discourse/app/controllers/topics_controller.rb

# frozen_string_literal: true

class TopicsController < ApplicationController
  requires_login only: %i[
                   timings
                   destroy_timings
                   update
                   update_shared_draft
                   destroy
                   recover
                   status
                   invite
                   mute
                   unmute
                   set_notifications
                   move_posts
                   merge_topic
                   clear_pin
                   re_pin
                   status_update
                   timer
                   bulk
                   reset_new
                   change_post_owners
                   change_timestamps
                   archive_message
                   move_to_inbox
                   convert_topic
                   bookmark
                   publish
                   reset_bump_date
                   set_slow_mode
                 ]

  before_action :consider_user_for_promotion, only: :show

  skip_before_action :check_xhr, only: %i[show feed]

  def id_for_slug
    topic = Topic.find_by_slug(params[:slug])
    guardian.ensure_can_see!(topic)
    raise Discourse::NotFound unless topic
    render json: { slug: topic.slug, topic_id: topic.id, url: topic.url }
  end

  def show_by_external_id
    topic = Topic.find_by(external_id: params[:external_id])
    raise Discourse::NotFound unless topic
    guardian.ensure_can_see!(topic)
    redirect_to_correct_topic(topic, params[:post_number])
  end

  def show
    if params[:id].is_a?(Array)
      raise Discourse::InvalidParameters.new("Show only accepts a single ID")
    end

    flash["referer"] ||= request.referer[0..255] if request.referer

    # TODO: We'd like to migrate the wordpress feed to another url. This keeps up backwards
    # compatibility with existing installs.
    return wordpress if params[:best].present?

    # work around people somehow sending in arrays,
    # arrays are not supported
    params[:page] = begin
      params[:page].to_i
    rescue StandardError
      1
    end

    opts =
      params.slice(
        :username_filters,
        :filter,
        :page,
        :post_number,
        :show_deleted,
        :replies_to_post_number,
        :filter_upwards_post_id,
        :filter_top_level_replies,
      )
    username_filters = opts[:username_filters]

    opts[:print] = true if params[:print] == "true"
    opts[:username_filters] = username_filters.split(",") if username_filters.is_a?(String)

    # Special case: a slug with a number in front should look by slug first before looking
    # up that particular number
    if params[:id] && params[:id] =~ /\A\d+[^\d\\]+\z/
      topic = Topic.find_by_slug(params[:id])
      return redirect_to_correct_topic(topic, opts[:post_number]) if topic
    end

    if opts[:print]
      raise Discourse::InvalidAccess if SiteSetting.max_prints_per_hour_per_user.zero?
      begin
        unless @guardian.is_admin?
          RateLimiter.new(
            current_user,
            "print-topic-per-hour",
            SiteSetting.max_prints_per_hour_per_user,
            1.hour,
          ).performed!
        end
      rescue RateLimiter::LimitExceeded
        return render_json_error I18n.t("rate_limiter.slow_down")
      end
    end

    begin
      @topic_view = TopicView.new(params[:id] || params[:topic_id], current_user, opts)
    rescue Discourse::NotFound => ex
      if params[:id]
        topic = Topic.find_by_slug(params[:id])
        return redirect_to_correct_topic(topic, opts[:post_number]) if topic
      end

      raise ex
    rescue Discourse::NotLoggedIn => ex
      raise(SiteSetting.detailed_404 ? ex : Discourse::NotFound)
    rescue Discourse::InvalidAccess => ex
      # If the user can't see the topic, clean up notifications for it.
      Notification.remove_for(current_user.id, params[:topic_id]) if current_user

      deleted =
        guardian.can_see_topic?(ex.obj, false) ||
          (!guardian.can_see_topic?(ex.obj) && ex.obj&.access_topic_via_group && ex.obj.deleted_at)

      if SiteSetting.detailed_404
        if deleted
          raise Discourse::NotFound.new(
                  "deleted topic",
                  custom_message: "deleted_topic",
                  status: 410,
                  check_permalinks: true,
                  original_path: ex.obj.relative_url,
                )
        elsif !guardian.can_see_topic?(ex.obj) && group = ex.obj&.access_topic_via_group
          raise Discourse::InvalidAccess.new(
                  "not in group",
                  ex.obj,
                  custom_message: "not_in_group.title_topic",
                  custom_message_params: {
                    group: group.name,
                  },
                  group: serialize_data(group, BasicGroupSerializer, root: false),
                )
        end

        raise ex
      else
        raise Discourse::NotFound.new(
                nil,
                check_permalinks: deleted,
                original_path: ex.obj.relative_url,
              )
      end
    end

    page = params[:page]
    if (page < 0) || ((page - 1) * @topic_view.chunk_size >= @topic_view.topic.highest_post_number)
      raise Discourse::NotFound
    end

    discourse_expires_in 1.minute

    if slugs_do_not_match || (!request.format.json? && params[:slug].nil?)
      redirect_to_correct_topic(@topic_view.topic, opts[:post_number])
      return
    end

    track_visit_to_topic

    if should_track_visit_to_topic?
      @topic_view.draft = Draft.get(current_user, @topic_view.draft_key, @topic_view.draft_sequence)
    end

    response.headers["X-Robots-Tag"] = "noindex" unless @topic_view.topic.visible

    canonical_url UrlHelper.absolute_without_cdn(@topic_view.canonical_path)

