From 57e140dc073203c99bf0ef625b2079aa4abe8bdd Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 16 Feb 2018 08:00:06 +1100
Subject: [PATCH] FIX: oneboxing to private messages
---
 lib/oneboxer.rb | 16 ++++++++++++----
 spec/controllers/onebox_controller_spec.rb | 10 ++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/lib/oneboxer.rb b/lib/oneboxer.rb
index 533a5f08c00..6c3027f17d7 100644
--- a/lib/oneboxer.rb
+++ b/lib/oneboxer.rb
@@ -173,8 +173,11 @@ module Oneboxer
 if route[:post_number].to_i > 1
 post = Post.find_by(topic_id: route[:topic_id], post_number: route[:post_number])
- return unless post.present? && !post.hidden
- return unless current_category&.id == post.topic.category_id || Guardian.new.can_see_post?(post)
+ return if !post || post.hidden || post.topic.private_message?
+
+ if current_category&.id != post.topic.category_id
+ return if !Guardian.new.can_see_post?(post)
+ end
 topic = post.topic
 excerpt = post.excerpt(SiteSetting.post_onebox_maxlength)
@@ -185,8 +188,13 @@ module Oneboxer
 PrettyText.cook(quote)
 else
- return unless topic = Topic.find_by(id: route[:topic_id])
- return unless current_category&.id == topic.category_id || Guardian.new.can_see_topic?(topic)
+ topic = Topic.find_by(id: route[:topic_id])
+
+ return if !topic || topic.private_message?
+
+ if current_category&.id != topic.category_id
+ return if !Guardian.new.can_see_topic?(topic)
+ end
 first_post = topic.ordered_posts.first
diff --git a/spec/controllers/onebox_controller_spec.rb b/spec/controllers/onebox_controller_spec.rb
index def998a6acc..b53090ec28a 100644
--- a/spec/controllers/onebox_controller_spec.rb
+++ b/spec/controllers/onebox_controller_spec.rb
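Review bot: The category shortcut in the new `if current_category&.id != post.topic.category_id` still skips the Guardian check whenever both sides are nil, which looks like the path that let private messages through before this fix; the added `private_message?` test denies that one archetype but leaves the comparison failing open for any other topic that has no category. Requiring a real category before the shortcut applies closes it generally: `if current_category.nil? || current_category.id != post.topic.category_id`. The second hunk has the same comparison against `topic.category_id` and would take the same change. How `current_category` is obtained is outside the hunk; if it is derived from a request parameter, the shortcut also relies on the caller's statement of where the link is being posted, which deserves a comment at minimum. The enclosing method starts and ends outside the hunk.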
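Review bot: The new `return if !topic || topic.private_message?` carries no comment explaining why PMs are refused outright rather than passed to the visibility check, and the accompanying spec shows this is intended even for a logged-in participant. Without that, a later reader could reasonably "fix" it by routing PMs through Guardian again. I would add above it `# Never onebox PMs: Guardian.new below is built without a user, so it cannot check PM membership`, and the same comment fits the `post.topic.private_message?` line in the first hunk. The enclosing branch continues outside the hunk.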
@@ -129,6 +129,16 @@ describe OneboxController do
 expect(response.body).not_to include('blockquote')
 end
+ it 'does not allow onebox of PMs' do
+ user = log_in
+
+ post = create_post(archetype: 'private_message', target_usernames: [user.username])
+ url = Discourse.base_url + post.url
+
+ get :show, params: { url: url }, format: :json
+ expect(response.body).not_to include('blockquote')
+ end
+
 it 'allows onebox to public topics/posts in PM' do
 log_in
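Review bot: The new example appears to cover only one of the two branches changed in lib/oneboxer.rb. `create_post` with no existing topic presumably yields the first post, so the requested URL would not satisfy `route[:post_number].to_i > 1` and the `post.topic.private_message?` return is never exercised. A second example that adds a reply to the same PM and requests that reply's URL, with the same `expect(response.body).not_to include('blockquote')` assertion, would pin the other path. An example that omits `log_in` would also confirm the result for an anonymous request.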