discourse/app/controllers/static_controller.rb

class StaticController < ApplicationController

  skip_before_filter :check_xhr, :redirect_to_login_if_required
  skip_before_filter :verify_authenticity_token, only: [:enter]

  def show

    return redirect_to('/') if current_user && params[:id] == 'login'

    map = {
      "faq" => {redirect: "faq_url", topic_id: "guidelines_topic_id"},
      "tos" => {redirect: "tos_url", topic_id: "tos_topic_id"},
      "privacy" => {redirect: "privacy_policy_url", topic_id: "privacy_topic_id"}
    }

    @page = params[:id]

    if map.has_key?(@page)
      site_setting_key = map[@page][:redirect]
      url = SiteSetting.send(site_setting_key)
      return redirect_to(url) unless url.blank?
    end

    # The /guidelines route ALWAYS shows our FAQ, ignoring the faq_url site setting.
    @page = 'faq' if @page == 'guidelines'

    # Don't allow paths like ".." or "/" or anything hacky like that
    @page.gsub!(/[^a-z0-9\_\-]/, '')

    if map.has_key?(@page)
      @topic = Topic.find_by_id(SiteSetting.send(map[@page][:topic_id]))
      raise Discourse::NotFound unless @topic
      @body = @topic.posts.first.cooked
      @faq_overriden = !SiteSetting.faq_url.blank?
      render :show, layout: !request.xhr?, formats: [:html]
      return
    end

    raise Discourse::NotFound
  end

  # This method just redirects to a given url.
  # It's used when an ajax login was successful but we want the browser to see
  # a post of a login form so that it offers to remember your password.
  def enter
    params.delete(:username)
    params.delete(:password)

    redirect_to(
      if params[:redirect].blank? || params[:redirect].match(login_path)
        "/"
      else
        params[:redirect]
      end
    )
  end

  skip_before_filter :store_incoming_links, :verify_authenticity_token, only: [:cdn_asset]
  def cdn_asset
    path = File.expand_path(Rails.root + "public/assets/" + params[:path])

    # SECURITY what if path has /../
    unless path.start_with?(Rails.root.to_s + "/public/assets")
      raise Discourse::NotFound
    end

    expires_in 1.year, public: true
    response.headers["Access-Control-Allow-Origin"] = params[:origin]
    begin
      response.headers["Last-Modified"] = File.ctime(path).httpdate
    rescue Errno::ENOENT
      raise Discourse::NotFound
    end
    opts = {
      disposition: nil
    }
    opts[:type] = "application/x-javascript" if path =~ /\.js$/

    # we must disable acceleration otherwise NGINX strips
    # access control headers
    request.env['sendfile.type'] = ''
    send_file(path, opts)
  end
end
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`class StaticController < ApplicationController`

Redirect all controllers to login if required We want to skip the filter for sessions controller so that we can login and we want to skip the filter for static pages because those should be visible to visitors. 2013-06-04 18:32:36 -04:00			`skip_before_filter :check_xhr, :redirect_to_login_if_required`
FIX: BAD CSRF on login. Don't check csrf in the fake login form since it doesn't actually do anything. 2013-08-27 11:30:58 -04:00			`skip_before_filter :verify_authenticity_token, only: [:enter]`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
			`def show`

On sites with login_required enabled, after signup, don't show the /login page again 2013-10-30 16:37:22 -04:00			`return redirect_to('/') if current_user && params[:id] == 'login'`

work in progress, add custom faq link, ember router needs to know about this or the redirect trick will not work 2013-06-27 03:15:59 -04:00			`map = {`
Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`"faq" => {redirect: "faq_url", topic_id: "guidelines_topic_id"},`
			`"tos" => {redirect: "tos_url", topic_id: "tos_topic_id"},`
			`"privacy" => {redirect: "privacy_policy_url", topic_id: "privacy_topic_id"}`
work in progress, add custom faq link, ember router needs to know about this or the redirect trick will not work 2013-06-27 03:15:59 -04:00			`}`

Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`@page = params[:id]`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`if map.has_key?(@page)`
			`site_setting_key = map[@page][:redirect]`
work in progress, add custom faq link, ember router needs to know about this or the redirect trick will not work 2013-06-27 03:15:59 -04:00			`url = SiteSetting.send(site_setting_key)`
			`return redirect_to(url) unless url.blank?`
			`end`
tos and privacy urls redirect based on site settings 2013-06-18 10:52:04 -04:00
FEATURE: /guidelines route will always show our FAQ, ignoring the faq_url site setting 2014-07-10 12:58:34 -04:00			`# The /guidelines route ALWAYS shows our FAQ, ignoring the faq_url site setting.`
Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`@page = 'faq' if @page == 'guidelines'`
FEATURE: /guidelines route will always show our FAQ, ignoring the faq_url site setting 2014-07-10 12:58:34 -04:00
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`# Don't allow paths like ".." or "/" or anything hacky like that`
Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`@page.gsub!(/[^a-z0-9\_\-]/, '')`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`if map.has_key?(@page)`
			`@topic = Topic.find_by_id(SiteSetting.send(map[@page][:topic_id]))`
			`raise Discourse::NotFound unless @topic`
			`@body = @topic.posts.first.cooked`
FEATURE: /guidelines route will always show our FAQ, ignoring the faq_url site setting 2014-07-10 12:58:34 -04:00			`@faq_overriden = !SiteSetting.faq_url.blank?`
Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`render :show, layout: !request.xhr?, formats: [:html]`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`return`
			`end`

get rid of nonsense 404.html correct 404 handling for invalid pages 2013-05-19 20:29:49 -04:00			`raise Discourse::NotFound`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

Support for browser password managers, but doesn't quite work in IE 2013-03-13 10:22:56 -04:00			`# This method just redirects to a given url.`
			`# It's used when an ajax login was successful but we want the browser to see`
			`# a post of a login form so that it offers to remember your password.`
			`def enter`
			`params.delete(:username)`
			`params.delete(:password)`

Redirect to root after login if no path provided If we do not do this, then people that login from /login will just be redirected back to the login page. We'd rather have them see the root path. 2013-06-04 18:34:54 -04:00			`redirect_to(`
			`if params[:redirect].blank? \|\| params[:redirect].match(login_path)`
Refactor routes in order to be compatible with Rails 4 2013-07-01 14:00:06 -04:00			`"/"`
Redirect to root after login if no path provided If we do not do this, then people that login from /login will just be redirected back to the login page. We'd rather have them see the root path. 2013-06-04 18:34:54 -04:00			`else`
			`params[:redirect]`
			`end`
			`)`
			`end`
BUGFIX: re-enable CDN js debugging in a robust way May be disabled if needed via site setting 2014-05-18 18:46:09 -04:00
FIX: do not store incoming links on avatars or uploads 2014-07-25 01:10:06 -04:00			`skip_before_filter :store_incoming_links, :verify_authenticity_token, only: [:cdn_asset]`
BUGFIX: re-enable CDN js debugging in a robust way May be disabled if needed via site setting 2014-05-18 18:46:09 -04:00			`def cdn_asset`
FIX: allow for subdirectorys for cdn assets 2014-07-10 03:29:38 -04:00			`path = File.expand_path(Rails.root + "public/assets/" + params[:path])`

			`# SECURITY what if path has /../`
			`unless path.start_with?(Rails.root.to_s + "/public/assets")`
			`raise Discourse::NotFound`
			`end`

BUGFIX: re-enable CDN js debugging in a robust way May be disabled if needed via site setting 2014-05-18 18:46:09 -04:00			`expires_in 1.year, public: true`
			`response.headers["Access-Control-Allow-Origin"] = params[:origin]`
FIX: set last modified date on CDN assets 2014-07-08 00:48:20 -04:00			`begin`
			`response.headers["Last-Modified"] = File.ctime(path).httpdate`
			`rescue Errno::ENOENT`
			`raise Discourse::NotFound`
			`end`
BUGFIX: re-enable CDN js debugging in a robust way May be disabled if needed via site setting 2014-05-18 18:46:09 -04:00			`opts = {`
			`disposition: nil`
			`}`
			`opts[:type] = "application/x-javascript" if path =~ /\.js$/`
FIX: disable x accl redirect for CDN assets We need to keep headers in tact 2014-07-10 02:32:06 -04:00
			`# we must disable acceleration otherwise NGINX strips`
			`# access control headers`
FIX: remove hardcoding from middleware stack so we can control it 2014-07-10 03:01:21 -04:00			`request.env['sendfile.type'] = ''`
BUGFIX: re-enable CDN js debugging in a robust way May be disabled if needed via site setting 2014-05-18 18:46:09 -04:00			`send_file(path, opts)`
			`end`
Fix all the trailing whitespace 2013-02-07 10:45:24 -05:00			`end`