    # provide hint to crawlers only for now
    # we would like to give them a bit more signal about age of data
    if use_crawler_layout?
      if last_modified = @topic_view.posts&.map { |p| p.updated_at }&.max&.httpdate
        response.headers["Last-Modified"] = last_modified
      end
    end

    perform_show_response
  end

  def publish
    params.permit(:id, :destination_category_id)

    topic = Topic.find(params[:id])
    category = Category.find(params[:destination_category_id])

    raise Discourse::InvalidParameters if category.id == SiteSetting.shared_drafts_category.to_i

    guardian.ensure_can_publish_topic!(topic, category)
    topic = TopicPublisher.new(topic, current_user, category.id).publish!

    render_serialized(topic.reload, BasicTopicSerializer)
  end

  def wordpress
    params.require(:best)
    params.require(:topic_id)
    params.permit(
      :min_trust_level,
      :min_score,
      :min_replies,
      :bypass_trust_level_score,
      :only_moderator_liked,
    )

    begin
      opts = {
        best: params[:best].to_i,
        min_trust_level: params[:min_trust_level] ? params[:min_trust_level].to_i : 1,
        min_score: params[:min_score].to_i,
        min_replies: params[:min_replies].to_i,
        bypass_trust_level_score: params[:bypass_trust_level_score].to_i, # safe cause 0 means ignore
        only_moderator_liked: params[:only_moderator_liked].to_s == "true",
        exclude_hidden: true,
      }
    rescue NoMethodError
      raise Discourse::InvalidParameters
    end

    @topic_view = TopicView.new(params[:topic_id], current_user, opts)
    discourse_expires_in 1.minute

    wordpress_serializer =
      TopicViewWordpressSerializer.new(@topic_view, scope: guardian, root: false)
    render_json_dump(wordpress_serializer)
  end

  def post_ids
    params.require(:topic_id)
    params.permit(:post_number, :username_filters, :filter)

    options = {
      filter_post_number: params[:post_number],
      filter: params[:filter],
      skip_limit: true,
      asc: true,
      skip_custom_fields: true,
    }

    fetch_topic_view(options)
    render_json_dump(post_ids: @topic_view.posts.pluck(:id))
  end

  def posts
    params.require(:topic_id)
    params.permit(:post_ids, :post_number, :username_filters, :filter, :include_suggested)

    include_suggested = params[:include_suggested] == "true"

    options = {
      filter_post_number: params[:post_number],
      post_ids: params[:post_ids],
      asc: ActiveRecord::Type::Boolean.new.deserialize(params[:asc]),
      filter: params[:filter],
      include_suggested: include_suggested,
      include_related: include_suggested,
    }

    fetch_topic_view(options)

    render_json_dump(
      TopicViewPostsSerializer.new(
        @topic_view,
        scope: guardian,
        root: false,
        include_raw: !!params[:include_raw],
      ),
    )
  end

  def excerpts
    params.require(:topic_id)
    params.require(:post_ids)

    unless Array === params[:post_ids]
      render_json_error("Expecting post_ids to contain a list of posts ids")
      return
    end
    post_ids = params[:post_ids].map(&:to_i)

    if post_ids.length > 100
      render_json_error("Requested a chunk that is too big")
      return
    end

    @topic = Topic.with_deleted.where(id: params[:topic_id]).first
    guardian.ensure_can_see!(@topic)

    @posts =
      Post
        .where(hidden: false, deleted_at: nil, topic_id: @topic.id)
        .where("posts.id in (?)", post_ids)
        .joins("LEFT JOIN users u on u.id = posts.user_id")
        .pluck(:id, :cooked, :username, :action_code, :created_at)
        .map do |post_id, cooked, username, action_code, created_at|
          attrs = {
            post_id: post_id,
            username: username,
            excerpt: PrettyText.excerpt(cooked, 800, keep_emoji_images: true),
          }

          if action_code
            attrs[:action_code] = action_code
            attrs[:created_at] = created_at
          end

          attrs
        end

    render json: @posts.to_json
  end

  def destroy_timings
    topic_id = params[:topic_id].to_i

    if params[:last].to_s == "1"
      PostTiming.destroy_last_for(current_user, topic_id: topic_id)
    else
      PostTiming.destroy_for(current_user.id, [topic_id])
    end

    last_notification =
      Notification
        .where(user_id: current_user.id, topic_id: topic_id)
        .order(created_at: :desc)
        .limit(1)
        .first

    last_notification.update!(read: false) if last_notification

    render body: nil
  end

  def update_shared_draft
    topic = Topic.find_by(id: params[:id])
    guardian.ensure_can_edit!(topic)

    category = Category.find_by(id: params[:category_id].to_i)
    guardian.ensure_can_publish_topic!(topic, category)

    row_count = SharedDraft.where(topic_id: topic.id).update_all(category_id: category.id)
    SharedDraft.create(topic_id: topic.id, category_id: category.id) if row_count == 0

    render json: success_json
  end

  def update
    topic = Topic.find_by(id: params[:topic_id])
    guardian.ensure_can_edit!(topic)

    if params[:category_id] && (params[:category_id].to_i != topic.category_id.to_i)
      if topic.shared_draft
        topic.shared_draft.update(category_id: params[:category_id])
        params.delete(:category_id)
      else
        category = Category.find_by(id: params[:category_id])

