discourse/app/controllers/static_controller.rb

class StaticController < ApplicationController

  skip_before_filter :check_xhr, :redirect_to_login_if_required
  skip_before_filter :verify_authenticity_token, only: [:enter]

  def show
    return redirect_to(path '/') if current_user && params[:id] == 'login'

    map = {
      "faq" => {redirect: "faq_url", topic_id: "guidelines_topic_id"},
      "tos" => {redirect: "tos_url", topic_id: "tos_topic_id"},
      "privacy" => {redirect: "privacy_policy_url", topic_id: "privacy_topic_id"}
    }

    @page = params[:id]

    if map.has_key?(@page)
      site_setting_key = map[@page][:redirect]
      url = SiteSetting.send(site_setting_key)
      return redirect_to(url) unless url.blank?
    end

    # The /guidelines route ALWAYS shows our FAQ, ignoring the faq_url site setting.
    @page = 'faq' if @page == 'guidelines'

    # Don't allow paths like ".." or "/" or anything hacky like that
    @page.gsub!(/[^a-z0-9\_\-]/, '')

    if map.has_key?(@page)
      @topic = Topic.find_by_id(SiteSetting.send(map[@page][:topic_id]))
      raise Discourse::NotFound unless @topic
      @title = @topic.title
      @body = @topic.posts.first.cooked
      @faq_overriden = !SiteSetting.faq_url.blank?
      render :show, layout: !request.xhr?, formats: [:html]
      return
    end

    if I18n.exists?("static.#{@page}")
      render text: I18n.t("static.#{@page}"), layout: !request.xhr?, formats: [:html]
      return
    end

    file = "static/#{@page}.#{I18n.locale}"
    file = "static/#{@page}.en" if lookup_context.find_all("#{file}.html").empty?
    file = "static/#{@page}"    if lookup_context.find_all("#{file}.html").empty?

    if lookup_context.find_all("#{file}.html").any?
      render file, layout: !request.xhr?, formats: [:html]
      return
    end

    raise Discourse::NotFound
  end

  # This method just redirects to a given url.
  # It's used when an ajax login was successful but we want the browser to see
  # a post of a login form so that it offers to remember your password.
  def enter
    params.delete(:username)
    params.delete(:password)

    destination = path("/")

    if params[:redirect].present? && !params[:redirect].match(login_path)
      begin
        forum_uri = URI(Discourse.base_url)
        uri = URI(params[:redirect])

        if uri.path.present? &&
           (uri.host.blank? || uri.host == forum_uri.host) &&
           uri.path !~ /\./

          destination = uri.path
          destination = "#{uri.path}?#{uri.query}" if uri.path =~ /new-topic/
        end
      rescue URI::InvalidURIError
        # Do nothing if the URI is invalid
      end
    end

    redirect_to destination
  end

  skip_before_filter :verify_authenticity_token, only: [:cdn_asset]

  def cdn_asset
    path = File.expand_path(Rails.root + "public/assets/" + params[:path])

    # SECURITY what if path has /../
    raise Discourse::NotFound unless path.start_with?(Rails.root.to_s + "/public/assets")

    expires_in 1.year, public: true

    response.headers["Expires"] = 1.year.from_now.httpdate
    response.headers["Access-Control-Allow-Origin"] = params[:origin] if params[:origin]

    begin
      response.headers["Last-Modified"] = File.ctime(path).httpdate
      response.headers["Content-Length"] = File.size(path).to_s
    rescue Errno::ENOENT
      raise Discourse::NotFound
    end

    opts = { disposition: nil }
    opts[:type] = "application/javascript" if path =~ /\.js$/

    # we must disable acceleration otherwise NGINX strips
    # access control headers
    request.env['sendfile.type'] = ''
    send_file(path, opts)
  end

end
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`class StaticController < ApplicationController`

Redirect all controllers to login if required We want to skip the filter for sessions controller so that we can login and we want to skip the filter for static pages because those should be visible to visitors. 2013-06-04 15:32:36 -07:00			`skip_before_filter :check_xhr, :redirect_to_login_if_required`
FIX: BAD CSRF on login. Don't check csrf in the fake login form since it doesn't actually do anything. 2013-08-27 11:30:58 -04:00			`skip_before_filter :verify_authenticity_token, only: [:enter]`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
			`def show`
FEATURE: add clean support for running Discourse in a subfolder To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish 2015-03-09 11:45:36 +11:00			`return redirect_to(path '/') if current_user && params[:id] == 'login'`
On sites with login_required enabled, after signup, don't show the /login page again 2013-10-30 16:37:22 -04:00
work in progress, add custom faq link, ember router needs to know about this or the redirect trick will not work 2013-06-27 17:15:59 +10:00			`map = {`
Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`"faq" => {redirect: "faq_url", topic_id: "guidelines_topic_id"},`
			`"tos" => {redirect: "tos_url", topic_id: "tos_topic_id"},`
			`"privacy" => {redirect: "privacy_policy_url", topic_id: "privacy_topic_id"}`
work in progress, add custom faq link, ember router needs to know about this or the redirect trick will not work 2013-06-27 17:15:59 +10:00			`}`

Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`@page = params[:id]`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`if map.has_key?(@page)`
			`site_setting_key = map[@page][:redirect]`
work in progress, add custom faq link, ember router needs to know about this or the redirect trick will not work 2013-06-27 17:15:59 +10:00			`url = SiteSetting.send(site_setting_key)`
			`return redirect_to(url) unless url.blank?`
			`end`
tos and privacy urls redirect based on site settings 2013-06-18 10:52:04 -04:00
FEATURE: /guidelines route will always show our FAQ, ignoring the faq_url site setting 2014-07-10 12:58:34 -04:00			`# The /guidelines route ALWAYS shows our FAQ, ignoring the faq_url site setting.`
Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`@page = 'faq' if @page == 'guidelines'`
FEATURE: /guidelines route will always show our FAQ, ignoring the faq_url site setting 2014-07-10 12:58:34 -04:00
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`# Don't allow paths like ".." or "/" or anything hacky like that`
Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`@page.gsub!(/[^a-z0-9\_\-]/, '')`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`if map.has_key?(@page)`
			`@topic = Topic.find_by_id(SiteSetting.send(map[@page][:topic_id]))`
			`raise Discourse::NotFound unless @topic`
FIX: when missing a static topic we were returning an error 2015-06-01 11:40:52 +10:00			`@title = @topic.title`
Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`@body = @topic.posts.first.cooked`
FEATURE: /guidelines route will always show our FAQ, ignoring the faq_url site setting 2014-07-10 12:58:34 -04:00			`@faq_overriden = !SiteSetting.faq_url.blank?`
Move FAQ, Terms of Service, and Privacy Policy into topics in the Staff category. First post of those topics will be rendered on their respective pages. Site settings and content are not used for these documents anymore. Translations of the default text is moved into the standard YML files. 2014-07-24 14:27:34 -04:00			`render :show, layout: !request.xhr?, formats: [:html]`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`return`
			`end`

FEATURE: advanced search help 2014-10-18 14:27:33 +11:00			`if I18n.exists?("static.#{@page}")`
don't use Markdown 2014-10-18 17:17:20 +11:00			`render text: I18n.t("static.#{@page}"), layout: !request.xhr?, formats: [:html]`
FEATURE: advanced search help 2014-10-18 14:27:33 +11:00			`return`
			`end`

BUGFIX: login was broken when login was required 2014-07-26 23:16:08 +02:00			`file = "static/#{@page}.#{I18n.locale}"`
			`file = "static/#{@page}.en" if lookup_context.find_all("#{file}.html").empty?`
			`file = "static/#{@page}" if lookup_context.find_all("#{file}.html").empty?`

			`if lookup_context.find_all("#{file}.html").any?`
			`render file, layout: !request.xhr?, formats: [:html]`
			`return`
			`end`

get rid of nonsense 404.html correct 404 handling for invalid pages 2013-05-20 10:29:49 +10:00			`raise Discourse::NotFound`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

Support for browser password managers, but doesn't quite work in IE 2013-03-13 10:22:56 -04:00			`# This method just redirects to a given url.`
			`# It's used when an ajax login was successful but we want the browser to see`
			`# a post of a login form so that it offers to remember your password.`
			`def enter`
			`params.delete(:username)`
			`params.delete(:password)`

