#8466) Note: All of this functionality is hidden behind a hidden, default false, site setting called `enable_bookmarks_with_reminders`. Also, any feedback on Ember code would be greatly appreciated! This is part 1 of the bookmark improvements. The next PR will address the backend logic to send reminder notifications for bookmarked posts to users. This PR adds the following functionality: * We are adding a new `bookmarks` table and `Bookmark` model to make the bookmarks a first-class citizen and to allow attaching reminders to them. * Posts now have a new button in their actions menu that has the icon of an actual book * Clicking the button opens the new bookmark modal. * Both name and the reminder type are optional. * If you close the modal without doing anything, the bookmark is saved with no reminder. * If you click the Cancel button, no bookmark is saved at all. * All of the reminder type tiles are dynamic and the times they show will be based on your user timezone set in your profile (this should already be set for you). * If for some reason a user does not have their timezone set they will not be able to set a reminder, but they will still be able to create a bookmark. * A bookmark can be deleted by clicking on the book icon again which will be red if the post is bookmarked. This PR does NOT do anything to migrate or change existing bookmarks in the form of `PostActions`, the two features live side-by-side here. Also this does nothing to the topic bookmarking.
2019-12-10 23:04:02 -05:00
end
Wiki Post
2014-05-13 08:53:11 -04:00
def wiki
post = find_post_from_params
FEATURE: allow users to wikify their own posts based on trust level
2016-01-11 10:26:00 -05:00
guardian.ensure_can_wiki!(post)
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
post.revise(current_user, wiki: params[:wiki])
Wiki Post
2014-05-13 08:53:11 -04:00
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
render body: nil
Wiki Post
2014-05-13 08:53:11 -04:00
end
FEATURE: add new 'convert to staff message' in post wrench menu
2014-09-10 17:08:33 -04:00
def post_type
guardian.ensure_can_change_post_type!
post = find_post_from_params
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
post.revise(current_user, post_type: params[:post_type].to_i)
FEATURE: add new 'convert to staff message' in post wrench menu
2014-09-10 17:08:33 -04:00
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
render body: nil
FEATURE: add new 'convert to staff message' in post wrench menu
2014-09-10 17:08:33 -04:00
end
FEATURE: add 'rebake post' in post wrench menu
2014-09-11 10:04:40 -04:00
def rebake
guardian.ensure_can_rebake!
post = find_post_from_params
FEATURE: Invalidate broken images cache on Rebuild HTML action
2018-12-26 12:52:07 -05:00
post.rebake!(invalidate_oneboxes: true, invalidate_broken_images: true)
FEATURE: add 'rebake post' in post wrench menu
2014-09-11 10:04:40 -04:00
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
render body: nil
FEATURE: add 'rebake post' in post wrench menu
2014-09-11 10:04:40 -04:00
end
FEATURE: staff option to unhide a post
2014-09-22 12:55:13 -04:00
def unhide
post = find_post_from_params
guardian.ensure_can_unhide!(post)
post.unhide!
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
render body: nil
FEATURE: staff option to unhide a post
2014-09-22 12:55:13 -04:00
end
FEATURE: show the user's flagged/deleted posts
2014-07-16 15:04:55 -04:00
def flagged_posts
params.permit(:offset, :limit)
guardian.ensure_can_see_flagged_posts!
user = fetch_user_from_params
offset = [params[:offset].to_i, 0].max
limit = [(params[:limit] || 60).to_i, 100].min
FIX: Moderators shouldn't be able to see secure deleted posts
2015-04-13 11:48:31 -04:00
posts = user_posts(guardian, user.id, offset: offset, limit: limit)
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
.where(id: PostAction.where(post_action_type_id: PostActionType.notify_flag_type_ids)
FIX: only show agreed abd deferred flags on user's profile
2014-10-09 10:10:16 -04:00
.where(disagreed_at: nil)
FEATURE: show the user's flagged/deleted posts
2014-07-16 15:04:55 -04:00
.select(:post_id))
REFACTOR: Merge different templates from rendering user stream items
2017-06-20 14:41:41 -04:00
render_serialized(posts, AdminUserActionSerializer)
FEATURE: show the user's flagged/deleted posts
2014-07-16 15:04:55 -04:00
end
def deleted_posts
params.permit(:offset, :limit)
guardian.ensure_can_see_deleted_posts!
