discourse/app/controllers/post_action_users_controller.rb

# frozen_string_literal: true

class PostActionUsersController < ApplicationController
  INDEX_LIMIT = 200

  def index
    params.require(:post_action_type_id)
    params.require(:id)
    post_action_type_id = params[:post_action_type_id].to_i

    page = params[:page].to_i
    page_size = fetch_limit_from_params(default: INDEX_LIMIT, max: INDEX_LIMIT)

    # Find the post, and then determine if they can see the post (if deleted)
    post = Post.with_deleted.find_by(id: params[:id].to_i)
    guardian.ensure_can_see!(post)

    post_actions =
      post
        .post_actions
        .where(post_action_type_id: post_action_type_id)
        .includes(:user)
        .offset(page * page_size)
        .order("post_actions.created_at ASC")
        .limit(page_size)

    post_actions =
      DiscoursePluginRegistry.apply_modifier(:post_action_users_list, post_actions, post)

    if !guardian.can_see_post_actors?(post.topic, post_action_type_id)
      raise Discourse::InvalidAccess if current_user.blank?
      post_actions = post_actions.where(user_id: current_user.id)
    end

    action_type = PostActionType.types.key(post_action_type_id)
    total_count = post["#{action_type}_count"].to_i
    post_actions = post_actions.to_a
    data = {
      post_action_users:
        serialize_data(
          post_actions,
          PostActionUserSerializer,
          unknown_user_ids: current_user_muting_or_ignoring_users(post_actions.map(&:user_id)),
        ),
    }

    data[:total_rows_post_action_users] = total_count if total_count > page_size

    render_json_dump(data)
  end

  private

  def current_user_muting_or_ignoring_users(user_ids)
    return [] if current_user.blank?
    UserCommScreener.new(
      acting_user: current_user,
      target_user_ids: user_ids,
    ).actor_preventing_communication
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-03 06:17:27 +08:00			`# frozen_string_literal: true`

FIX: You can click to see your own PMs from flags Also refactors post action users to be a new object type since they can have `post_url` which is not a field of a `User` 2015-10-01 00:28:13 +08:00			`class PostActionUsersController < ApplicationController`
SECURITY: Impose a upper bound on limit params in various controllers What is the problem here? In multiple controllers, we are accepting a `limit` params but do not impose any upper bound on the values being accepted. Without an upper bound, we may be allowing arbituary users from generating DB queries which may end up exhausing the resources on the server. What is the fix here? A new `fetch_limit_from_params` helper method is introduced in `ApplicationController` that can be used by controller actions to safely get the limit from the params as a default limit and maximum limit has to be set. When an invalid limit params is encountered, the server will respond with the 400 response code. 2023-07-28 19:53:46 +08:00			`INDEX_LIMIT = 200`

FIX: You can click to see your own PMs from flags Also refactors post action users to be a new object type since they can have `post_url` which is not a field of a `User` 2015-10-01 00:28:13 +08:00			`def index`
			`params.require(:post_action_type_id)`
			`params.require(:id)`
			`post_action_type_id = params[:post_action_type_id].to_i`

UX: cap likes 2 (#5237) 2017-11-15 08:28:54 +08:00			`page = params[:page].to_i`
SECURITY: Impose a upper bound on limit params in various controllers What is the problem here? In multiple controllers, we are accepting a `limit` params but do not impose any upper bound on the values being accepted. Without an upper bound, we may be allowing arbituary users from generating DB queries which may end up exhausing the resources on the server. What is the fix here? A new `fetch_limit_from_params` helper method is introduced in `ApplicationController` that can be used by controller actions to safely get the limit from the params as a default limit and maximum limit has to be set. When an invalid limit params is encountered, the server will respond with the 400 response code. 2023-07-28 19:53:46 +08:00			`page_size = fetch_limit_from_params(default: INDEX_LIMIT, max: INDEX_LIMIT)`
UX: cap likes 2 (#5237) 2017-11-15 08:28:54 +08:00
FEATURE: Allow category group moderators to delete topics (#11069) * FEATURE - allow category group moderators to delete topics * Allow individual posts to be deleted * DEV - refactor for new `can_moderate_topic?` method 2020-11-06 01:18:26 +08:00			`# Find the post, and then determine if they can see the post (if deleted)`
DEV: Add post_action_users_list modifier for PostActionUsersController (#25740) This commit adds another plugin modifier related to post actions, similar to ae24e04a5ed1921908c8cf1926245fed40aee562. This will be used to exclude users who liked _and_ reacted to the post, since now in discourse-reactions we make a Like when a user reacts too. This will affect the display of the post footer. 2024-02-20 07:48:09 +08:00			`post = Post.with_deleted.find_by(id: params[:id].to_i)`
FIX: You can click to see your own PMs from flags Also refactors post action users to be a new object type since they can have `post_url` which is not a field of a `User` 2015-10-01 00:28:13 +08:00			`guardian.ensure_can_see!(post)`
FIX: you should always be allowed to see actions you created 2017-06-03 02:23:56 +08:00
FIX: You can click to see your own PMs from flags Also refactors post action users to be a new object type since they can have `post_url` which is not a field of a `User` 2015-10-01 00:28:13 +08:00			`post_actions =`
			`post`
			`.post_actions`
			`.where(post_action_type_id: post_action_type_id)`
			`.includes(:user)`
UX: cap likes 2 (#5237) 2017-11-15 08:28:54 +08:00			`.offset(page * page_size)`
UX: pluralize "likes/read this" When expending the number of likes/reads, the text wasn't handling proper pluralization that might be useful in locales that requires it. 2019-12-14 05:18:28 +08:00			`.order("post_actions.created_at ASC")`
UX: cap likes 2 (#5237) 2017-11-15 08:28:54 +08:00			`.limit(page_size)`
FIX: You can click to see your own PMs from flags Also refactors post action users to be a new object type since they can have `post_url` which is not a field of a `User` 2015-10-01 00:28:13 +08:00
DEV: Add post_action_users_list modifier for PostActionUsersController (#25740) This commit adds another plugin modifier related to post actions, similar to ae24e04a5ed1921908c8cf1926245fed40aee562. This will be used to exclude users who liked _and_ reacted to the post, since now in discourse-reactions we make a Like when a user reacts too. This will affect the display of the post footer. 2024-02-20 07:48:09 +08:00			`post_actions =`
			`DiscoursePluginRegistry.apply_modifier(:post_action_users_list, post_actions, post)`

