FIX: allow local oneboxes to public topics/posts in PM

lib/oneboxer.rb

@@ -165,14 +165,16 @@ module Oneboxer
 
     def self.local_topic_html(url, route, opts)
       return unless current_user = User.find_by(id: opts[:user_id])
-      return unless current_category = Category.find_by(id: opts[:category_id])
-      return unless Guardian.new(current_user).can_see_category?(current_category)
+
+      if current_category = Category.find_by(id: opts[:category_id])
+        return unless Guardian.new(current_user).can_see_category?(current_category)
+      end
 
       if route[:post_number].to_i > 1
         post = Post.find_by(topic_id: route[:topic_id], post_number: route[:post_number])
 
         return unless post.present? && !post.hidden
-        return unless current_category.id == post.topic.category_id || Guardian.new.can_see_post?(post)
+        return unless current_category&.id == post.topic.category_id || Guardian.new.can_see_post?(post)
 
         topic = post.topic
         excerpt = post.excerpt(SiteSetting.post_onebox_maxlength)
@@ -184,7 +186,7 @@ module Oneboxer
         PrettyText.cook(quote)
       else
         return unless topic = Topic.find_by(id: route[:topic_id])
-        return unless current_category.id == topic.category_id || Guardian.new.can_see_topic?(topic)
+        return unless current_category&.id == topic.category_id || Guardian.new.can_see_topic?(topic)
 
         first_post = topic.ordered_posts.first
 

spec/controllers/onebox_controller_spec.rb

@@ -100,35 +100,45 @@ describe OneboxController do
     describe "local onebox" do
 
       it 'does not cache local oneboxes' do
-        post1 = create_post
-        url = Discourse.base_url + post1.url
+        post = create_post
+        url = Discourse.base_url + post.url
 
-        get :show, params: { url: url, category_id: post1.topic.category_id }, format: :json
+        get :show, params: { url: url, category_id: post.topic.category_id }, format: :json
         expect(response.body).to include('blockquote')
 
-        post1.trash!
+        post.trash!
 
-        get :show, params: { url: url, category_id: post1.topic.category_id }, format: :json
+        get :show, params: { url: url, category_id: post.topic.category_id }, format: :json
         expect(response.body).not_to include('blockquote')
       end
     end
 
-  end
+    it 'does not onebox when you have no permission on category' do
+      log_in
 
-  it 'does not onebox when you have no permission on category' do
-    log_in
+      post = create_post
+      url = Discourse.base_url + post.url
 
-    post1 = create_post
-    url = Discourse.base_url + post1.url
+      get :show, params: { url: url, category_id: post.topic.category_id }, format: :json
+      expect(response.body).to include('blockquote')
 
-    get :show, params: { url: url, category_id: post1.topic.category_id }, format: :json
-    expect(response.body).to include('blockquote')
+      post.topic.category.set_permissions(staff: :full)
+      post.topic.category.save
 
-    post1.topic.category.set_permissions(staff: :full)
-    post1.topic.category.save
+      get :show, params: { url: url, category_id: post.topic.category_id }, format: :json
+      expect(response.body).not_to include('blockquote')
+    end
+
+    it 'allows onebox to public topics/posts in PM' do
+      log_in
+
+      post = create_post
+      url = Discourse.base_url + post.url
+
+      get :show, params: { url: url }, format: :json
+      expect(response.body).to include('blockquote')
+    end
 
-    get :show, params: { url: url, category_id: post1.topic.category_id }, format: :json
-    expect(response.body).not_to include('blockquote')
   end
 
 end