mirror of
https://github.com/discourse/discourse.git
synced 2024-11-26 03:53:44 +08:00
e871865a61
Currently, providing things like `filter[%24acunetix]=1` to `UserActionsController#index` will throw an exception because instead of getting a string as expected, we get a hash instead. This patch simply uses `#permit` from strong parameters properly: first we apply it on the whole parameters, this way it filters the keys we’re interested in. By doing this, if the value is a hash for example, the whole key/value pair will be ignored completely.
46 lines
1.4 KiB
Ruby
46 lines
1.4 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class UserActionsController < ApplicationController
|
|
def index
|
|
user_actions_params.require(:username)
|
|
|
|
user = fetch_user_from_params(include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts))
|
|
offset = [0, user_actions_params[:offset].to_i].max
|
|
action_types = (user_actions_params[:filter] || "").split(",").map(&:to_i)
|
|
limit = user_actions_params.fetch(:limit, 30).to_i
|
|
|
|
raise Discourse::NotFound unless guardian.can_see_profile?(user)
|
|
raise Discourse::NotFound unless guardian.can_see_user_actions?(user, action_types)
|
|
|
|
opts = {
|
|
user_id: user.id,
|
|
user: user,
|
|
offset: offset,
|
|
limit: limit,
|
|
action_types: action_types,
|
|
guardian: guardian,
|
|
ignore_private_messages: params[:filter].blank?,
|
|
acting_username: params[:acting_username]
|
|
}
|
|
|
|
stream = UserAction.stream(opts).to_a
|
|
render_serialized(stream, UserActionSerializer, root: 'user_actions')
|
|
end
|
|
|
|
def show
|
|
params.require(:id)
|
|
render_serialized(UserAction.stream_item(params[:id], guardian), UserActionSerializer)
|
|
end
|
|
|
|
def private_messages
|
|
# DO NOT REMOVE
|
|
# TODO should preload messages to avoid extra http req
|
|
end
|
|
|
|
private
|
|
|
|
def user_actions_params
|
|
@user_actions_params ||= params.permit(:username, :filter, :offset, :acting_username, :limit)
|
|
end
|
|
end
|