2013-02-05 14:16:51 -05:00
|
|
|
require 'current_user'
|
2013-02-13 06:04:43 -05:00
|
|
|
require 'canonical_url'
|
2013-02-05 14:16:51 -05:00
|
|
|
require_dependency 'discourse'
|
|
|
|
require_dependency 'custom_renderer'
|
|
|
|
require 'archetype'
|
|
|
|
require_dependency 'rate_limiter'
|
|
|
|
|
|
|
|
class ApplicationController < ActionController::Base
|
|
|
|
include CurrentUser
|
2013-02-25 11:42:20 -05:00
|
|
|
|
2013-02-13 06:04:43 -05:00
|
|
|
include CanonicalURL::ControllerExtensions
|
2013-02-05 14:16:51 -05:00
|
|
|
|
|
|
|
serialization_scope :guardian
|
|
|
|
|
|
|
|
protect_from_forgery
|
|
|
|
|
|
|
|
before_filter :inject_preview_style
|
|
|
|
before_filter :block_if_maintenance_mode
|
|
|
|
before_filter :check_restricted_access
|
|
|
|
before_filter :authorize_mini_profiler
|
|
|
|
before_filter :store_incoming_links
|
|
|
|
before_filter :preload_json
|
|
|
|
before_filter :check_xhr
|
2013-02-28 14:31:39 -05:00
|
|
|
before_filter :set_locale
|
2013-02-07 10:45:24 -05:00
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
rescue_from Exception do |exception|
|
2013-02-07 10:45:24 -05:00
|
|
|
unless [ ActiveRecord::RecordNotFound, ActionController::RoutingError,
|
2013-02-05 14:16:51 -05:00
|
|
|
ActionController::UnknownController, AbstractController::ActionNotFound].include? exception.class
|
2013-02-07 10:45:24 -05:00
|
|
|
begin
|
2013-02-05 14:16:51 -05:00
|
|
|
ErrorLog.report_async!(exception, self, request, current_user)
|
2013-02-07 10:45:24 -05:00
|
|
|
rescue
|
2013-02-05 14:16:51 -05:00
|
|
|
# dont care give up
|
|
|
|
end
|
|
|
|
end
|
|
|
|
raise
|
|
|
|
end
|
2013-02-07 10:45:24 -05:00
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
|
|
|
|
# Some exceptions
|
|
|
|
class RenderEmpty < Exception; end
|
|
|
|
|
|
|
|
# Render nothing unless we are an xhr request
|
|
|
|
rescue_from RenderEmpty do
|
|
|
|
render 'default/empty'
|
|
|
|
end
|
|
|
|
|
|
|
|
# If they hit the rate limiter
|
|
|
|
rescue_from RateLimiter::LimitExceeded do |e|
|
|
|
|
|
|
|
|
time_left = ""
|
|
|
|
if e.available_in < 1.minute.to_i
|
|
|
|
time_left = I18n.t("rate_limiter.seconds", count: e.available_in)
|
|
|
|
elsif e.available_in < 1.hour.to_i
|
2013-02-07 10:45:24 -05:00
|
|
|
time_left = I18n.t("rate_limiter.minutes", count: (e.available_in / 1.minute.to_i))
|
2013-02-05 14:16:51 -05:00
|
|
|
else
|
2013-02-07 10:45:24 -05:00
|
|
|
time_left = I18n.t("rate_limiter.hours", count: (e.available_in / 1.hour.to_i))
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
render json: {errors: [I18n.t("rate_limiter.too_many_requests", time_left: time_left)]}, status: 429
|
|
|
|
end
|
|
|
|
|
|
|
|
rescue_from Discourse::NotLoggedIn do |e|
|
|
|
|
raise e if Rails.env.test?
|
|
|
|
redirect_to root_path
|
|
|
|
end
|
|
|
|
|
|
|
|
rescue_from Discourse::NotFound do
|
2013-04-17 19:55:47 -04:00
|
|
|
if !request.format || request.format.html?
