Fix #416 - Generate random unique 14-byte (19 characters) shortcodes

for local attachments, use them in URLs. Check status privacy before redirecting to actual file.
2017-01-06 00:21:12 +01:00
parent 9f21eb6064
commit 7b9f8766e8
4 changed files with 37 additions and 2 deletions
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -10,6 +10,7 @@ class MediaController < ApplicationController
  private

  def set_media_attachment
-    @media_attachment = MediaAttachment.where.not(status_id: nil).find(params[:id])
+    @media_attachment = MediaAttachment.where.not(status_id: nil).find_by!(shortcode: params[:id])
+    raise ActiveRecord::RecordNotFound unless @media_attachment.status.permitted?(current_account)
  end
 end