mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-05-06 11:58:15 +08:00
5eca5b58aa
When a user has hide_profile enabled, their bio, location, and website were still exposed through the user onebox preview. This checks the hide_profile flag directly in local_user_html so hidden profile data is never rendered into onebox HTML.
247 lines
7.6 KiB
Ruby
247 lines
7.6 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
RSpec.describe OneboxController do
|
|
before { Discourse.cache.delete(Oneboxer.onebox_failed_cache_key(url)) }
|
|
|
|
let(:url) { "http://google.com" }
|
|
|
|
it "requires the user to be logged in" do
|
|
get "/onebox.json", params: { url: url }
|
|
expect(response.status).to eq(403)
|
|
end
|
|
|
|
describe "logged in" do
|
|
let(:user) { Fabricate(:user) }
|
|
let(:html) do
|
|
html = <<~HTML
|
|
<html>
|
|
<head>
|
|
<meta property="og:title" content="Onebox1">
|
|
<meta property="og:description" content="this is bodycontent">
|
|
</head>
|
|
<body>
|
|
<p>body</p>
|
|
</body>
|
|
<html>
|
|
HTML
|
|
html
|
|
end
|
|
|
|
let(:html2) do
|
|
html = <<~HTML
|
|
<html>
|
|
<head>
|
|
<meta property="og:title" content="Onebox2">
|
|
<meta property="og:description" content="this is bodycontent">
|
|
</head>
|
|
<body>
|
|
<p>body</p>
|
|
</body>
|
|
<html>
|
|
HTML
|
|
html
|
|
end
|
|
|
|
def bypass_limiting
|
|
Oneboxer.onebox_previewed!(user.id)
|
|
end
|
|
|
|
before { sign_in(user) }
|
|
|
|
it "invalidates the cache if refresh is passed" do
|
|
stub_request(:head, url)
|
|
stub_request(:get, url).to_return(status: 200, body: html).then.to_raise
|
|
|
|
bypass_limiting
|
|
Discourse.cache.delete("onebox__#{url}")
|
|
get "/onebox.json", params: { url: url }
|
|
expect(response.status).to eq(200)
|
|
expect(response.body).to include("Onebox1")
|
|
|
|
bypass_limiting
|
|
stub_request(:get, url).to_return(status: 200, body: html2).then.to_raise
|
|
get "/onebox.json", params: { url: url, refresh: "true" }
|
|
expect(response.status).to eq(200)
|
|
expect(response.body).to include("Onebox2")
|
|
end
|
|
|
|
describe "cached onebox" do
|
|
it "returns the cached onebox response in the body" do
|
|
url = "http://noodle.com/"
|
|
|
|
stub_request(:head, url)
|
|
stub_request(:get, url).to_return(body: html).then.to_raise
|
|
|
|
get "/onebox.json", params: { url: url, refresh: "true" }
|
|
|
|
expect(response.status).to eq(200)
|
|
expect(response.body).to include("Onebox1")
|
|
expect(response.body).to include("bodycontent")
|
|
|
|
get "/onebox.json", params: { url: url }
|
|
expect(response.status).to eq(200)
|
|
expect(response.body).to include("Onebox1")
|
|
expect(response.body).to include("bodycontent")
|
|
end
|
|
end
|
|
|
|
describe "only 1 outgoing preview per user" do
|
|
it "returns 429" do
|
|
Oneboxer.preview_onebox!(user.id)
|
|
|
|
stub_request(:head, url)
|
|
stub_request(:get, url).to_return(body: html).then.to_raise
|
|
|
|
get "/onebox.json", params: { url: url, refresh: "true" }
|
|
expect(response.status).to eq(429)
|
|
end
|
|
end
|
|
|
|
describe "found onebox" do
|
|
it "returns the onebox response in the body" do
|
|
stub_request(:head, url)
|
|
stub_request(:get, url).to_return(body: html).then.to_raise
|
|
get "/onebox.json", params: { url: url, refresh: "true" }
|
|
|
|
expect(response.status).to eq(200)
|
|
expect(response.body).to include("Onebox1")
|
|
end
|
|
end
|
|
|
|
describe "missing onebox" do
|
|
def stub_request_to_onebox_url(response_body)
|
|
stub_request(:head, url)
|
|
stub_request(:get, url).to_return(body: response_body).then.to_raise
|
|
end
|
|
|
|
it "returns preview-error if the onebox is nil" do
|
|
stub_request_to_onebox_url(nil)
|
|
get "/onebox.json", params: { url: url, refresh: "true" }
|
|
expect(response.body).to include(
|
|
"Sorry, we were unable to generate a preview for this web page",
|
|
)
|
|
end
|
|
|
|
it "returns preview-error if the onebox is an empty string" do
|
|
stub_request_to_onebox_url(" \t ")
|
|
get "/onebox.json", params: { url: url, refresh: "true" }
|
|
expect(response.response_code).to eq(200)
|
|
expect(response.body).to include(
|
|
"Sorry, we were unable to generate a preview for this web page",
|
|
)
|
|
end
|
|
end
|
|
|
|
describe "local onebox" do
|
|
it "does not cache local oneboxes" do
|
|
post = create_post
|
|
url = Discourse.base_url + post.url
|
|
|
|
get "/onebox.json", params: { url: url, category_id: post.topic.category_id }
|
|
expect(response.body).to include("blockquote")
|
|
|
|
post.trash!