|
2013-02-05 14:16:51 -05:00
|
|
|
# for now do a simple remap, we may look at cleaner ways of doing the render
|
2013-04-30 02:29:57 -04:00
|
|
|
#
|
|
|
|
# Sam: I am confused about this, we need a comment that explains why this is conditional
|
2013-02-05 14:16:51 -05:00
|
|
|
raise ActiveRecord::RecordNotFound
|
|
|
|
else
|
2013-02-11 15:47:28 -05:00
|
|
|
render file: 'public/404', formats: [:html], layout: false, status: 404
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
rescue_from Discourse::InvalidAccess do
|
2013-02-11 15:47:28 -05:00
|
|
|
render file: 'public/403', formats: [:html], layout: false, status: 403
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2013-02-28 14:31:39 -05:00
|
|
|
|
|
|
|
def set_locale
|
|
|
|
I18n.locale = SiteSetting.default_locale
|
|
|
|
end
|
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
def store_preloaded(key, json)
|
|
|
|
@preloaded ||= {}
|
2013-02-25 11:42:20 -05:00
|
|
|
# I dislike that there is a gsub as opposed to a gsub!
|
|
|
|
# but we can not be mucking with user input, I wonder if there is a way
|
2013-02-11 01:28:21 -05:00
|
|
|
# to inject this safty deeper in the library or even in AM serializer
|
|
|
|
@preloaded[key] = json.gsub("</", "<\\/")
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
# If we are rendering HTML, preload the session data
|
|
|
|
def preload_json
|
2013-03-24 17:25:24 -04:00
|
|
|
if request.format && request.format.html?
|
2013-02-05 14:16:51 -05:00
|
|
|
if guardian.current_user
|
|
|
|
guardian.current_user.sync_notification_channel_position
|
|
|
|
end
|
|
|
|
|
|
|
|
store_preloaded("site", Site.cached_json)
|
|
|
|
|
|
|
|
if current_user.present?
|
|
|
|
store_preloaded("currentUser", MultiJson.dump(CurrentUserSerializer.new(current_user, root: false)))
|
|
|
|
end
|
|
|
|
store_preloaded("siteSettings", SiteSetting.client_settings_json)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def inject_preview_style
|
|
|
|
style = request['preview-style']
|
2013-02-07 10:45:24 -05:00
|
|
|
session[:preview_style] = style if style
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def guardian
|
|
|
|
@guardian ||= Guardian.new(current_user)
|
|
|
|
end
|
|
|
|
|
|
|
|
# This is odd, but it seems that in Rails `render json: obj` is about
|
|
|
|
# 20% slower than calling MultiJSON.dump ourselves. I'm not sure why
|
2013-02-07 10:45:24 -05:00
|
|
|
# Rails doesn't call MultiJson.dump when you pass it json: obj but
|
2013-02-05 14:16:51 -05:00
|
|
|
# it seems we don't need whatever Rails is doing.
|
|
|
|
def render_serialized(obj, serializer, opts={})
|
|
|
|
|
|
|
|
# If it's an array, apply the serializer as an each_serializer to the elements
|
|
|
|
serializer_opts = {scope: guardian}.merge!(opts)
|
|
|
|
if obj.is_a?(Array)
|
|
|
|
serializer_opts[:each_serializer] = serializer
|
|
|
|
render_json_dump(ActiveModel::ArraySerializer.new(obj, serializer_opts).as_json)
|
2013-02-07 10:45:24 -05:00
|
|
|
else
|
2013-02-05 14:16:51 -05:00
|
|
|
render_json_dump(serializer.new(obj, serializer_opts).as_json)
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def render_json_dump(obj)
|
|
|
|
render json: MultiJson.dump(obj)
|
|
|
|
end
|
|
|
|
|
2013-02-06 11:55:54 -05:00
|
|
|
def can_cache_content?
|
|
|
|
# Don't cache unless we're in production mode
|
2013-04-11 02:24:08 -04:00
|
|
|
return false unless Rails.env.production? || Rails.env == "profile"
|
2013-02-06 11:55:54 -05:00
|
|
|
|
|
|
|
# Don't cache logged in users
|
|
|
|
return false if current_user.present?
|
|
|
|
|
|
|
|
# Don't cache if there's restricted access
|
2013-03-01 12:45:25 -05:00
|
|
|
return false if SiteSetting.access_password.present?
|
2013-02-06 11:55:54 -05:00
|
|
|
|
|
|
|
true
|
|
|
|
end
|
|
|
|
|
|
|
|
# Our custom cache method
|
|
|
|
def discourse_expires_in(time_length)
|
|
|
|
return unless can_cache_content?
|
|
|
|
expires_in time_length, public: true
|
|
|
|
end
|
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
# Helper method - if no logged in user (anonymous), use Rails' conditional GET
|
|
|
|
# support. Should be very fast behind a cache.
|
|
|
|
def anonymous_etag(*args)
|
2013-02-06 11:55:54 -05:00
|
|
|
if can_cache_content?
