jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
c9acbbdf9e2bdb0f68e2e23e64de3d601424bdd5
danbooru/app/controllers/forum_topics_controller.rb
r888888888 abce4d2551 Raise error on unpermitted params. 
Fail loudly if we forget to whitelist a param instead of silently
ignoring it.

misc models: convert to strong params.

artist commentaries: convert to strong params.

* Disallow changing or setting post_id to a nonexistent post.

artists: convert to strong params.

* Disallow setting `is_banned` in create/update actions. Changing it
  this way instead of with the ban/unban actions would leave the artist in
  a partially banned state.

bans: convert to strong params.

* Disallow changing the user_id after the ban has been created.

comments: convert to strong params.

favorite groups: convert to strong params.

news updates: convert to strong params.

post appeals: convert to strong params.

post flags: convert to strong params.

* Disallow users from setting the `is_deleted` / `is_resolved` flags.

ip bans: convert to strong params.

user feedbacks: convert to strong params.

* Disallow users from setting `disable_dmail_notification` when creating feedbacks.
* Disallow changing the user_id after the feedback has been created.

notes: convert to strong params.

wiki pages: convert to strong params.

* Also fix non-Builders being able to delete wiki pages.

saved searches: convert to strong params.

pools: convert to strong params.

* Disallow setting `post_count` or `is_deleted` in create/update actions.

janitor trials: convert to strong params.

post disapprovals: convert to strong params.

* Factor out quick-mod bar to shared partial.
* Fix quick-mod bar to use `Post#is_approvable?` to determine visibility
  of Approve button.

dmail filters: convert to strong params.

password resets: convert to strong params.

user name change requests: convert to strong params.

posts: convert to strong params.

users: convert to strong params.

* Disallow setting password_hash, last_logged_in_at, last_forum_read_at,
  has_mail, and dmail_filter_attributes[user_id].

* Remove initialize_default_image_size (dead code).

uploads: convert to strong params.

* Remove `initialize_status` because status already defaults to pending
  in the database.

tag aliases/implications: convert to strong params.

tags: convert to strong params.

forum posts: convert to strong params.

* Disallow changing the topic_id after creating the post.
* Disallow setting is_deleted (destroy/undelete actions should be used instead).
* Remove is_sticky / is_locked (nonexistent attributes).

forum topics: convert to strong params.

* merges https://github.com/evazion/danbooru/tree/wip-rails-5.1
* lock pg gem to 0.21 (1.0.0 is incompatible with rails 5.1.4)
* switch to factorybot and change all references

Co-authored-by: r888888888 <r888888888@gmail.com>
Co-authored-by: evazion <noizave@gmail.com>

add diffs
2018-04-06 18:09:57 -07:00

169 lines
4.7 KiB
Ruby
Raw Blame History

class ForumTopicsController < ApplicationController
respond_to :html, :xml, :json
before_action :member_only, :except => [:index, :show]
before_action :moderator_only, :only => [:new_merge, :create_merge]
before_action :normalize_search, :only => :index
before_action :load_topic, :only => [:edit, :show, :update, :destroy, :undelete, :new_merge, :create_merge, :subscribe, :unsubscribe]
before_action :check_min_level, :only => [:show, :edit, :update, :new_merge, :create_merge, :destroy, :undelete, :subscribe, :unsubscribe]
skip_before_action :api_check
def new
@forum_topic = ForumTopic.new
@forum_topic.original_post = ForumPost.new
respond_with(@forum_topic)
end
def edit
check_privilege(@forum_topic)
respond_with(@forum_topic)
end
def index
params[:search] ||= {}
params[:search][:order] ||= "sticky" if request.format == Mime::Type.lookup("text/html")
@query = ForumTopic.active.search(search_params)
@forum_topics = @query.paginate(params[:page], :limit => per_page, :search_count => params[:search])
respond_with(@forum_topics) do |format|
format.html do
@forum_topics = @forum_topics.includes(:creator, :updater).load
end
format.atom do
@forum_topics = @forum_topics.includes(:creator, :original_post).load
end
format.json do
render :json => @forum_topics.to_json
end
format.xml do
render :xml => @forum_topics.to_xml(:root => "forum-topics")
end
end
end
def show
if request.format == Mime::Type.lookup("text/html")
@forum_topic.mark_as_read!(CurrentUser.user)
end
@forum_posts = ForumPost.search(:topic_id => @forum_topic.id).reorder("forum_posts.id").paginate(params[:page])
respond_with(@forum_topic) do |format|
format.atom do
@forum_posts = @forum_posts.reverse_order.includes(:creator).load
end
end
end
def create
@forum_topic = ForumTopic.create(forum_topic_params(:create))
respond_with(@forum_topic)
end
def update
check_privilege(@forum_topic)
@forum_topic.update(forum_topic_params(:update))
respond_with(@forum_topic)
end
def destroy
check_privilege(@forum_topic)
@forum_topic.delete!
@forum_topic.create_mod_action_for_delete
flash[:notice] = "Topic deleted"
respond_with(@forum_topic)
end
def undelete
check_privilege(@forum_topic)
@forum_topic.undelete!
@forum_topic.create_mod_action_for_undelete
flash[:notice] = "Topic undeleted"
respond_with(@forum_topic)
end
def mark_all_as_read
CurrentUser.user.update_attribute(:last_forum_read_at, Time.now)
ForumTopicVisit.prune!(CurrentUser.user)
redirect_to forum_topics_path, :notice => "All topics marked as read"
end
def new_merge
end
def create_merge
@merged_topic = ForumTopic.find(params[:merged_id])
@forum_topic.merge(@merged_topic)
redirect_to forum_topic_path(@merged_topic)
end
def subscribe
subscription = ForumSubscription.where(:forum_topic_id => @forum_topic.id, :user_id => CurrentUser.user.id).first
unless subscription
ForumSubscription.create(:forum_topic_id => @forum_topic.id, :user_id => CurrentUser.user.id, :last_read_at => @forum_topic.updated_at)
end
respond_with(@forum_topic)
end
def unsubscribe
subscription = ForumSubscription.where(:forum_topic_id => @forum_topic.id, :user_id => CurrentUser.user.id).first
if subscription
subscription.destroy
end
respond_with(@forum_topic)
end
private
def per_page
params[:limit] || 40
end
def normalize_search
if params[:title_matches]
params[:search] ||= {}
params[:search][:title_matches] = params.delete(:title_matches)
end
if params[:title]
params[:search] ||= {}
params[:search][:title] = params.delete(:title)
end
end
def check_privilege(forum_topic)
if !forum_topic.editable_by?(CurrentUser.user)
raise User::PrivilegeError
end
end
def load_topic
@forum_topic = ForumTopic.find(params[:id])
end
def check_min_level
if CurrentUser.user.level < @forum_topic.min_level
respond_with(@forum_topic) do |fmt|
fmt.html do
flash[:notice] = "Access denied"
redirect_to forum_topics_path
end
fmt.json do
render json: nil, :status => 403
end
fmt.xml do
render xml: nil, :status => 403
end
end
return false
end
end
def forum_topic_params(context)
permitted_params = [:title, :category_id, { original_post_attributes: %i[id body] }]
permitted_params += %i[is_sticky is_locked min_level] if CurrentUser.is_moderator?
params.require(:forum_topic).permit(permitted_params)
end
end
Reference in New Issue View Git Blame Copy Permalink