Fix redirecting non-functional accounts on public pages (#11978)
# frozen_string_literal: true

# Serves media attachments looked up by shortcode: +show+ redirects to the
# attachment's original file URL, and +player+ sets up the player page that
# is allowed to be embedded in frames on other sites.
#
# The access decision made in this file is the +:show?+ policy check on the
# attachment's status (see +verify_permitted_status!+). Everything else is
# either lookup or response shaping.
class MediaController < ApplicationController
  include Authorization

  # Both callbacks are defined outside this file. Skipping
  # +require_functional!+ means that check does not run for these actions,
  # so visibility of media relies on the status policy check below.
  skip_before_action :store_current_location
  skip_before_action :require_functional!

  # Order matters: the attachment must be loaded before it is authorized,
  # and both happen before the player-only callbacks run.
  # Login is only forced when +whitelist_mode?+ is true; otherwise
  # unauthenticated requests proceed to the policy check.
  before_action :authenticate_user!, if: :whitelist_mode?
  before_action :set_media_attachment
  before_action :verify_permitted_status!
  before_action :check_playable, only: :player
  before_action :allow_iframing, only: :player

  # Passing +false+ drops the frame-ancestors directive from the CSP for the
  # player action, so the policy no longer restricts which origins may frame
  # it. Together with +allow_iframing+ this deliberately turns off framing
  # protection for that one page.
  # NOTE(review): keep the player view free of state-changing controls, since
  # it can be framed by arbitrary sites — confirm against the view template.
  content_security_policy only: :player do |policy|
    policy.frame_ancestors(false)
  end

  # Redirects the client to the URL of the attachment's original file.
  # Reached only after the before_action chain above has passed.
  # NOTE(review): the client fetches the redirect target directly; whether
  # that URL is itself access-controlled is not visible here — verify how
  # storage URLs for non-public statuses are protected.
  def show
    original_url = @media_attachment.file.url(:original)
    redirect_to original_url
  end

  # Sets the body class used by the player page.
  def player
    @body_classes = 'player'
  end

  private

  # Loads the attachment by shortcode, taken from +params[:id]+ or, when that
  # is absent, +params[:medium_id]+. +find_by!+ raises
  # ActiveRecord::RecordNotFound when nothing matches.
  # NOTE(review): the +attached+ scope is defined elsewhere; presumably it
  # limits results to attachments that belong to a status, which
  # +verify_permitted_status!+ depends on — confirm.
  def set_media_attachment
    shortcode = params[:id] || params[:medium_id]
    @media_attachment = MediaAttachment.attached.find_by!(shortcode: shortcode)
  end

  # Runs the +:show?+ policy check on the attachment's status.
  # A denied check is re-raised as ActiveRecord::RecordNotFound, so a viewer
  # who may not see the status gets the same error as for a shortcode that
  # does not exist, and the response does not confirm the media exists.
  def verify_permitted_status!
    begin
      authorize @media_attachment.status, :show?
    rescue Mastodon::NotPermittedError
      raise ActiveRecord::RecordNotFound
    end
  end

  # Calls +not_found+ (defined outside this file) unless the attachment
  # reports +larger_media_format?+.
  def check_playable
    return if @media_attachment.larger_media_format?

    not_found
  end

  # Overrides the X-Frame-Options response header for the player page.
  # 'ALLOWALL' is not a value defined for this header; browsers disregard
  # values they do not recognise, which is what lifts the framing restriction.
  # NOTE(review): removing the header would express the same intent without
  # relying on that behaviour — confirm no proxy re-adds a default first.
  def allow_iframing
    response.headers['X-Frame-Options'] = 'ALLOWALL'
  end
end