user = fetch_user_from_params
offset = [params[:offset].to_i, 0].max
limit = [(params[:limit] || 60).to_i, 100].min
FIX: Moderators shouldn't be able to see secure deleted posts
2015-04-13 11:48:31 -04:00
posts = user_posts(guardian, user.id, offset: offset, limit: limit).where.not(deleted_at: nil)
FEATURE: show the user's flagged/deleted posts
2014-07-16 15:04:55 -04:00
REFACTOR: Merge different templates from rendering user stream items
2017-06-20 14:41:41 -04:00
render_serialized(posts, AdminUserActionSerializer)
FEATURE: show the user's flagged/deleted posts
2014-07-16 15:04:55 -04:00
end
Can edit deleted posts.
2013-02-08 17:49:15 -05:00
protected
`NewPostManager` determines whether to queue a post or not
2015-03-31 12:58:56 -04:00
# We can't break the API for making posts. The new, queue supporting API
# doesn't return the post as the root JSON object, but as a nested object.
# If a param is present it uses that result structure.
def backwards_compatible_json(json_obj, success)
Convert `Discourse.Post` to ES6 and use Store model - Includes acceptance tests for composer (post, edit) - Supports acceptance testing of bootbox
2015-04-01 14:18:46 -04:00
json_obj.symbolize_keys!
FEATURE: min_first_post_typing_time If a user spends less than 3 seconds typing first post they will automatically enter the approval queue
2015-08-03 20:55:59 -04:00
if params[:nested_post].blank? && json_obj[:errors].blank? && json_obj[:action] != :enqueued
Convert `Discourse.Post` to ES6 and use Store model - Includes acceptance tests for composer (post, edit) - Supports acceptance testing of bootbox
2015-04-01 14:18:46 -04:00
json_obj = json_obj[:post]
end
SECURITY: don't grant same privileges to user_api and api access User API is no longer gets bypasses that standard API gets. Only bypasses are CSRF and XHR requirements.
2016-12-15 20:05:20 -05:00
if !success && GlobalSetting.try(:verbose_api_logging) && (is_api? || is_user_api?)
Option for verbose logging when API calls to create posts fail
2016-04-12 12:10:23 -04:00
Rails.logger.error "Error creating post via API:\n\n#{json_obj.inspect}"
end
`NewPostManager` determines whether to queue a post or not
2015-03-31 12:58:56 -04:00
render json: json_obj, status: (!!success) ? 200 : 422
end
better revision history
2013-12-11 21:41:34 -05:00
def find_post_revision_from_params
post_id = params[:id] || params[:post_id]
revision = params[:revision].to_i
raise Discourse::InvalidParameters.new(:revision) if revision < 2
Perform the where(...).first to find_by(...) refactoring. This refactoring was automated using the command: bundle exec "ruby refactorings/where_dot_first_to_find_by/app.rb"
2014-05-06 09:41:59 -04:00
post_revision = PostRevision.find_by(post_id: post_id, number: revision)
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
raise Discourse::NotFound unless post_revision
BUGFIX: history link doesn't work on deleted posts
2014-02-04 14:05:50 -05:00
post_revision.post = find_post_from_params
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
guardian.ensure_can_see!(post_revision)
BUGFIX: history link doesn't work on deleted posts
2014-02-04 14:05:50 -05:00
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
post_revision
end
def find_latest_post_revision_from_params
post_id = params[:id] || params[:post_id]
finder = PostRevision.where(post_id: post_id).order(:number)
finder = finder.where(hidden: false) unless guardian.is_staff?