        if category || (params[:category_id].to_i == 0)
          begin
            guardian.ensure_can_move_topic_to_category!(category)
          rescue Discourse::InvalidAccess
            return(
              render_json_error I18n.t("category.errors.move_topic_to_category_disallowed"),
                                status: :forbidden
            )
          end
        else
          return render_json_error(I18n.t("category.errors.not_found"))
        end

        if category &&
             topic_tags = (params[:tags] || topic.tags.pluck(:name)).reject { |c| c.empty? }
          if topic_tags.present?
            allowed_tags =
              DiscourseTagging.filter_allowed_tags(guardian, category: category).map(&:name)

            invalid_tags = topic_tags - allowed_tags

            # Do not raise an error on a topic's hidden tags when not modifying tags
            if params[:tags].blank?
              invalid_tags.each do |tag_name|
                if DiscourseTagging.hidden_tag_names.include?(tag_name)
                  invalid_tags.delete(tag_name)
                end
              end
            end

            invalid_tags = Tag.where_name(invalid_tags).pluck(:name)

            if !invalid_tags.empty?
              if (invalid_tags & DiscourseTagging.hidden_tag_names).present?
                return render_json_error(I18n.t("category.errors.disallowed_tags_generic"))
              else
                return(
                  render_json_error(
                    I18n.t("category.errors.disallowed_topic_tags", tags: invalid_tags.join(", ")),
                  )
                )
              end
            end
          end
        end
      end
    end

    changes = {}

    PostRevisor.tracked_topic_fields.each_key { |f| changes[f] = params[f] if params.has_key?(f) }

    changes.delete(:title) if topic.title == changes[:title]
    changes.delete(:category_id) if topic.category_id.to_i == changes[:category_id].to_i

    if Tag.include_tags?
      topic_tags = topic.tags.map(&:name).sort
      changes.delete(:tags) if changes[:tags]&.sort == topic_tags
    end

    success = true

    if changes.length > 0
      bypass_bump = should_bypass_bump?(changes)

      first_post = topic.ordered_posts.first
      success =
        PostRevisor.new(first_post, topic).revise!(
          current_user,
          changes,
          validate_post: false,
          bypass_bump: bypass_bump,
          keep_existing_draft: params[:keep_existing_draft].to_s == "true",
        )

      topic.errors.add(:base, :unable_to_update) if !success && topic.errors.blank?
    end

    # this is used to return the title to the client as it may have been changed by "TextCleaner"
    success ? render_serialized(topic, BasicTopicSerializer) : render_json_error(topic)
  end

  def update_tags
    params.require(:tags)
    topic = Topic.find_by(id: params[:topic_id])
    guardian.ensure_can_edit_tags!(topic)

    success =
      PostRevisor.new(topic.first_post, topic).revise!(
        current_user,
        { tags: params[:tags] },
        validate_post: false,
      )

    success ? render_serialized(topic, BasicTopicSerializer) : render_json_error(topic)
  end

  def feature_stats
    params.require(:category_id)
    category_id = params[:category_id].to_i

    visible_topics = Topic.listable_topics.visible

    render json: {
             pinned_in_category_count:
               visible_topics
                 .where(category_id: category_id)
                 .where(pinned_globally: false)
                 .where.not(pinned_at: nil)
                 .count,
             pinned_globally_count:
               visible_topics.where(pinned_globally: true).where.not(pinned_at: nil).count,
             banner_count: Topic.listable_topics.where(archetype: Archetype.banner).count,
           }
  end

  def status
    params.require(:status)
    params.require(:enabled)
    params.permit(:until)

    status = params[:status]
    topic_id = params[:topic_id].to_i
    enabled = params[:enabled] == "true"

    check_for_status_presence(:status, status)
    @topic =
      if params[:category_id]
        Topic.find_by(id: topic_id, category_id: params[:category_id].to_i)
      else
        Topic.find_by(id: topic_id)
      end

    status_opts = { until: params[:until].presence }

    if status == "visible"
      status_opts[:visibility_reason_id] = (
        if enabled
          Topic.visibility_reasons[:manually_relisted]
        else
          Topic.visibility_reasons[:manually_unlisted]
        end
      )
    end

    case status
    when "closed"
      guardian.ensure_can_close_topic!(@topic)
    when "archived"
      guardian.ensure_can_archive_topic!(@topic)
    when "visible"
      guardian.ensure_can_toggle_topic_visibility!(@topic)
    when "pinned"
      guardian.ensure_can_pin_unpin_topic!(@topic)
    else
      guardian.ensure_can_moderate!(@topic)
    end

