discourse/app/controllers/drafts_controller.rb
David Taylor 4e178d5c0d
SECURITY: Respect topic permissions when loading draft metadata
Co-authored-by: Sam Saffron <sam.saffron@gmail.com>
2020-03-23 11:54:36 +00:00

35 lines
651 B
Ruby

# frozen_string_literal: true
class DraftsController < ApplicationController
requires_login
skip_before_action :check_xhr, :preload_json
def index
params.require(:username)
params.permit(:offset)
params.permit(:limit)
user = fetch_user_from_params
unless user == current_user
raise Discourse::InvalidAccess
end
opts = {
user: user,
offset: params[:offset],
limit: params[:limit]
}
stream = Draft.stream(opts)
render json: {
drafts: stream ? serialize_data(stream, DraftSerializer) : [],
no_results_help: I18n.t("user_activity.no_drafts.self")
}
end
end