FIX: you should always be allowed to see actions you created 2017-06-03 02:23:56 +08:00			`if !guardian.can_see_post_actors?(post.topic, post_action_type_id)`
DEV: Add post_action_users_list modifier for PostActionUsersController (#25740) This commit adds another plugin modifier related to post actions, similar to ae24e04a5ed1921908c8cf1926245fed40aee562. This will be used to exclude users who liked _and_ reacted to the post, since now in discourse-reactions we make a Like when a user reacts too. This will affect the display of the post footer. 2024-02-20 07:48:09 +08:00			`raise Discourse::InvalidAccess if current_user.blank?`
FIX: you should always be allowed to see actions you created 2017-06-03 02:23:56 +08:00			`post_actions = post_actions.where(user_id: current_user.id)`
			`end`

UX: cap likes 2 (#5237) 2017-11-15 08:28:54 +08:00			`action_type = PostActionType.types.key(post_action_type_id)`
FIX: Do not raise an error if the post action type is nil (#9458) 2020-04-18 01:23:33 +08:00			`total_count = post["#{action_type}_count"].to_i`
DEV: Add post_action_users_list modifier for PostActionUsersController (#25740) This commit adds another plugin modifier related to post actions, similar to ae24e04a5ed1921908c8cf1926245fed40aee562. This will be used to exclude users who liked _and_ reacted to the post, since now in discourse-reactions we make a Like when a user reacts too. This will affect the display of the post footer. 2024-02-20 07:48:09 +08:00			`post_actions = post_actions.to_a`
FEATURE: Don't display muted/ignored users under "who liked" (#10084) * FEATURE: Don't display muted/ignored users under "who liked" Previously, if you clicked on the heart icon below a post it would show you the avatar for a user even if you ignored or muted them. This commit will instead display a (?) icon. The count of likes will remain correct, but you needn't be reminded of the person you preferred not to see. * Use a circle instead of (?) for unknown user 2020-06-19 22:44:21 +08:00			`data = {`
			`post_action_users:`
			`serialize_data(`
DEV: Add post_action_users_list modifier for PostActionUsersController (#25740) This commit adds another plugin modifier related to post actions, similar to ae24e04a5ed1921908c8cf1926245fed40aee562. This will be used to exclude users who liked _and_ reacted to the post, since now in discourse-reactions we make a Like when a user reacts too. This will affect the display of the post footer. 2024-02-20 07:48:09 +08:00			`post_actions,`
FEATURE: Don't display muted/ignored users under "who liked" (#10084) * FEATURE: Don't display muted/ignored users under "who liked" Previously, if you clicked on the heart icon below a post it would show you the avatar for a user even if you ignored or muted them. This commit will instead display a (?) icon. The count of likes will remain correct, but you needn't be reminded of the person you preferred not to see. * Use a circle instead of (?) for unknown user 2020-06-19 22:44:21 +08:00			`PostActionUserSerializer,`
DEV: Add post_action_users_list modifier for PostActionUsersController (#25740) This commit adds another plugin modifier related to post actions, similar to ae24e04a5ed1921908c8cf1926245fed40aee562. This will be used to exclude users who liked _and_ reacted to the post, since now in discourse-reactions we make a Like when a user reacts too. This will affect the display of the post footer. 2024-02-20 07:48:09 +08:00			`unknown_user_ids: current_user_muting_or_ignoring_users(post_actions.map(&:user_id)),`
FEATURE: Don't display muted/ignored users under "who liked" (#10084) * FEATURE: Don't display muted/ignored users under "who liked" Previously, if you clicked on the heart icon below a post it would show you the avatar for a user even if you ignored or muted them. This commit will instead display a (?) icon. The count of likes will remain correct, but you needn't be reminded of the person you preferred not to see. * Use a circle instead of (?) for unknown user 2020-06-19 22:44:21 +08:00			`),`
			`}`
UX: cap likes 2 (#5237) 2017-11-15 08:28:54 +08:00
			`data[:total_rows_post_action_users] = total_count if total_count > page_size`

			`render_json_dump(data)`
FIX: You can click to see your own PMs from flags Also refactors post action users to be a new object type since they can have `post_url` which is not a field of a `User` 2015-10-01 00:28:13 +08:00			`end`
DEV: Add post_action_users_list modifier for PostActionUsersController (#25740) This commit adds another plugin modifier related to post actions, similar to ae24e04a5ed1921908c8cf1926245fed40aee562. This will be used to exclude users who liked _and_ reacted to the post, since now in discourse-reactions we make a Like when a user reacts too. This will affect the display of the post footer. 2024-02-20 07:48:09 +08:00
			`private`

			`def current_user_muting_or_ignoring_users(user_ids)`
			`return [] if current_user.blank?`
			`UserCommScreener.new(`
			`acting_user: current_user,`
			`target_user_ids: user_ids,`
			`).actor_preventing_communication`
			`end`
FIX: You can click to see your own PMs from flags Also refactors post action users to be a new object type since they can have `post_url` which is not a field of a `User` 2015-10-01 00:28:13 +08:00			`end`