    @topic.update_status(status, enabled, current_user, status_opts)

    render json:
             success_json.merge!(
               topic_status_update:
                 TopicTimerSerializer.new(TopicTimer.find_by(topic: @topic), root: false),
             )
  end

  def mute
    toggle_mute
  end

  def unmute
    toggle_mute
  end

  def timer
    params.permit(:time, :based_on_last_post, :category_id)
    params.require(:status_type)

    status_type =
      begin
        TopicTimer.types.fetch(params[:status_type].to_sym)
      rescue StandardError
        invalid_param(:status_type)
      end
    based_on_last_post = params[:based_on_last_post]
    params.require(:duration_minutes) if based_on_last_post

    topic = Topic.find_by(id: params[:topic_id])
    guardian.ensure_can_moderate!(topic)

    guardian.ensure_can_delete!(topic) if TopicTimer.destructive_types.values.include?(status_type)

    options = { by_user: current_user, based_on_last_post: based_on_last_post }

    options.merge!(category_id: params[:category_id]) if !params[:category_id].blank?
    if params[:duration_minutes].present?
      options.merge!(duration_minutes: params[:duration_minutes].to_i)
    end
    options.merge!(duration: params[:duration].to_i) if params[:duration].present?

    begin
      topic_timer = topic.set_or_create_timer(status_type, params[:time], **options)
    rescue ActiveRecord::RecordInvalid => e
      return render_json_error(e.message)
    end

    if topic.save
      render json:
               success_json.merge!(
                 execute_at: topic_timer&.execute_at,
                 duration_minutes: topic_timer&.duration_minutes,
                 based_on_last_post: topic_timer&.based_on_last_post,
                 closed: topic.closed,
                 category_id: topic_timer&.category_id,
               )
    else
      render_json_error(topic)
    end
  end

  def make_banner
    topic = Topic.find_by(id: params[:topic_id].to_i)
    guardian.ensure_can_banner_topic!(topic)

    topic.make_banner!(current_user)

    render body: nil
  end

  def remove_banner
    topic = Topic.find_by(id: params[:topic_id].to_i)
    guardian.ensure_can_banner_topic!(topic)

    topic.remove_banner!(current_user)

    render body: nil
  end

  def remove_bookmarks
    topic = Topic.find(params[:topic_id].to_i)
    BookmarkManager.new(current_user).destroy_for_topic(topic)
    render body: nil
  end

  def archive_message
    toggle_archive_message(true)
  end

  def move_to_inbox
    toggle_archive_message(false)
  end

  def toggle_archive_message(archive)
    topic = Topic.find(params[:id].to_i)

    group_id = nil

    group_ids = current_user.groups.pluck(:id)
    if group_ids.present?
      allowed_groups =
        topic.allowed_groups.where("topic_allowed_groups.group_id IN (?)", group_ids).pluck(:id)

      allowed_groups.each do |id|
        if archive
          GroupArchivedMessage.archive!(id, topic, acting_user_id: current_user.id)

          group_id = id
        else
          GroupArchivedMessage.move_to_inbox!(id, topic, acting_user_id: current_user.id)
        end
      end
    end

    if topic.allowed_users.include?(current_user)
      if archive
        UserArchivedMessage.archive!(current_user.id, topic)
      else
        UserArchivedMessage.move_to_inbox!(current_user.id, topic)
      end
    end

    if group_id
      name = Group.find_by(id: group_id).try(:name)
      render_json_dump(group_name: name)
    else
      render body: nil
    end
  end

  def bookmark
    topic = Topic.find(params[:topic_id].to_i)

    bookmark_manager = BookmarkManager.new(current_user)
    bookmark_manager.create_for(bookmarkable_id: topic.id, bookmarkable_type: "Topic")

    return render_json_error(bookmark_manager, status: 400) if bookmark_manager.errors.any?

    render body: nil
  end

  def destroy
    topic = Topic.with_deleted.find_by(id: params[:id])
    force_destroy = ActiveModel::Type::Boolean.new.cast(params[:force_destroy])

    if force_destroy
      if !topic
        raise Discourse::InvalidAccess
      elsif !guardian.can_permanently_delete?(topic)
        return render_json_error topic.cannot_permanently_delete_reason(current_user), status: 403
      end
    else
      guardian.ensure_can_delete!(topic)
    end

    PostDestroyer.new(
      current_user,
      topic.ordered_posts.with_deleted.first,
      context: params[:context],
      force_destroy: force_destroy,
    ).destroy

    render body: nil
  rescue Discourse::InvalidAccess
    render_json_error I18n.t("delete_topic_failed")
  end

  def recover
    topic = Topic.where(id: params[:topic_id]).with_deleted.first
    guardian.ensure_can_recover_topic!(topic)

    first_post = topic.posts.with_deleted.order(:post_number).first
    PostDestroyer.new(current_user, first_post, context: params[:context]).recover

    render body: nil
  end

  def excerpt
    render body: nil
  end

  def remove_allowed_user
    params.require(:username)
    topic = Topic.find_by(id: params[:topic_id])
    raise Discourse::NotFound unless topic
    user = User.find_by(username: params[:username])
    raise Discourse::NotFound unless user

    guardian.ensure_can_remove_allowed_users!(topic, user)

    if topic.remove_allowed_user(current_user, user)
      render json: success_json
    else
      render json: failed_json, status: 422
    end
  end

  def remove_allowed_group
    params.require(:name)
    topic = Topic.find_by(id: params[:topic_id])
    guardian.ensure_can_remove_allowed_users!(topic)

    if topic.remove_allowed_group(current_user, params[:name])
      render json: success_json
    else
      render json: failed_json, status: 422
    end
  end

  def invite_group
    group = Group.find_by(name: params[:group])
    raise Discourse::NotFound if !group

    topic = Topic.find_by(id: params[:topic_id])
    raise Discourse::NotFound if !topic

    if !pm_has_slots?(topic)
      return(
        render_json_error(
          I18n.t(
            "pm_reached_recipients_limit",
            recipients_limit: SiteSetting.max_allowed_message_recipients,
          ),
        )
      )
    end

    if topic.private_message?
      guardian.ensure_can_invite_group_to_private_message!(group, topic)
      topic.invite_group(current_user, group)
      render_json_dump BasicGroupSerializer.new(group, scope: guardian, root: "group")
    else
      render json: failed_json, status: 422
    end
  end

  def invite
    topic = Topic.find_by(id: params[:topic_id])
    raise Discourse::NotFound if !topic

    return render_json_error(I18n.t("topic_invite.not_pm")) if !topic.private_message?

