media_controller.rb 1.1 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546
  1. # frozen_string_literal: true
  2. class MediaController < ApplicationController
  3. include Authorization
  4. skip_before_action :store_current_location
  5. skip_before_action :require_functional!
  6. before_action :authenticate_user!, if: :whitelist_mode?
  7. before_action :set_media_attachment
  8. before_action :verify_permitted_status!
  9. before_action :check_playable, only: :player
  10. before_action :allow_iframing, only: :player
  11. content_security_policy only: :player do |p|
  12. p.frame_ancestors(false)
  13. end
  14. def show
  15. redirect_to @media_attachment.file.url(:original)
  16. end
  17. def player
  18. @body_classes = 'player'
  19. end
  20. private
  21. def set_media_attachment
  22. @media_attachment = MediaAttachment.attached.find_by!(shortcode: params[:id] || params[:medium_id])
  23. end
  24. def verify_permitted_status!
  25. authorize @media_attachment.status, :show?
  26. rescue Mastodon::NotPermittedError
  27. raise ActiveRecord::RecordNotFound
  28. end
  29. def check_playable
  30. not_found unless @media_attachment.larger_media_format?
  31. end
  32. def allow_iframing
  33. response.headers['X-Frame-Options'] = 'ALLOWALL'
  34. end
  35. end