|
2013-02-05 14:16:51 -05:00
|
|
|
yield if stale?(*args)
|
|
|
|
|
|
|
|
# Add a one minute expiry
|
2013-02-06 12:07:22 -05:00
|
|
|
expires_in 1.minute, public: true
|
2013-02-05 14:16:51 -05:00
|
|
|
else
|
|
|
|
yield
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
def render_json_error(obj)
|
|
|
|
if obj.present?
|
|
|
|
render json: MultiJson.dump(errors: obj.errors.full_messages), status: 422
|
|
|
|
else
|
|
|
|
render json: MultiJson.dump(errors: [I18n.t('js.generic_error')]), status: 422
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def success_json
|
|
|
|
{success: 'OK'}
|
|
|
|
end
|
|
|
|
|
|
|
|
def failed_json
|
|
|
|
{failed: 'FAILED'}
|
|
|
|
end
|
|
|
|
|
|
|
|
def json_result(obj, opts={})
|
|
|
|
if yield(obj)
|
|
|
|
|
|
|
|
json = success_json
|
|
|
|
|
|
|
|
# If we were given a serializer, add the class to the json that comes back
|
|
|
|
if opts[:serializer].present?
|
2013-04-11 20:07:46 -04:00
|
|
|
json[obj.class.name.underscore] = opts[:serializer].new(obj, scope: guardian).serializable_hash
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
render json: MultiJson.dump(json)
|
|
|
|
else
|
|
|
|
render_json_error(obj)
|
|
|
|
end
|
2013-02-07 10:45:24 -05:00
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
|
|
|
|
def block_if_maintenance_mode
|
|
|
|
if Discourse.maintenance_mode?
|
|
|
|
if request.format.json?
|
2013-04-07 12:14:50 -04:00
|
|
|
render status: 503, json: failed_json.merge(message: I18n.t('site_under_maintenance'))
|
2013-02-05 14:16:51 -05:00
|
|
|
else
|
|
|
|
render status: 503, file: File.join( Rails.root, 'public', '503.html' ), layout: false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def check_restricted_access
|
2013-02-07 10:45:24 -05:00
|
|
|
# note current_user is defined in the CurrentUser mixin
|
2013-03-01 12:45:25 -05:00
|
|
|
if SiteSetting.access_password.present? && cookies[:_access] != SiteSetting.access_password
|
2013-03-23 11:02:59 -04:00
|
|
|
redirect_to request_access_path(return_path: request.fullpath)
|
2013-02-07 10:45:24 -05:00
|
|
|
return false
|
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def mini_profiler_enabled?
|
2013-03-04 19:42:44 -05:00
|
|
|
defined?(Rack::MiniProfiler) && current_user.try(:admin?)
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def authorize_mini_profiler
|
|
|
|
return unless mini_profiler_enabled?
|
|
|
|
Rack::MiniProfiler.authorize_request
|
|
|
|
end
|
|
|
|
|
|
|
|
def requires_parameters(*required)
|
2013-02-07 10:45:24 -05:00
|
|
|
required.each do |p|
|
2013-02-05 14:16:51 -05:00
|
|
|
raise Discourse::InvalidParameters.new(p) unless params.has_key?(p)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
alias :requires_parameter :requires_parameters
|
|
|
|
|
|
|
|
def store_incoming_links
|
2013-04-26 02:18:41 -04:00
|
|
|
IncomingLink.add(request,current_user) unless request.xhr?
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2013-02-07 10:45:24 -05:00
|
|
|
def check_xhr
|
2013-02-05 14:16:51 -05:00
|
|
|
unless (controller_name == 'forums' || controller_name == 'user_open_ids')
|
2013-03-25 21:04:28 -04:00
|
|
|
# bypass xhr check on PUT / POST / DELETE provided api key is there, otherwise calling api is annoying
|
2013-04-29 20:34:19 -04:00
|
|
|
return if !request.get? && request["api_key"] && SiteSetting.api_key_valid?(request["api_key"])
|
2013-03-04 19:42:44 -05:00
|
|
|
raise RenderEmpty.new unless ((request.format && request.format.json?) || request.xhr?)
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def ensure_logged_in
|
|
|
|
raise Discourse::NotLoggedIn.new unless current_user.present?
|
|
|
|
end
|
2013-02-07 10:45:24 -05:00
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|