    if !pm_has_slots?(topic)
      return(
        render_json_error(
          I18n.t(
            "pm_reached_recipients_limit",
            recipients_limit: SiteSetting.max_allowed_message_recipients,
          ),
        )
      )
    end

    guardian.ensure_can_invite_to!(topic)

    username_or_email = params[:user] ? fetch_username : fetch_email
    group_ids =
      Group.lookup_groups(group_ids: params[:group_ids], group_names: params[:group_names]).pluck(
        :id,
      )

    begin
      if topic.invite(current_user, username_or_email, group_ids, params[:custom_message])
        if user = User.find_by_username_or_email(username_or_email)
          render_json_dump BasicUserSerializer.new(user, scope: guardian, root: "user")
        else
          render json: success_json
        end
      else
        json = failed_json

        unless topic.private_message?
          group_names =
            topic
              .category
              .visible_group_names(current_user)
              .where(automatic: false)
              .pluck(:name)
              .join(", ")

          if group_names.present?
            json.merge!(errors: [I18n.t("topic_invite.failed_to_invite", group_names: group_names)])
          end
        end

        render json: json, status: 422
      end
    rescue Topic::UserExists, Topic::NotAllowed => e
      render json: { errors: [e.message] }, status: 422
    end
  end

  def set_notifications
    user =
      if is_api? && @guardian.is_admin? &&
           (params[:username].present? || params[:external_id].present?)
        fetch_user_from_params
      else
        current_user
      end

    topic = Topic.find(params[:topic_id].to_i)
    TopicUser.change(user, topic.id, notification_level: params[:notification_level].to_i)
    render json: success_json
  end

  def merge_topic
    topic_id = params.require(:topic_id)
    destination_topic_id = params.require(:destination_topic_id)
    params.permit(:participants)
    params.permit(:chronological_order)
    params.permit(:archetype)

    raise Discourse::InvalidAccess if params[:archetype] == "private_message" && !guardian.is_staff?

    topic = Topic.find_by(id: topic_id)
    guardian.ensure_can_move_posts!(topic)

    destination_topic = Topic.find_by(id: destination_topic_id)
    guardian.ensure_can_create_post_on_topic!(destination_topic)

    args = {}
    args[:destination_topic_id] = destination_topic_id.to_i
    args[:chronological_order] = params[:chronological_order] == "true"

    if params[:archetype].present?
      args[:archetype] = params[:archetype]
      args[:participants] = params[:participants] if params[:participants].present? &&
        params[:archetype] == "private_message"
    end

    acting_user = current_user
    hijack(info: "merging topic #{topic_id.inspect} into #{destination_topic_id.inspect}") do
      destination_topic = topic.move_posts(acting_user, topic.posts.pluck(:id), args)
      render_topic_changes(destination_topic)
    end
  end

  def move_posts
    post_ids = params.require(:post_ids)
    topic_id = params.require(:topic_id)
    params.permit(:category_id)
    params.permit(:tags)
    params.permit(:participants)
    params.permit(:chronological_order)
    params.permit(:archetype)

    topic = Topic.with_deleted.find_by(id: topic_id)
    guardian.ensure_can_move_posts!(topic)

    if params[:title].present?
      # when creating a new topic, ensure the 1st post is a regular post
      if Post.where(topic: topic, id: post_ids).order(:post_number).pick(:post_type) !=
           Post.types[:regular]
        return(
          render_json_error(
            "When moving posts to a new topic, the first post must be a regular post.",
          )
        )
      end

      if params[:category_id].present?
        guardian.ensure_can_create_topic_on_category!(params[:category_id])
      end
    end

    destination_topic = move_posts_to_destination(topic)
    render_topic_changes(destination_topic)
  rescue ActiveRecord::RecordInvalid, ActiveRecord::RecordNotSaved => ex
    render_json_error(ex)
  end

  def change_post_owners
    params.require(:post_ids)
    params.require(:topic_id)
    params.require(:username)

    guardian.ensure_can_change_post_owner!

    begin
      PostOwnerChanger.new(
        post_ids: params[:post_ids].to_a,
        topic_id: params[:topic_id].to_i,
        new_owner: User.find_by(username: params[:username]),
        acting_user: current_user,
      ).change_owner!
      render json: success_json
    rescue ArgumentError
      render json: failed_json, status: 422
    end
  end

  def change_timestamps
    topic_id = params.require(:topic_id).to_i
    timestamp = params.require(:timestamp).to_f

    guardian.ensure_can_change_post_timestamps!

    topic = Topic.with_deleted.find(topic_id)
    previous_timestamp = topic.first_post.created_at

    begin
      TopicTimestampChanger.new(topic: topic, timestamp: timestamp).change!

