Support `embeddable_host` values that contain a HTTP/HTTPs protocol

Robin Ward 2014-02-12 15:55:44 -05:00
parent 6ceb4f2656
commit a963dd9081
5 changed files with 29 additions and 7 deletions


@ -48,8 +48,8 @@ class EmbedController < ApplicationController
def ensure_embeddable def ensure_embeddable
if !(Rails.env.development? && current_user.try(:admin?)) if !(Rails.env.development? && current_user.try(:admin?))
raise Discourse::InvalidAccess.new('embeddable host not set') if SiteSetting.embeddable_host.blank? raise Discourse::InvalidAccess.new('embeddable host not set') if SiteSetting.normalized_embeddable_host.blank?
raise Discourse::InvalidAccess.new('invalid referer host') if URI(request.referer || '').host != SiteSetting.embeddable_host raise Discourse::InvalidAccess.new('invalid referer host') if URI(request.referer || '').host != SiteSetting.normalized_embeddable_host
end end
response.headers['X-Frame-Options'] = "ALLOWALL" response.headers['X-Frame-Options'] = "ALLOWALL"
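Review bot: In `ensure_embeddable`, `URI(request.referer || '')` raises `URI::InvalidURIError` on a malformed Referer header, and nothing visible in this hunk rescues it, so such a request would probably surface as a server error rather than `Discourse::InvalidAccess`. `TopicRetriever#invalid_host?` in this same commit already treats an unparseable URI as an invalid host, and doing the same here keeps the check failing closed with a consistent response. A small private helper that parses the referer under `rescue URI::InvalidURIError` and returns `nil` would be enough, with the comparison itself unchanged. The method body continues outside the hunk.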


@ -56,6 +56,11 @@ class SiteSetting < ActiveRecord::Base
@anonymous_menu_items ||= Set.new Discourse.anonymous_filters.map(&:to_s) @anonymous_menu_items ||= Set.new Discourse.anonymous_filters.map(&:to_s)
end end
def self.normalized_embeddable_host
return embeddable_host if embeddable_host.blank?
embeddable_host.sub(/^https?\:\/\//, '')
end
def self.anonymous_homepage def self.anonymous_homepage
top_menu_items.map { |item| item.name } top_menu_items.map { |item| item.name }
.select { |item| anonymous_menu_items.include?(item) } .select { |item| anonymous_menu_items.include?(item) }
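Review bot: The pattern in `normalized_embeddable_host` anchors with `^`, which in Ruby matches at the start of any line rather than the start of the string, and it is case-sensitive, so a value such as `HTTPS://example.com` (constructed example) is left untouched. Use `embeddable_host.sub(/\Ahttps?:\/\//i, '')` instead. A trailing slash, path or port in the setting also survives normalization and can never equal `URI(...).host`, so embedding fails closed for those values with no hint to the admin. Either parse the value and take its host, or add a comment stating that only the scheme is stripped. The trailing context lines belong to `anonymous_homepage`, which continues outside the hunk.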


@ -12,7 +12,7 @@ class TopicRetriever
private private
def invalid_host? def invalid_host?
SiteSetting.embeddable_host != URI(@embed_url).host SiteSetting.normalized_embeddable_host != URI(@embed_url).host
rescue URI::InvalidURIError rescue URI::InvalidURIError
# An invalid URI is an invalid host # An invalid URI is an invalid host
true true
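Review bot: `invalid_host?` returns false when both sides are `nil`: `normalized_embeddable_host` passes a `nil` setting through unchanged, and `URI(@embed_url).host` is `nil` for a URL with no host part, so `nil != nil` lets that URL through. Whether the caller rejects a blank setting first is not visible here, so the guard is better made local: `host = SiteSetting.normalized_embeddable_host` followed by `host.blank? || host != URI(@embed_url).host`. The method's `end` lies outside the hunk.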


@ -7,13 +7,13 @@ describe TopicRetriever do
let(:topic_retriever) { TopicRetriever.new(embed_url) } let(:topic_retriever) { TopicRetriever.new(embed_url) }
it "does not call perform_retrieve when embeddable_host is not set" do it "does not call perform_retrieve when embeddable_host is not set" do
SiteSetting.expects(:embeddable_host).returns(nil) SiteSetting.stubs(:embeddable_host).returns(nil)
topic_retriever.expects(:perform_retrieve).never topic_retriever.expects(:perform_retrieve).never
topic_retriever.retrieve topic_retriever.retrieve
end end
it "does not call perform_retrieve when embeddable_host is different than the host of the URL" do it "does not call perform_retrieve when embeddable_host is different than the host of the URL" do
SiteSetting.expects(:embeddable_host).returns("eviltuna.com") SiteSetting.stubs(:embeddable_host).returns("eviltuna.com")
topic_retriever.expects(:perform_retrieve).never topic_retriever.expects(:perform_retrieve).never
topic_retriever.retrieve topic_retriever.retrieve
end end
@ -26,7 +26,7 @@ describe TopicRetriever do
context "with a valid host" do context "with a valid host" do
before do before do
SiteSetting.expects(:embeddable_host).returns("eviltrout.com") SiteSetting.stubs(:embeddable_host).returns("eviltrout.com")
end end
it "calls perform_retrieve if it hasn't been retrieved recently" do it "calls perform_retrieve if it hasn't been retrieved recently" do


@ -30,6 +30,23 @@ describe SiteSetting do
end end
end end
describe "normalized_embeddable_host" do
it 'returns the `embeddable_host` value' do
SiteSetting.stubs(:embeddable_host).returns("eviltrout.com")
SiteSetting.normalized_embeddable_host.should == "eviltrout.com"
end
it 'strip http from `embeddable_host` value' do
SiteSetting.stubs(:embeddable_host).returns("http://eviltrout.com")
SiteSetting.normalized_embeddable_host.should == "eviltrout.com"
end
it 'strip https from `embeddable_host` value' do
SiteSetting.stubs(:embeddable_host).returns("https://eviltrout.com")
SiteSetting.normalized_embeddable_host.should == "eviltrout.com"
end
end
describe 'topic_title_length' do describe 'topic_title_length' do
it 'returns a range of min/max topic title length' do it 'returns a range of min/max topic title length' do
SiteSetting.topic_title_length.should == SiteSetting.topic_title_length.should ==