FIX: oneboxing to private messages

2024-11-22 08:36:42 +08:00 · 2018-02-16 08:00:06 +11:00 · 2018-02-16 08:00:06 +11:00 · 57e140dc07
commit 57e140dc07
parent 67526907cd
2 changed files with 22 additions and 4 deletions
--- a/lib/oneboxer.rb
+++ b/lib/oneboxer.rb
@ -173,8 +173,11 @@ module Oneboxer
      if route[:post_number].to_i > 1
        post = Post.find_by(topic_id: route[:topic_id], post_number: route[:post_number])

-        return unless post.present? && !post.hidden
-        return unless current_category&.id == post.topic.category_id || Guardian.new.can_see_post?(post)
+        return if !post || post.hidden || post.topic.private_message?
+
+        if current_category&.id != post.topic.category_id
+          return if !Guardian.new.can_see_post?(post)
+        end

        topic = post.topic
        excerpt = post.excerpt(SiteSetting.post_onebox_maxlength)
@ -185,8 +188,13 @@ module Oneboxer

        PrettyText.cook(quote)
      else
-        return unless topic = Topic.find_by(id: route[:topic_id])
-        return unless current_category&.id == topic.category_id || Guardian.new.can_see_topic?(topic)
+        topic = Topic.find_by(id: route[:topic_id])
+
+        return if !topic || topic.private_message?
+
+        if current_category&.id != topic.category_id
+          return if !Guardian.new.can_see_topic?(topic)
+        end

        first_post = topic.ordered_posts.first

--- a/spec/controllers/onebox_controller_spec.rb
+++ b/spec/controllers/onebox_controller_spec.rb
@ -129,6 +129,16 @@ describe OneboxController do
      expect(response.body).not_to include('blockquote')
    end

+    it 'does not allow onebox of PMs' do
+      user = log_in
+
+      post = create_post(archetype: 'private_message', target_usernames: [user.username])
+      url = Discourse.base_url + post.url
+
+      get :show, params: { url: url }, format: :json
+      expect(response.body).not_to include('blockquote')
+    end
+
    it 'allows onebox to public topics/posts in PM' do
      log_in