      StaffActionLogger.new(current_user).log_topic_timestamps_changed(
        topic,
        Time.zone.at(timestamp),
        previous_timestamp,
      )

      render json: success_json
    rescue ActiveRecord::RecordInvalid, TopicTimestampChanger::InvalidTimestampError
      render json: failed_json, status: 422
    end
  end

  def clear_pin
    topic = Topic.find_by(id: params[:topic_id].to_i)
    guardian.ensure_can_see!(topic)
    topic.clear_pin_for(current_user)
    render body: nil
  end

  def re_pin
    topic = Topic.find_by(id: params[:topic_id].to_i)
    guardian.ensure_can_see!(topic)
    topic.re_pin_for(current_user)
    render body: nil
  end

  def timings
    allowed_params = topic_params

    topic_id = allowed_params[:topic_id].to_i
    topic_time = allowed_params[:topic_time].to_i
    timings = allowed_params[:timings].to_h || {}

    # ensure we capture current user for the block
    user = current_user

    hijack do
      PostTiming.process_timings(
        user,
        topic_id,
        topic_time,
        timings.map { |post_number, t| [post_number.to_i, t.to_i] },
        mobile: view_context.mobile_view?,
      )
      render body: nil
    end
  end

  def feed
    raise Discourse::NotFound if !Post.exists?(topic_id: params[:topic_id])

    begin
      @topic_view = TopicView.new(params[:topic_id])
    rescue Discourse::NotLoggedIn
      raise Discourse::NotFound
    rescue Discourse::InvalidAccess => ex
      deleted =
        guardian.can_see_topic?(ex.obj, false) ||
          (!guardian.can_see_topic?(ex.obj) && ex.obj&.access_topic_via_group && ex.obj.deleted_at)

      raise Discourse::NotFound.new(
              nil,
              check_permalinks: deleted,
              original_path: ex.obj.relative_url,
            )
    end

    discourse_expires_in 1.minute

    response.headers["X-Robots-Tag"] = "noindex, nofollow"
    render "topics/show", formats: [:rss]
  end

  def bulk
    if params[:topic_ids].present?
      unless Array === params[:topic_ids]
        raise Discourse::InvalidParameters.new("Expecting topic_ids to contain a list of topic ids")
      end
      topic_ids = params[:topic_ids].map { |t| t.to_i }
    elsif params[:filter] == "unread"
      topic_ids = bulk_unread_topic_ids
    else
      raise ActionController::ParameterMissing.new(:topic_ids)
    end

    operation =
      params
        .require(:operation)
        .permit(
          :type,
          :group,
          :category_id,
          :notification_level_id,
          :message,
          *DiscoursePluginRegistry.permitted_bulk_action_parameters,
          tags: [],
        )
        .to_h
        .symbolize_keys

    raise ActionController::ParameterMissing.new(:operation_type) if operation[:type].blank?

    operator = TopicsBulkAction.new(current_user, topic_ids, operation, group: operation[:group])
    hijack(info: "topics bulk action #{operation[:type]}") do
      changed_topic_ids = operator.perform!
      render_json_dump topic_ids: changed_topic_ids
    end
  end

  def private_message_reset_new
    topic_query = TopicQuery.new(current_user, limit: false)

    if params[:topic_ids].present?
      unless Array === params[:topic_ids]
        raise Discourse::InvalidParameters.new("Expecting topic_ids to contain a list of topic ids")
      end

      topic_scope =
        topic_query.private_messages_for(current_user, :all).where(
          "topics.id IN (?)",
          params[:topic_ids].map(&:to_i),
        )
    else
      params.require(:inbox)
      inbox = params[:inbox].to_s
      filter = private_message_filter(topic_query, inbox)
      topic_scope = topic_query.filter_private_message_new(current_user, filter)
    end

    topic_ids =
      TopicsBulkAction.new(current_user, topic_scope.pluck(:id), type: "dismiss_topics").perform!

    render json: success_json.merge(topic_ids: topic_ids)
  end

  def reset_new
    topic_scope =
      if current_user.new_new_view_enabled?
        if (params[:dismiss_topics] && params[:dismiss_posts])
          TopicQuery.new(current_user).new_and_unread_results(limit: false)
        elsif params[:dismiss_topics]
          TopicQuery.new(current_user).new_results(limit: false)
        elsif params[:dismiss_posts]
          TopicQuery.new(current_user).unread_results(limit: false)
        else
          Topic.none
        end
      else
        TopicQuery.new(current_user).new_results(limit: false)
      end
    if tag_name = params[:tag_id]
      tag_name = DiscourseTagging.visible_tags(guardian).where(name: tag_name).pluck(:name).first
    end

    topic_scope =
      if params[:category_id].present?
        category_id = params[:category_id].to_i

        category_ids =
          if ActiveModel::Type::Boolean.new.cast(params[:include_subcategories])
            Category.subcategory_ids(category_id)
          else
            [category_id]
          end

