about summary refs log tree commit diff
diff options
context:
space:
mode:
authorEugen Rochko <eugen@zeonfederated.com>2017-01-06 00:21:12 +0100
committerEugen Rochko <eugen@zeonfederated.com>2017-01-06 00:29:12 +0100
commit7b9f8766e88dceb9519085deada3fa673e4c015b (patch)
treea8d70a85796fe1e8027ad77ca1a84fe69caf9cef
parent9f21eb6064c6cdc2bc8606e5d18173655797c233 (diff)
Fix #416 - Generate random unique 14-byte (19 characters) shortcodes
for local attachments, use them in URLs. Check status privacy
before redirecting to actual file.
-rw-r--r--app/controllers/media_controller.rb3
-rw-r--r--app/models/media_attachment.rb18
-rw-r--r--db/migrate/20170105224407_add_shortcode_to_media_attachments.rb14
-rw-r--r--db/schema.rb4
4 files changed, 37 insertions, 2 deletions
diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index 6f1f7ec48..488c4f944 100644
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -10,6 +10,7 @@ class MediaController < ApplicationController
   private
 
   def set_media_attachment
-    @media_attachment = MediaAttachment.where.not(status_id: nil).find(params[:id])
+    @media_attachment = MediaAttachment.where.not(status_id: nil).find_by!(shortcode: params[:id])
+    raise ActiveRecord::RecordNotFound unless @media_attachment.status.permitted?(current_account)
   end
 end
diff --git a/app/models/media_attachment.rb b/app/models/media_attachment.rb
index 2a5d23739..ecbed03e3 100644
--- a/app/models/media_attachment.rb
+++ b/app/models/media_attachment.rb
@@ -16,6 +16,7 @@ class MediaAttachment < ApplicationRecord
 
   validates :account, presence: true
 
+  scope :local, -> { where(remote_url: '') }
   default_scope { order('id asc') }
 
   def local?
@@ -38,6 +39,12 @@ class MediaAttachment < ApplicationRecord
     image? ? 'image' : 'video'
   end
 
+  def to_param
+    shortcode
+  end
+
+  before_create :set_shortcode
+
   class << self
     private
 
@@ -62,4 +69,15 @@ class MediaAttachment < ApplicationRecord
       end
     end
   end
+
+  private
+
+  def set_shortcode
+    return unless local?
+
+    loop do
+      self.shortcode = SecureRandom.urlsafe_base64(14)
+      break if MediaAttachment.find_by(shortcode: shortcode).nil?
+    end
+  end
 end
diff --git a/db/migrate/20170105224407_add_shortcode_to_media_attachments.rb b/db/migrate/20170105224407_add_shortcode_to_media_attachments.rb
new file mode 100644
index 000000000..2685ae150
--- /dev/null
+++ b/db/migrate/20170105224407_add_shortcode_to_media_attachments.rb
@@ -0,0 +1,14 @@
+class AddShortcodeToMediaAttachments < ActiveRecord::Migration[5.0]
+  def up
+    add_column :media_attachments, :shortcode, :string, null: true, default: nil
+    add_index :media_attachments, :shortcode, unique: true
+
+    # Migrate old links
+    MediaAttachment.local.update_all('shortcode = id')
+  end
+
+  def down
+  	remove_index :media_attachments, :shortcode
+  	remove_column :media_attachments, :shortcode
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index b9236d42f..a535c5fdb 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20161222204147) do
+ActiveRecord::Schema.define(version: 20170105224407) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -95,6 +95,8 @@ ActiveRecord::Schema.define(version: 20161222204147) do
     t.integer  "account_id"
     t.datetime "created_at",                     null: false
     t.datetime "updated_at",                     null: false
+    t.string   "shortcode"
+    t.index ["shortcode"], name: "index_media_attachments_on_shortcode", unique: true, using: :btree
     t.index ["status_id"], name: "index_media_attachments_on_status_id", using: :btree
   end