post_revision = finder.last
raise Discourse::NotFound unless post_revision
post_revision.post = find_post_from_params
better revision history
2013-12-11 21:41:34 -05:00
guardian.ensure_can_see!(post_revision)
LOTS of changes to properly handle post/topic revisions FIX: history revision can now properly be hidden FIX: PostRevision serializer is now entirely dynamic to properly handle hidden revisions FIX: default history modal to "side by side" view on mobile FIX: properly hiden which revision has been hidden UX: inline category/user/wiki/post_type changes with the revision details FEATURE: new '/posts/:post_id/revisions/latest' endpoint to retrieve latest revision UX: do not show the hide/show revision button on mobile (no room for them) UX: remove CSS transitions on the buttons in the history modal FIX: PostRevisor now handles all the changes that might create new revisions FIX: PostRevision.ensure_consistency! was wrong due to off by 1 mistake... refactored topic's callbacks for better readability extracted 'PostRevisionGuardian'
2014-10-27 17:06:43 -04:00
better revision history
2013-12-11 21:41:34 -05:00
post_revision
end
All parameters for #create in PostsController pass through strong_parameters. We are now explicitly whitelisting all parameters for Post creation. A nice side-effect is that it cleans up the #create action in PostsController. We can now trust that all parameters entering PostCreator are of a safe scalar type.
2013-06-07 03:52:03 -04:00
FEATURE: support linking to a specific revision of a topic/post
2015-10-19 05:01:29 -04:00
def find_post_revision_from_topic_id
post = Post.find_by(topic_id: params[:topic_id].to_i, post_number: (params[:post_number] || 1).to_i)
raise Discourse::NotFound unless guardian.can_see?(post)
revision = params[:revision].to_i
raise Discourse::NotFound if revision < 2
post_revision = PostRevision.find_by(post_id: post.id, number: revision)
raise Discourse::NotFound unless post_revision
post_revision.post = post
guardian.ensure_can_see!(post_revision)
post_revision
end
All parameters for #create in PostsController pass through strong_parameters. We are now explicitly whitelisting all parameters for Post creation. A nice side-effect is that it cleans up the #create action in PostsController. We can now trust that all parameters entering PostCreator are of a safe scalar type.
2013-06-07 03:52:03 -04:00
private
FIX: Moderators shouldn't be able to see secure deleted posts
2015-04-13 11:48:31 -04:00
def user_posts(guardian, user_id, opts)
posts = Post.includes(:user, :topic, :deleted_by, :user_actions)
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
.where(user_id: user_id)
.with_deleted
.order(created_at: :desc)
FIX: Moderators shouldn't be able to see secure deleted posts
2015-04-13 11:48:31 -04:00
if guardian.user.moderator?
# Awful hack, but you can't seem to remove the `default_scope` when joining
# So instead I grab the topics separately
topic_ids = posts.dup.pluck(:topic_id)
topics = Topic.where(id: topic_ids).with_deleted.where.not(archetype: 'private_message')
topics = topics.secured(guardian)
posts = posts.where(topic_id: topics.pluck(:id))
end
posts.offset(opts[:offset])
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
.limit(opts[:limit])
FEATURE: show the user's flagged/deleted posts
2014-07-16 15:04:55 -04:00
end
better revision history
2013-12-11 21:41:34 -05:00
def create_params
permitted = [
:raw,
:topic_id,
:archetype,
:category,
Rename 'target usernames' with 'target recipients' in Composer (#8606) * Reapply "Rename 'target usernames' with 'target recipients' in Composer" This reverts commit 9fe11d0fc33850d46d4e1261ba6f66f187652613 which reverted ebb288dc2cec966fd26ee46f10e1e4d8a596ba5a. * DEV: Add test for replying to PM
2020-01-07 08:33:48 -05:00
# TODO remove together with 'targetUsername' deprecations
better revision history
2013-12-11 21:41:34 -05:00
:target_usernames,
Rename 'target usernames' with 'target recipients' in Composer (#8606) * Reapply "Rename 'target usernames' with 'target recipients' in Composer" This reverts commit 9fe11d0fc33850d46d4e1261ba6f66f187652613 which reverted ebb288dc2cec966fd26ee46f10e1e4d8a596ba5a. * DEV: Add test for replying to PM
2020-01-07 08:33:48 -05:00
:target_recipients,
better revision history
2013-12-11 21:41:34 -05:00
:reply_to_post_number,
FEATURE: track statistics around post creation - how long were people typing? - how long was composer open? - how many drafts were created? - correct, draft saved to go away after you continue typing store in Post.find(xyz).post_stat
2015-08-03 00:29:04 -04:00
:auto_track,
:typing_duration_msecs,
Allow an (optional) post-creation time to be submitted. (#4205) * Allow an (optional) post-creation time to be submitted. This should allow a new post to be created with an initial date/time specified by the caller, which will be useful for people writing importers.. * Only allow `created_at` to be submitted via the API. This addresses the previous concern.