        category_ids &= guardian.allowed_category_ids
        if category_ids.blank?
          scope = topic_scope.none
        else
          scope = topic_scope.where(category_id: category_ids)
          scope = scope.joins(:tags).where(tags: { name: tag_name }) if tag_name
        end
        scope
      elsif tag_name.present?
        topic_scope.joins(:tags).where(tags: { name: tag_name })
      else
        if params[:tracked].to_s == "true"
          TopicQuery.tracked_filter(topic_scope, current_user.id)
        else
          current_user.user_stat.update_column(:new_since, Time.zone.now)
          topic_scope
        end
      end

    if params[:topic_ids].present?
      unless Array === params[:topic_ids]
        raise Discourse::InvalidParameters.new("Expecting topic_ids to contain a list of topic ids")
      end

      topic_ids = params[:topic_ids].map(&:to_i)
      topic_scope = topic_scope.where(id: topic_ids)
    end

    dismissed_topic_ids = []
    dismissed_post_topic_ids = []

    if !current_user.new_new_view_enabled? || params[:dismiss_topics]
      dismissed_topic_ids =
        TopicsBulkAction.new(current_user, topic_scope.pluck(:id), type: "dismiss_topics").perform!
    end

    if params[:dismiss_posts]
      if params[:untrack]
        dismissed_post_topic_ids =
          TopicsBulkAction.new(
            current_user,
            topic_scope.pluck(:id),
            type: "change_notification_level",
            notification_level_id: NotificationLevels.topic_levels[:regular],
          ).perform!
      else
        dismissed_post_topic_ids =
          TopicsBulkAction.new(current_user, topic_scope.pluck(:id), type: "dismiss_posts").perform!
      end
    end

    render_json_dump topic_ids: dismissed_topic_ids.concat(dismissed_post_topic_ids).uniq
  end

  def convert_topic
    params.require(:id)
    params.require(:type)

    topic = Topic.find_by(id: params[:id])
    guardian.ensure_can_convert_topic!(topic)

    topic =
      if params[:type] == "public"
        topic.convert_to_public_topic(current_user, category_id: params[:category_id])
      else
        topic.convert_to_private_message(current_user)
      end

    topic.valid? ? render_topic_changes(topic) : render_json_error(topic)
  end

  def reset_bump_date
    params.require(:id)
    params.permit(:post_id)

    guardian.ensure_can_update_bumped_at!

    topic = Topic.find_by(id: params[:id])
    raise Discourse::NotFound.new unless topic

    topic.reset_bumped_at(params[:post_id])
    render body: nil
  end

  def set_slow_mode
    topic = Topic.find(params[:topic_id])
    slow_mode_type = TopicTimer.types[:clear_slow_mode]
    timer = TopicTimer.find_by(topic: topic, status_type: slow_mode_type)

    guardian.ensure_can_moderate!(topic)
    topic.update!(slow_mode_seconds: params[:seconds])
    enabled = params[:seconds].to_i > 0

    time = enabled && params[:enabled_until].present? ? params[:enabled_until] : nil

    topic.set_or_create_timer(slow_mode_type, time, by_user: timer&.user)

    StaffActionLogger.new(current_user).log_topic_slow_mode(
      topic,
      enabled:,
      seconds: params[:seconds],
      until: time,
    )

    head :ok
  end

  private

  def topic_params
    params.permit(:topic_id, :topic_time, timings: {})
  end

  def fetch_topic_view(options)
    if (username_filters = params[:username_filters]).present?
      options[:username_filters] = username_filters.split(",")
    end

    @topic_view = TopicView.new(params[:topic_id], current_user, options)
  end

  def toggle_mute
    @topic = Topic.find_by(id: params[:topic_id].to_i)
    guardian.ensure_can_see!(@topic)

    @topic.toggle_mute(current_user)
    render body: nil
  end

  def consider_user_for_promotion
    Promotion.new(current_user).review if current_user.present?
  end

  def should_bypass_bump?(changes)
    (changes[:category_id].present? && SiteSetting.disable_category_edit_notifications) ||
      (changes[:tags].present? && SiteSetting.disable_tags_edit_notifications)
  end

  def slugs_do_not_match
    if SiteSetting.slug_generation_method != "encoded"
      params[:slug] && @topic_view.topic.slug != params[:slug]
    else
      params[:slug] && CGI.unescape(@topic_view.topic.slug) != params[:slug]
    end
  end

  def redirect_to_correct_topic(topic, post_number = nil)
    begin
      guardian.ensure_can_see!(topic)
    rescue Discourse::InvalidAccess => ex
      raise(SiteSetting.detailed_404 ? ex : Discourse::NotFound)
    end

    # Allow plugins to append allowed query parameters, so they aren't scrubbed on redirect to proper topic URL
    additional_allowed_query_parameters =
      DiscoursePluginRegistry.apply_modifier(
        :redirect_to_correct_topic_additional_query_parameters,
        [],
      )

    opts =
      params.slice(
        *%i[page print filter_top_level_replies preview_theme_id].concat(
          additional_allowed_query_parameters,
        ),
      )
    opts.delete(:page) if params[:page] == 0

    url = topic.relative_url
    url << "/#{post_number}" if post_number.to_i > 0
    url << ".json" if request.format.json?