FEATURE: add clean support for running Discourse in a subfolder To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish 2015-03-09 11:45:36 +11:00			`destination = path("/")`
SECURITY: Only redirect to our host by path on the login action 2014-08-28 17:45:13 -04:00
			`if params[:redirect].present? && !params[:redirect].match(login_path)`
			`begin`
			`forum_uri = URI(Discourse.base_url)`
			`uri = URI(params[:redirect])`
FEATURE: add clean support for running Discourse in a subfolder To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish 2015-03-09 11:45:36 +11:00
SECURITY: Don't allow redirects with periods in case you don't control other tlds on the same domain. 2014-10-30 11:31:44 -04:00			`if uri.path.present? &&`
			`(uri.host.blank? \|\| uri.host == forum_uri.host) &&`
			`uri.path !~ /\./`
FEATURE: add clean support for running Discourse in a subfolder To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish 2015-03-09 11:45:36 +11:00
SECURITY: Only redirect to our host by path on the login action 2014-08-28 17:45:13 -04:00			`destination = uri.path`
FIX: new-topic URL should survive login redirection 2015-06-14 20:24:47 +05:30			`destination = "#{uri.path}?#{uri.query}" if uri.path =~ /new-topic/`
SECURITY: Only redirect to our host by path on the login action 2014-08-28 17:45:13 -04:00			`end`
			`rescue URI::InvalidURIError`
			`# Do nothing if the URI is invalid`
Redirect to root after login if no path provided If we do not do this, then people that login from /login will just be redirected back to the login page. We'd rather have them see the root path. 2013-06-04 15:34:54 -07:00			`end`
SECURITY: Only redirect to our host by path on the login action 2014-08-28 17:45:13 -04:00			`end`

			`redirect_to destination`
Redirect to root after login if no path provided If we do not do this, then people that login from /login will just be redirected back to the login page. We'd rather have them see the root path. 2013-06-04 15:34:54 -07:00			`end`
BUGFIX: re-enable CDN js debugging in a robust way May be disabled if needed via site setting 2014-05-19 08:46:09 +10:00
PERF: finalize porting to new incoming links structure 2014-08-04 16:43:57 +10:00			`skip_before_filter :verify_authenticity_token, only: [:cdn_asset]`
FIX: add 'Content-Length' header for avatars 2014-10-22 15:39:51 +02:00
BUGFIX: re-enable CDN js debugging in a robust way May be disabled if needed via site setting 2014-05-19 08:46:09 +10:00			`def cdn_asset`
FIX: allow for subdirectorys for cdn assets 2014-07-10 17:29:38 +10:00			`path = File.expand_path(Rails.root + "public/assets/" + params[:path])`

			`# SECURITY what if path has /../`
FIX: add 'Content-Length' header for avatars 2014-10-22 15:39:51 +02:00			`raise Discourse::NotFound unless path.start_with?(Rails.root.to_s + "/public/assets")`
FIX: allow for subdirectorys for cdn assets 2014-07-10 17:29:38 +10:00
BUGFIX: re-enable CDN js debugging in a robust way May be disabled if needed via site setting 2014-05-19 08:46:09 +10:00			`expires_in 1.year, public: true`
Clean up content type and add Expires header when serving CDN assets 2014-10-21 15:59:16 +11:00
			`response.headers["Expires"] = 1.year.from_now.httpdate`
BUG: minor, do not send access origin if not set 2015-02-17 09:54:45 +11:00			`response.headers["Access-Control-Allow-Origin"] = params[:origin] if params[:origin]`
Clean up content type and add Expires header when serving CDN assets 2014-10-21 15:59:16 +11:00
FIX: set last modified date on CDN assets 2014-07-08 14:48:20 +10:00			`begin`
			`response.headers["Last-Modified"] = File.ctime(path).httpdate`
attempt to get content length through 2014-10-21 16:17:13 +11:00			`response.headers["Content-Length"] = File.size(path).to_s`
FIX: set last modified date on CDN assets 2014-07-08 14:48:20 +10:00			`rescue Errno::ENOENT`
			`raise Discourse::NotFound`
			`end`
Clean up content type and add Expires header when serving CDN assets 2014-10-21 15:59:16 +11:00
FIX: add 'Content-Length' header for avatars 2014-10-22 15:39:51 +02:00			`opts = { disposition: nil }`
Clean up content type and add Expires header when serving CDN assets 2014-10-21 15:59:16 +11:00			`opts[:type] = "application/javascript" if path =~ /\.js$/`
FIX: disable x accl redirect for CDN assets We need to keep headers in tact 2014-07-10 16:32:06 +10:00
			`# we must disable acceleration otherwise NGINX strips`
			`# access control headers`
FIX: remove hardcoding from middleware stack so we can control it 2014-07-10 17:01:21 +10:00			`request.env['sendfile.type'] = ''`
BUGFIX: re-enable CDN js debugging in a robust way May be disabled if needed via site setting 2014-05-19 08:46:09 +10:00			`send_file(path, opts)`
			`end`
FIX: add 'Content-Length' header for avatars 2014-10-22 15:39:51 +02:00
Fix all the trailing whitespace 2013-02-07 16:45:24 +01:00			`end`
No results found.