2016-05-22 04:54:03 -04:00
:composer_open_duration_msecs,
FIX: draft not clearing when replying to new topic This amends our API so we provide it with the draft key when saving a post this means post creator can clean up the draft consistently even if we are doing fancy stuff like replying to a new topic or new pm or whatever. There will be some followup work to clean it up so client never calls destroy on draft during normal operation and the #create/#update endpoints takes care of it every time
2019-11-26 02:23:10 -05:00
:visible,
:draft_key
better revision history
2013-12-11 21:41:34 -05:00
]
FEATURE: Allow complex post params from plugin (#8598)
2019-12-20 11:37:12 -05:00
Post.plugin_permitted_create_params.each do |key, value|
if value[:plugin].enabled?
permitted << case value[:type]
when :string
key.to_sym
when :array
{ key => [] }
when :hash
{ key => {} }
end
end
Add 'Post.permitted_create_params' to allow plugins to add new params when creating a post
2017-08-11 22:10:45 -04:00
end
better revision history
2013-12-11 21:41:34 -05:00
# param munging for WordPress
params[:auto_track] = !(params[:auto_track].to_s == "false") if params[:auto_track]
FEATURE: Add toggle topic visibility button in popup menu.
2016-07-27 05:50:13 -04:00
params[:visible] = (params[:unlist_topic].to_s == "false") if params[:unlist_topic]
better revision history
2013-12-11 21:41:34 -05:00
missing spot where old api was used
2016-08-25 20:58:34 -04:00
if is_api?
better revision history
2013-12-11 21:41:34 -05:00
# php seems to be sending this incorrectly, don't fight with it
params[:skip_validations] = params[:skip_validations].to_s == "true"
permitted << :skip_validations
Support for creating embedded topics via API
2014-04-03 14:42:26 -04:00
Allow optional import_mode param for posts in api (#4952)
2017-08-17 07:53:04 -04:00
params[:import_mode] = params[:import_mode].to_s == "true"
permitted << :import_mode
Support for creating embedded topics via API
2014-04-03 14:42:26 -04:00
# We allow `embed_url` via the API
permitted << :embed_url
Allow an (optional) post-creation time to be submitted. (#4205) * Allow an (optional) post-creation time to be submitted. This should allow a new post to be created with an initial date/time specified by the caller, which will be useful for people writing importers.. * Only allow `created_at` to be submitted via the API. This addresses the previous concern.
2016-05-22 04:54:03 -04:00
# We allow `created_at` via the API
permitted << :created_at
better revision history
2013-12-11 21:41:34 -05:00
end
allow skipping the validations on creation if its an api call AND skip_validations is specified this allows wordpress plugin to post very very short titles or titles that would otherwise be disallowed
2013-07-01 22:22:56 -04:00
Revert "Revert "FEATURE: Can create warnings for users via PM"" This reverts commit 1c7559380c145136726028ae9f2aeea6f351eb78.