|
|
|
|
get "/onebox.json", params: { url: url, category_id: post.topic.category_id }
|
|
expect(response.body).not_to include("blockquote")
|
|
end
|
|
end
|
|
|
|
it "does not onebox when you have no permission on category" do
|
|
post = create_post
|
|
url = Discourse.base_url + post.url
|
|
|
|
get "/onebox.json", params: { url: url, category_id: post.topic.category_id }
|
|
expect(response.body).to include("blockquote")
|
|
|
|
post.topic.category.set_permissions(staff: :full)
|
|
post.topic.category.save
|
|
|
|
get "/onebox.json", params: { url: url, category_id: post.topic.category_id }
|
|
expect(response.body).not_to include("blockquote")
|
|
end
|
|
|
|
it "does not allow onebox of PMs" do
|
|
post = create_post(archetype: "private_message", target_usernames: [user.username])
|
|
url = Discourse.base_url + post.url
|
|
|
|
get "/onebox.json", params: { url: url }
|
|
expect(response.body).not_to include("blockquote")
|
|
end
|
|
|
|
it "does not allow whisper onebox" do
|
|
post = create_post
|
|
whisper = create_post(topic_id: post.topic_id, post_type: Post.types[:whisper])
|
|
url = Discourse.base_url + whisper.url
|
|
|
|
get "/onebox.json", params: { url: url }
|
|
expect(response.body).not_to include("blockquote")
|
|
end
|
|
|
|
it "allows onebox to public topics/posts in PM" do
|
|
post = create_post
|
|
url = Discourse.base_url + post.url
|
|
|
|
get "/onebox.json", params: { url: url }
|
|
expect(response.body).to include("blockquote")
|
|
end
|
|
|
|
context "with local categories" do
|
|
fab!(:category)
|
|
|
|
it "oneboxes a public category" do
|
|
get "/onebox.json", params: { url: category.url }
|
|
expect(response.body).to include("aside")
|
|
end
|
|
|
|
it "includes subcategories" do
|
|
subcategory = Fabricate(:category, name: "child", parent_category_id: category.id)
|
|
|
|
get "/onebox.json", params: { url: subcategory.url }
|
|
expect(response.body).not_to include("subcategories")
|
|
end
|
|
|
|
it "does not onebox restricted categories" do
|
|
staff_category = Fabricate(:private_category, group: Group[:staff])
|
|
|
|
get "/onebox.json", params: { url: staff_category.url }
|
|
expect(response.body).not_to include("aside")
|
|
end
|
|
end
|
|
|
|
context "with local user profiles" do
|
|
fab!(:hidden_user, :user)
|
|
|
|
before do
|
|
hidden_user.user_profile.update!(
|
|
bio_raw: "secret bio content",
|
|
location: "secret location",
|
|
website: "https://secret.example.com",
|
|
)
|
|
SiteSetting.allow_users_to_hide_profile = true
|
|
hidden_user.user_option.update!(hide_profile: true)
|
|
end
|
|
|
|
it "does not onebox a hidden user profile" do
|
|
url = "#{Discourse.base_url}/u/#{hidden_user.username}"
|
|
|
|
get "/onebox.json", params: { url: url }
|
|
|
|
expect(response.body).not_to include("secret bio content")
|
|
expect(response.body).not_to include("secret location")
|
|
expect(response.body).not_to include("secret.example.com")
|
|
end
|
|
|
|
it "oneboxes a user profile when the viewer can see the profile" do
|
|
visible_user = Fabricate(:user)
|
|
visible_user.user_profile.update!(location: "visible location")
|
|
url = "#{Discourse.base_url}/u/#{visible_user.username}"
|
|
|
|
get "/onebox.json", params: { url: url }
|
|
|
|
expect(response.body).to include(visible_user.username)
|
|
expect(response.body).to include("visible location")
|
|
end
|
|
end
|
|
end
|
|
end
|
