mastodon/app/controllers/api/v1/statuses_controller.rb

# frozen_string_literal: true

class Api::V1::StatusesController < Api::BaseController
  include Authorization

  before_action :authorize_if_got_token, except:            [:create, :destroy]
  before_action -> { doorkeeper_authorize! :write }, only:  [:create, :destroy]
  before_action :require_user!, except:  [:show, :context, :card]
  before_action :set_status, only:       [:show, :context, :card]

  respond_to :json

  def show
    cached  = Rails.cache.read(@status.cache_key)
    @status = cached unless cached.nil?
    render json: @status, serializer: REST::StatusSerializer
  end

  def context
    ancestors_results   = @status.in_reply_to_id.nil? ? [] : @status.ancestors(current_account)
    descendants_results = @status.descendants(current_account)
    loaded_ancestors    = cache_collection(ancestors_results, Status)
    loaded_descendants  = cache_collection(descendants_results, Status)

    @context = Context.new(ancestors: loaded_ancestors, descendants: loaded_descendants)
    statuses = [@status] + @context.ancestors + @context.descendants

    render json: @context, serializer: REST::ContextSerializer, relationships: StatusRelationshipsPresenter.new(statuses, current_user&.account_id)
  end

  def card
    @card = @status.preview_cards.first

    if @card.nil?
      render_empty
    else
      render json: @card, serializer: REST::PreviewCardSerializer
    end
  end

  def create
    @status = PostStatusService.new.call(current_user.account,
                                         status_params[:status],
                                         status_params[:in_reply_to_id].blank? ? nil : Status.find(status_params[:in_reply_to_id]),
                                         media_ids: status_params[:media_ids],
                                         sensitive: status_params[:sensitive],
                                         spoiler_text: status_params[:spoiler_text],
                                         visibility: status_params[:visibility],
                                         application: doorkeeper_token.application,
                                         idempotency: request.headers['Idempotency-Key'])

    render json: @status, serializer: REST::StatusSerializer
  end

  def destroy
    @status = Status.where(account_id: current_user.account).find(params[:id])
    authorize @status, :destroy?

    RemovalWorker.perform_async(@status.id)

    render_empty
  end

  private

  def set_status
    @status = Status.find(params[:id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
    # Reraise in order to get a 404 instead of a 403 error code
    raise ActiveRecord::RecordNotFound
  end

  def status_params
    params.permit(:status, :in_reply_to_id, :sensitive, :spoiler_text, :visibility, media_ids: [])
  end

  def pagination_params(core_params)
    params.permit(:limit).merge(core_params)
  end

  def authorize_if_got_token
    request_token = Doorkeeper::OAuth::Token.from_request(request, *Doorkeeper.configuration.access_token_methods)
    doorkeeper_authorize! :read if request_token
  end
end
Fix rubocop issues, introduce usage of frozen literal to improve performance 2016-11-15 16:56:29 +01:00			`# frozen_string_literal: true`

Clean up for api/base controller (#3629) * Move ApiController to Api/BaseController * API controllers inherit from Api::BaseController * Add coverage for various error cases in api/base controller 2017-06-07 20:09:25 +02:00			`class Api::V1::StatusesController < Api::BaseController`
Extract authorization policy for viewing statuses (#3150) 2017-05-29 18:22:22 +02:00			`include Authorization`

Move create/destroy actions for api/v1/statuses to namespace (#3678) Each of mute, favourite, reblog has been updated to: - Have a separate controller with just a create and destroy action - Preserve historical route names to not break the API - Mild refactoring to break up long methods 2017-06-10 09:39:26 +02:00			`before_action :authorize_if_got_token, except: [:create, :destroy]`
			`before_action -> { doorkeeper_authorize! :write }, only: [:create, :destroy]`
Move reblogged_by and favourited_by actions out of api/v1/statuses and into unique controllers (#3646) * Add specs for api statuses routes * Update favourited_by and reblogged_by api routes * Move methods into new controllers * Use load_accounts methods to simplify index actions * Clean up load_accounts methods * Clean up link header generation * Check for link headers in specs * Remove unused actions from api/v1/statuses controller * Remove specs for moved actions 2017-06-09 20:12:40 +02:00			`before_action :require_user!, except: [:show, :context, :card]`
Move create/destroy actions for api/v1/statuses to namespace (#3678) Each of mute, favourite, reblog has been updated to: - Have a separate controller with just a create and destroy action - Preserve historical route names to not break the API - Mild refactoring to break up long methods 2017-06-10 09:39:26 +02:00			`before_action :set_status, only: [:show, :context, :card]`
Fix reblogged/favourited caching; add API endpoints for who favd/reblogged status 2016-11-03 14:50:22 +01:00
			`respond_to :json`
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth. 2016-03-07 12:42:33 +01:00
			`def show`
Cache accounts/:id/statuses and single statuses too 2016-11-23 18:56:30 +01:00			`cached = Rails.cache.read(@status.cache_key)`
			`@status = cached unless cached.nil?`
Refactor JSON templates to be generated with ActiveModelSerializers instead of Rabl (#4090) 2017-07-07 04:02:06 +02:00			`render json: @status, serializer: REST::StatusSerializer`
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth. 2016-03-07 12:42:33 +01:00			`end`