2014-09-08 11:11:56 -04:00
result = params.permit(*permitted).tap do |whitelisted|
whitelisted[:image_sizes] = params[:image_sizes]
# TODO this does not feel right, we should name what meta_data is allowed
whitelisted[:meta_data] = params[:meta_data]
end
# Staff are allowed to pass `is_warning`
if current_user.staff?
params.permit(:is_warning)
result[:is_warning] = (params[:is_warning] == "true")
`NewPostManager` determines whether to queue a post or not
2015-03-31 12:58:56 -04:00
else
result[:is_warning] = false
All parameters for #create in PostsController pass through strong_parameters. We are now explicitly whitelisting all parameters for Post creation. A nice side-effect is that it cleans up the #create action in PostsController. We can now trust that all parameters entering PostCreator are of a safe scalar type.
2013-06-07 03:52:03 -04:00
end
Revert "Revert "FEATURE: Can create warnings for users via PM"" This reverts commit 1c7559380c145136726028ae9f2aeea6f351eb78.
2014-09-08 11:11:56 -04:00
FEATURE: Allow admins to reply without topic bump
2018-08-09 20:48:30 -04:00
if params[:no_bump] == "true"
raise Discourse::InvalidParameters.new(:no_bump) unless guardian.can_skip_bump?
result[:no_bump] = true
end
FEATURE: Shared Drafts This feature can be enabled by choosing a destination for the `shared drafts category` site setting. * Staff members can create shared drafts, choosing a destination category for the topic when it is published. * Shared Drafts can be viewed in their category, or above the topic list for the destination category where it will end up. * When the shared draft is ready, it can be published to the appropriate category by clicking a button on the topic view. * When published, Drafts change their timestamps to the current time, and any edits to the original post are removed.
2018-03-13 15:59:12 -04:00
if params[:shared_draft] == 'true'
raise Discourse::InvalidParameters.new(:shared_draft) unless guardian.can_create_shared_draft?
result[:shared_draft] = true
end
FIX: return an error if a user tries to whisper This commit fixes a bug where a user creates a whisper post via the api but is posted as a regular message because they don't have access to whisper. Now a 403 unauthorized will be returned instead of the whisper param just being ignored for regular users. Staff users should not be affected by this change. https://meta.discourse.org/t/a-whisper-is-posted-as-a-message-if-the-user-is-not-staff-moderator-admin-when-using-the-api/116601
2019-05-07 13:34:15 -04:00
if params[:whisper] == "true"
raise Discourse::InvalidAccess.new("invalid_whisper_access", nil, custom_message: "invalid_whisper_access") unless guardian.can_create_whisper?
FEATURE: Whisper posts
2015-09-10 16:01:23 -04:00
result[:post_type] = Post.types[:whisper]
end
Replace Hash#keys.each with Hash#each_key for some perf boost
2015-04-18 07:53:53 -04:00
PostRevisor.tracked_topic_fields.each_key do |f|
Extensibility for tracking changes to a topic
2015-01-27 12:13:45 -05:00
params.permit(f => [])
result[f] = params[f] if params.has_key?(f)
end
A common, extensible interface for sending topic columns across the wire This allows plugins to specify topic columns to serialize and save in the database via the composer when creating topics and editing their first posts.
2015-01-06 14:53:12 -05:00
Add post parameters so plugins like akismet can use it for spam prevention.
