discourse/app/controllers/embed_controller.rb

193 lines
5.3 KiB
Ruby

# frozen_string_literal: true
class EmbedController < ApplicationController
include TopicQueryParams
skip_before_action :check_xhr, :preload_json, :verify_authenticity_token
before_action :prepare_embeddable, except: [:info]
before_action :ensure_api_request, only: [:info]
layout "embed"
rescue_from Discourse::InvalidAccess do
if current_user.try(:admin?)
@setup_url = "#{Discourse.base_url}/admin/customize/embedding"
@show_reason = true
@hosts = EmbeddableHost.all
end
render "embed_error", status: 400
end
def topics
discourse_expires_in 1.minute
unless SiteSetting.embed_topics_list?
render "embed_topics_error", status: 400
return
end
if @embed_id = params[:discourse_embed_id]
raise Discourse::InvalidParameters.new(:embed_id) unless @embed_id =~ /\Ade\-[a-zA-Z0-9]+\z/
end
if @embed_class = params[:embed_class]
unless @embed_class =~ /\A[a-zA-Z0-9\-_]+\z/
raise Discourse::InvalidParameters.new(:embed_class)
end
end
response.headers["X-Robots-Tag"] = "noindex, indexifembedded"
if params.has_key?(:template) && params[:template] == "complete"
@template = "complete"
else
@template = "basic"
end
list_options = build_topic_list_options
if params.has_key?(:per_page)
list_options[:per_page] = [params[:per_page].to_i, SiteSetting.embed_topic_limit_per_page].min
end
if params[:allow_create]
@allow_create = true
create_url_params = {}
create_url_params[:category_id] = params[:category] if params[:category].present?
create_url_params[:tags] = params[:tags] if params[:tags].present?
@create_url = "#{Discourse.base_url}/new-topic?#{create_url_params.to_query}"
end
topic_query = TopicQuery.new(current_user, list_options)
top_period = params[:top_period]
begin
TopTopic.validate_period(top_period)
valid_top_period = true
rescue Discourse::InvalidParameters
valid_top_period = false
end
@list =
if valid_top_period
topic_query.list_top_for(top_period)
else
topic_query.list_latest
end
end
def comments
embed_url = params[:embed_url]
embed_username = params[:discourse_username]
embed_topic_id = params[:topic_id]&.to_i
unless embed_topic_id || EmbeddableHost.url_allowed?(embed_url)
raise Discourse::InvalidAccess.new("invalid embed host")
end
topic_id = nil
if embed_url.present?
topic_id = TopicEmbed.topic_id_for_embed(embed_url)
else
topic_id = params[:topic_id].to_i
end
if topic_id
@topic_view =
TopicView.new(
topic_id,
current_user,
limit: SiteSetting.embed_post_limit,
only_regular: true,
exclude_first: true,
exclude_deleted_users: true,
exclude_hidden: true,
)
raise Discourse::NotFound if @topic_view.blank?
@posts_left = 0
@second_post_url = "#{@topic_view.topic.url}/2"
@reply_count = @topic_view.filtered_posts.count - 1
@reply_count = 0 if @reply_count < 0
@posts_left = @reply_count - SiteSetting.embed_post_limit if @reply_count >
SiteSetting.embed_post_limit
elsif embed_url.present?
Jobs.enqueue(
:retrieve_topic,
user_id: current_user.try(:id),
embed_url: embed_url,
author_username: embed_username,
referer: request.env["HTTP_REFERER"],
)
render "loading"
end
discourse_expires_in 1.minute
end
def info
embed_url = params.require(:embed_url)
@topic_embed = TopicEmbed.where(embed_url: embed_url).first
raise Discourse::NotFound if @topic_embed.nil?
render_serialized(@topic_embed, TopicEmbedSerializer, root: false)
end
def count
embed_urls = params[:embed_url]
by_url = {}
if embed_urls.present?
urls = embed_urls.map { |u| u.sub(/#discourse-comments\z/, "").sub(%r{/\z}, "") }
topic_embeds = TopicEmbed.where(embed_url: urls).includes(:topic).references(:topic)
topic_embeds.each do |te|
url = te.embed_url
url = "#{url}#discourse-comments" if params[:embed_url].exclude?(url)
if te.topic.present?
by_url[url] = I18n.t("embed.replies", count: te.topic.posts_count - 1)
else
by_url[url] = I18n.t("embed.replies", count: 0)
end
end
end
render json: { counts: by_url }, callback: params[:callback]
end
private
def prepare_embeddable
response.headers.delete("X-Frame-Options")
embeddable_host = EmbeddableHost.record_for_url(request.referer)
@embeddable_css_class =
if params[:class_name]
" class=\"#{CGI.escapeHTML(params[:class_name])}\""
elsif embeddable_host.present? && embeddable_host.class_name.present?
Discourse.deprecate(
"class_name field of EmbeddableHost has been deprecated. Prefer passing class_name as a parameter.",
since: "3.1.0.beta1",
drop_from: "3.2",
)
" class=\"#{CGI.escapeHTML(embeddable_host.class_name)}\""
else
""
end
@data_referer =
if SiteSetting.embed_any_origin? && @data_referer.blank?
"*"
else
request.referer
end
end
def ensure_api_request
raise Discourse::InvalidAccess.new("api key not set") if !is_api?
end
end