
media_controller.rb 915 B

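  # frozen_string_literal: true

  # Serves a media attachment looked up by its shortcode.
  #
  # `show` redirects to the stored original file; `player` renders a page that
  # is meant to be embedded in third-party frames.
  #
  # Both actions run behind the same two filters, in this order:
  #   1. set_media_attachment      - load the record or fail with a 404
  #   2. verify_permitted_status!  - policy check on the owning status
  # so no action body executes for a status the requester may not see.
  class MediaController < ApplicationController
    include Authorization

    before_action :set_media_attachment
    before_action :verify_permitted_status!

    # Passing `false` removes the frame-ancestors directive from the CSP of the
    # player action only, so the policy does not stop other sites from embedding
    # the player. Every other action keeps the application-wide policy.
    content_security_policy only: :player do |policy|
      policy.frame_ancestors(false)
    end

    # Redirects to the URL of the original file.
    #
    # The target comes from the attachment record, not from request input.
    # NOTE(review): the policy check in this controller guards the redirect
    # only; whether the file URL is itself access-controlled depends on the
    # storage configuration, which is not visible here - confirm.
    def show
      redirect_to @media_attachment.file.url(:original)
    end

    # Renders the embeddable player for video and gifv attachments.
    #
    # @raise [ActiveRecord::RecordNotFound] for any other attachment type
    def player
      @body_classes = 'player'

      # Reject unsupported media before relaxing framing protection, so the
      # not-found path does not inherit the relaxed header below.
      raise ActiveRecord::RecordNotFound unless @media_attachment.video? || @media_attachment.gifv?

      # 'ALLOWALL' is not a standard X-Frame-Options value. It replaces whatever
      # default the application sends, and browsers that ignore the unknown
      # value apply no X-Frame-Options restriction. Keep this limited to the
      # player: any action that sets it gives up clickjacking protection.
      response.headers['X-Frame-Options'] = 'ALLOWALL'
    end

    private

    # Loads the attachment named by the :id or :medium_id route parameter.
    #
    # @raise [ActiveRecord::RecordNotFound] when no parameter is present or no
    #   attachment in the `attached` scope has that shortcode
    def set_media_attachment
      shortcode = params[:id] || params[:medium_id]

      # With neither parameter set, the lookup would become `shortcode IS NULL`
      # and could match a record that has no shortcode at all.
      raise ActiveRecord::RecordNotFound unless shortcode

      # NOTE(review): `attached` presumably limits the lookup to attachments
      # linked to a status; verify_permitted_status! relies on `status` being
      # present - confirm against the model.
      @media_attachment = MediaAttachment.attached.find_by!(shortcode: shortcode)
    end

    # Applies the :show? policy to the status that owns the attachment.
    #
    # @raise [ActiveRecord::RecordNotFound] when the policy denies access
    def verify_permitted_status!
      authorize @media_attachment.status, :show?
    rescue Mastodon::NotPermittedError
      # Re-raise as not-found so the response is a 404 rather than a 403: a
      # denied request then looks the same as a request for an unknown
      # shortcode and does not confirm that the media exists.
      raise ActiveRecord::RecordNotFound
    end
  end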