Fix #416 - Generate random unique 14-byte (19 characters) shortcodes

for local attachments, use them in URLs. Check status privacy
before redirecting to actual file.

app/controllers/media_controller.rb

@@ -10,6 +10,7 @@ class MediaController < ApplicationController
   private
 
   def set_media_attachment
-    @media_attachment = MediaAttachment.where.not(status_id: nil).find(params[:id])
+    @media_attachment = MediaAttachment.where.not(status_id: nil).find_by!(shortcode: params[:id])
+    raise ActiveRecord::RecordNotFound unless @media_attachment.status.permitted?(current_account)
   end
 end

app/models/media_attachment.rb

@@ -16,6 +16,7 @@ class MediaAttachment < ApplicationRecord
 
   validates :account, presence: true
 
+  scope :local, -> { where(remote_url: '') }
   default_scope { order('id asc') }
 
   def local?
@@ -38,6 +39,12 @@ class MediaAttachment < ApplicationRecord
     image? ? 'image' : 'video'
   end
 
+  def to_param
+    shortcode
+  end
+
+  before_create :set_shortcode
+
   class << self
     private
 
@@ -62,4 +69,15 @@ class MediaAttachment < ApplicationRecord
       end
     end
   end
+
+  private
+
+  def set_shortcode
+    return unless local?
+
+    loop do
+      self.shortcode = SecureRandom.urlsafe_base64(14)
+      break if MediaAttachment.find_by(shortcode: shortcode).nil?
+    end
+  end
 end