media_controller.rb 1.2 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950
  1. # frozen_string_literal: true
  2. class MediaController < ApplicationController
  3. include Authorization
  4. skip_before_action :require_functional!, unless: :limited_federation_mode?
  5. before_action :authenticate_user!, if: :limited_federation_mode?
  6. before_action :set_media_attachment
  7. before_action :verify_permitted_status!
  8. before_action :check_playable, only: :player
  9. before_action :allow_iframing, only: :player
  10. content_security_policy only: :player do |policy|
  11. policy.frame_ancestors(false)
  12. end
  13. def show
  14. redirect_to @media_attachment.file.url(:original)
  15. end
  16. def player
  17. @body_classes = 'player'
  18. end
  19. private
  20. def set_media_attachment
  21. id = params[:id] || params[:medium_id]
  22. return if id.nil?
  23. scope = MediaAttachment.local.attached
  24. # If id is 19 characters long, it's a shortcode, otherwise it's an identifier
  25. @media_attachment = id.size == 19 ? scope.find_by!(shortcode: id) : scope.find(id)
  26. end
  27. def verify_permitted_status!
  28. authorize @media_attachment.status, :show?
  29. rescue Mastodon::NotPermittedError
  30. not_found
  31. end
  32. def check_playable
  33. not_found unless @media_attachment.larger_media_format?
  34. end
  35. def allow_iframing
  36. response.headers.delete('X-Frame-Options')
  37. end
  38. end