    opts.each do |k, v|
      s = url.include?("?") ? "&" : "?"
      url << "#{s}#{k}=#{v}"
    end

    redirect_to url, status: 301
  end

  def track_visit_to_topic
    topic_id = @topic_view.topic.id
    ip = request.remote_ip
    user_id = (current_user.id if current_user)

    if !request.format.json?
      hash = {
        referer: request.referer || flash[:referer],
        host: request.host,
        current_user: current_user,
        topic_id: @topic_view.topic.id,
        post_number: @topic_view.current_post_number,
        username: request["u"],
        ip_address: request.remote_ip,
      }
      # defer this way so we do not capture the whole controller
      # in the closure
      TopicsController.defer_add_incoming_link(hash)
    end

    TopicsController.defer_track_visit(topic_id, user_id) if should_track_visit_to_topic?
  end

  def self.defer_track_visit(topic_id, user_id)
    Scheduler::Defer.later "Track Visit" do
      TopicUser.track_visit!(topic_id, user_id)
    end
  end

  def self.defer_topic_view(topic_id, ip, user_id = nil)
    Scheduler::Defer.later "Topic View" do
      topic = Topic.find_by(id: topic_id)
      next if topic.blank?
      next if topic.shared_draft?

      # We need to make sure that we aren't allowing recording
      # random topic views against topics the user cannot see.
      user = User.find_by(id: user_id) if user_id.present?
      next if user_id.present? && user.blank?
      next if !Guardian.new(user).can_see_topic?(topic)

      TopicViewItem.add(topic_id, ip, user_id)
    end
  end

  def self.defer_add_incoming_link(hash)
    Scheduler::Defer.later "Track Link" do
      IncomingLink.add(hash)
    end
  end

  def should_track_visit_to_topic?
    !!((!request.format.json? || params[:track_visit]) && current_user)
  end

  def perform_show_response
    if request.head?
      head :ok
      return
    end

    if params[:replies_to_post_number] || params[:filter_upwards_post_id] ||
         params[:filter_top_level_replies] || @topic_view.next_page.present?
      @topic_view.include_suggested = false
      @topic_view.include_related = false
    end

    topic_view_serializer =
      TopicViewSerializer.new(
        @topic_view,
        scope: guardian,
        root: false,
        include_raw: !!params[:include_raw],
      )

    respond_to do |format|
      format.html do
        @tags = SiteSetting.tagging_enabled ? @topic_view.topic.tags.visible(guardian) : []
        @breadcrumbs = helpers.categories_breadcrumb(@topic_view.topic) || []
        @description_meta =
          @topic_view.topic.excerpt.present? ? @topic_view.topic.excerpt : @topic_view.summary
        store_preloaded("topic_#{@topic_view.topic.id}", MultiJson.dump(topic_view_serializer))
        render :show
      end

      format.json { render_json_dump(topic_view_serializer) }
    end
  end

  def render_topic_changes(dest_topic)
    if dest_topic.present?
      render json: { success: true, url: dest_topic.relative_url }
    else
      render json: { success: false }
    end
  end

  def move_posts_to_destination(topic)
    args = {}
    args[:title] = params[:title] if params[:title].present?
    args[:destination_topic_id] = params[:destination_topic_id].to_i if params[
      :destination_topic_id
    ].present?
    args[:tags] = params[:tags] if params[:tags].present?
    args[:chronological_order] = params[:chronological_order] == "true"

    if params[:archetype].present?
      args[:archetype] = params[:archetype]
      args[:participants] = params[:participants] if params[:participants].present? &&
        params[:archetype] == "private_message"
    else
      args[:category_id] = params[:category_id].to_i if params[:category_id].present?
    end

    topic.move_posts(current_user, post_ids_including_replies, args)
  end

  def check_for_status_presence(key, attr)
    invalid_param(key) if %w[pinned pinned_globally visible closed archived].exclude?(attr)
  end

  def invalid_param(key)
    raise Discourse::InvalidParameters.new(key.to_sym)
  end

  def fetch_username
    params.require(:user)
    params[:user]
  end

  def fetch_email
    params.require(:email)
    params[:email]
  end

  def pm_has_slots?(pm)
    guardian.is_staff? || !pm.reached_recipients_limit?
  end

  def bulk_unread_topic_ids
    topic_query = TopicQuery.new(current_user)

    if inbox = params[:private_message_inbox]
      filter = private_message_filter(topic_query, inbox)
      topic_query.options[:limit] = false
      topics = topic_query.filter_private_messages_unread(current_user, filter)
    else
      topics =
        TopicQuery.unread_filter(
          topic_query.joined_topic_user,
          whisperer: guardian.is_whisperer?,
        ).listable_topics

      topics = TopicQuery.tracked_filter(topics, current_user.id) if params[:tracked].to_s == "true"

      if params[:category_id]
        category_ids =
          if params[:include_subcategories]
            Category.subcategory_ids(params[:category_id].to_i)
          else
            params[:category_id]
          end

        topics = topics.where(category_id: category_ids)
      end

      if params[:tag_name].present?
        topics = topics.joins(:tags).where("tags.name": params[:tag_name])
      end
    end

    topics.pluck(:id)
  end

  def private_message_filter(topic_query, inbox)
    case inbox
    when "group"
      group_name = params[:group_name]
      group = Group.find_by("lower(name) = ?", group_name)
      raise Discourse::NotFound if !group
      raise Discourse::NotFound if !guardian.can_see_group_messages?(group)
      topic_query.options[:group_name] = group_name
      :group
    when "user"
      :user
    else
      :all
    end
  end
end