2015-01-29 13:09:35 -05:00
# Stuff we can use in spam prevention plugins
result[:ip_address] = request.remote_ip
result[:user_agent] = request.user_agent
result[:referrer] = request.env["HTTP_REFERER"]
Rename 'target usernames' with 'target recipients' in Composer (#8606) * Reapply "Rename 'target usernames' with 'target recipients' in Composer" This reverts commit 9fe11d0fc33850d46d4e1261ba6f66f187652613 which reverted ebb288dc2cec966fd26ee46f10e1e4d8a596ba5a. * DEV: Add test for replying to PM
2020-01-07 08:33:48 -05:00
if recipients = result[:target_usernames]
Discourse.deprecate("`target_usernames` is deprecated, use `target_recipients` instead.", output_in_test: true)
else
recipients = result[:target_recipients]
end
if recipients
FIX: when creating new PM username/groupname should be case-insensitive (take 2) https://meta.discourse.org/t/case-sensitivity-in-links-to-groupname/147596 https://meta.discourse.org/t/remove-case-sensitive-in-adding-users-to-a-message/151275
2020-05-25 12:04:05 -04:00
recipients = recipients.split(",").map(&:downcase)
groups = Group.messageable(current_user).where('lower(name) in (?)', recipients).pluck('name')
Rename 'target usernames' with 'target recipients' in Composer (#8606) * Reapply "Rename 'target usernames' with 'target recipients' in Composer" This reverts commit 9fe11d0fc33850d46d4e1261ba6f66f187652613 which reverted ebb288dc2cec966fd26ee46f10e1e4d8a596ba5a. * DEV: Add test for replying to PM
2020-01-07 08:33:48 -05:00
recipients -= groups
emails = recipients.select { |user| user.match(/@/) }
recipients -= emails
result[:target_usernames] = recipients.join(",")
Support for sending PMs to email addresses (#4988) * Added support for sending PMs to email addresses. * Made changes after review. * Added settings validator. * Fixed tests.
2017-08-28 12:07:30 -04:00
result[:target_emails] = emails.join(",")
FEATURE: First class messages to groups, you can select a group as a target of a message
2015-12-01 23:49:43 -05:00
result[:target_group_names] = groups.join(",")
end
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
result.permit!
result.to_h
better revision history
2013-12-11 21:41:34 -05:00
end
`NewPostManager` determines whether to queue a post or not
2015-03-31 12:58:56 -04:00
def signature_for(args)
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging
2019-05-02 18:17:27 -04:00
+"post##" << Digest::SHA1.hexdigest(args
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
.to_h
`NewPostManager` determines whether to queue a post or not
2015-03-31 12:58:56 -04:00
.to_a
.concat([["user", current_user.id]])
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
.sort { |x, y| x[0] <=> y[0] }.join do |x, y|
`NewPostManager` determines whether to queue a post or not
2015-03-31 12:58:56 -04:00
"#{x}:#{y}"
end)
end
PostsController refactoring.
2014-02-21 11:12:43 -05:00
def display_post(post)
post.revert_to(params[:version].to_i) if params[:version].present?
render_post_json(post)
end
def find_post_from_params
by_id_finder = Post.where(id: params[:id] || params[:post_id])
find_post_using(by_id_finder)
end
def find_post_from_params_by_number
by_number_finder = Post.where(topic_id: params[:topic_id], post_number: params[:post_number])
find_post_using(by_number_finder)
end
FEATURE: allows to jump to a date in a topic
2018-07-19 10:00:13 -04:00
def find_post_from_params_by_date
by_date_finder = TopicView.new(params[:topic_id], current_user)
.filtered_posts
.where("created_at >= ?", Time.zone.parse(params[:date]))
.order("created_at ASC")
.limit(1)
find_post_using(by_date_finder)
end
PostsController refactoring.
2014-02-21 11:12:43 -05:00
def find_post_using(finder)
# Include deleted posts if the user is staff
finder = finder.with_deleted if current_user.try(:staff?)
post = finder.first
FIX: Removed a line by accident, broke tests
2017-10-23 14:49:14 -04:00
raise Discourse::NotFound unless post
BUGFIX: could not see the revisions of a post in a deleted topic
2014-05-12 10:30:10 -04:00
# load deleted topic
post.topic = Topic.with_deleted.find(post.topic_id) if current_user.try(:staff?)
FIX: Show the deleted icon if the quote expands a deleted topic
2017-10-23 13:41:41 -04:00
raise Discourse::NotFound unless post.topic
PostsController refactoring.
2014-02-21 11:12:43 -05:00
guardian.ensure_can_see!(post)
post
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end