mirror of
https://github.com/discourse/discourse.git
synced 2026-03-05 15:27:34 +08:00
What is the problem?

Developers need to profile pages while browsing as anonymous users or while impersonating other users. Currently, MiniProfiler authorization is tied to the session, so it's lost when the session changes.

What is the solution?

Add a `/dev-mode` endpoint that sets an encrypted cookie to persist MiniProfiler authorization for 1 hour, independent of the session:

- New `DevModeController` with CSRF-protected POST form
- Only accessible to users in the Developer group
- Cookie validated on each request by checking timestamp, user existence, and developer status
34 lines
774 B
Ruby
```ruby
# frozen_string_literal: true

class DevModeController < ApplicationController
  layout "no_ember"
  skip_before_action :preload_json, :check_xhr

  before_action :ensure_developer

  def index
    response.headers["X-Robots-Tag"] = "noindex, nofollow"
  end

  def enter
    if params["enable_rack_mini_profiler"] == "true"
      cookies.encrypted[:_mp_auth] = {
        value: {
          user_id: current_user.id,
          issued_at: Time.now.to_i,
        },
        expires: MINI_PROFILER_AUTH_COOKIE_EXPIRES_IN.from_now,
        httponly: true,
        secure: SiteSetting.force_https,
        same_site: :strict,
      }
    end
    redirect_to path("/")
  end

  private

  def ensure_developer
    raise Discourse::NotFound unless guardian.is_developer?
  end
end
```
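The commit message says the cookie is validated on each request by checking timestamp, user existence, and developer status; that validation code is not on this page. The Ruby below is an added example, not Discourse's code, showing those three checks with an OpenSSL AES-256-GCM wrapper standing in for Rails' `cookies.encrypted`. `KEY`, `MAX_AGE`, `USERS`, `seal`, `unseal` and `check_profiler_cookie` are hypothetical names, and the user table is constructed.

```ruby
require "openssl"
require "json"
require "base64"

# Hypothetical stand-ins: Discourse uses Rails' cookies.encrypted and its own
# user lookup; the key, USERS table and method names here are constructed.
KEY = OpenSSL::Digest::SHA256.digest("constructed demo secret")
MAX_AGE = 3600 # 1 hour, the lifetime stated in the commit message
USERS = { 1 => { developer: true }, 2 => { developer: false } } # constructed

# Encrypts and authenticates the payload: iv (12) + tag (16) + ciphertext.
def seal(payload)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = KEY
  iv = cipher.random_iv
  ct = cipher.update(JSON.generate(payload)) + cipher.final
  Base64.urlsafe_encode64(iv + cipher.auth_tag + ct)
end

# Returns the decoded payload, or nil if the token fails authentication.
def unseal(token)
  raw = Base64.urlsafe_decode64(token)
  return nil if raw.bytesize < 28
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = KEY
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  JSON.parse(cipher.update(raw[28..-1]) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil # tampered, truncated or foreign cookie
end

# Returns :ok, or the reason the cookie is refused.
def check_profiler_cookie(token, now: Time.now.to_i)
  data = unseal(token)
  return :invalid unless data.is_a?(Hash) && data["issued_at"].is_a?(Integer)
  age = now - data["issued_at"]
  # The browser-side Expires attribute is not trusted; age is re-checked
  # on the server against the issued_at value inside the sealed payload.
  return :expired if age.negative? || age > MAX_AGE
  user = USERS[data["user_id"]]
  return :unknown_user if user.nil?
  # Re-checked on every request, so removal from the group takes effect
  # before the cookie itself expires.
  return :not_developer unless user[:developer]
  :ok
end
```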