media_controller.rb 1.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051
  1. # frozen_string_literal: true
  2. class MediaController < ApplicationController
  3. include Authorization
  4. skip_before_action :store_current_location
  5. skip_before_action :require_functional!, unless: :whitelist_mode?
  6. before_action :authenticate_user!, if: :whitelist_mode?
  7. before_action :set_media_attachment
  8. before_action :verify_permitted_status!
  9. before_action :check_playable, only: :player
  10. before_action :allow_iframing, only: :player
  11. content_security_policy only: :player do |policy|
  12. policy.frame_ancestors(false)
  13. end
  14. def show
  15. redirect_to @media_attachment.file.url(:original)
  16. end
  17. def player
  18. @body_classes = 'player'
  19. end
  20. private
  21. def set_media_attachment
  22. id = params[:id] || params[:medium_id]
  23. return if id.nil?
  24. scope = MediaAttachment.local.attached
  25. # If id is 19 characters long, it's a shortcode, otherwise it's an identifier
  26. @media_attachment = id.size == 19 ? scope.find_by!(shortcode: id) : scope.find_by!(id: id)
  27. end
  28. def verify_permitted_status!
  29. authorize @media_attachment.status, :show?
  30. rescue Mastodon::NotPermittedError
  31. not_found
  32. end
  33. def check_playable
  34. not_found unless @media_attachment.larger_media_format?
  35. end
  36. def allow_iframing
  37. response.headers['X-Frame-Options'] = 'ALLOWALL'
  38. end
  39. end