Setting up preliminary "detailed" routes in the UI, new API end-point for fetching status context 2016-09-16 00:21:51 +02:00			`def context`
Removing failed push notification API, make context loads use cache 2017-02-05 17:51:44 +01:00			`ancestors_results = @status.in_reply_to_id.nil? ? [] : @status.ancestors(current_account)`
			`descendants_results = @status.descendants(current_account)`
			`loaded_ancestors = cache_collection(ancestors_results, Status)`
			`loaded_descendants = cache_collection(descendants_results, Status)`

Refactor JSON templates to be generated with ActiveModelSerializers instead of Rabl (#4090) 2017-07-07 04:02:06 +02:00			`@context = Context.new(ancestors: loaded_ancestors, descendants: loaded_descendants)`
			`statuses = [@status] + @context.ancestors + @context.descendants`
Moving some counter queries out of subqueries in the API 2016-11-22 22:59:54 +01:00
Refactor JSON templates to be generated with ActiveModelSerializers instead of Rabl (#4090) 2017-07-07 04:02:06 +02:00			`render json: @context, serializer: REST::ContextSerializer, relationships: StatusRelationshipsPresenter.new(statuses, current_user&.account_id)`
Setting up preliminary "detailed" routes in the UI, new API end-point for fetching status context 2016-09-16 00:21:51 +02:00			`end`

Fix #463 - Fetch and display previews of URLs using OpenGraph tags 2017-01-20 01:00:14 +01:00			`def card`
Make PreviewCard records reuseable between statuses (#4642) * Make PreviewCard records reuseable between statuses Warning! Migration truncates preview_cards tablec * Allow a wider thumbnail for link preview, display it in horizontal layout (#4648) * Delete preview cards files before truncating * Rename old table instead of truncating it * Add mastodon:maintenance:remove_deprecated_preview_cards * Ignore deprecated_preview_cards in schema definition * Fix null behaviour 2017-09-01 16:20:16 +02:00			`@card = @status.preview_cards.first`
Refactor JSON templates to be generated with ActiveModelSerializers instead of Rabl (#4090) 2017-07-07 04:02:06 +02:00
			`if @card.nil?`
			`render_empty`
			`else`
			`render json: @card, serializer: REST::PreviewCardSerializer`
			`end`
Fix #463 - Fetch and display previews of URLs using OpenGraph tags 2017-01-20 01:00:14 +01:00			`end`

Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth. 2016-03-07 12:42:33 +01:00			`def create`
Fix #2402 - Add Idempotency-Key header to PostStatusService that prevents (#2419) duplicates. Web UI regenerates UUID for that header every time the compose form is changed or successfully submitted Also, fix Farsi i18n overwriting the English one 2017-04-25 15:04:49 +02:00			`@status = PostStatusService.new.call(current_user.account,`
			`status_params[:status],`
			`status_params[:in_reply_to_id].blank? ? nil : Status.find(status_params[:in_reply_to_id]),`
			`media_ids: status_params[:media_ids],`
			`sensitive: status_params[:sensitive],`
			`spoiler_text: status_params[:spoiler_text],`
			`visibility: status_params[:visibility],`
			`application: doorkeeper_token.application,`
			`idempotency: request.headers['Idempotency-Key'])`

Refactor JSON templates to be generated with ActiveModelSerializers instead of Rabl (#4090) 2017-07-07 04:02:06 +02:00			`render json: @status, serializer: REST::StatusSerializer`
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth. 2016-03-07 12:42:33 +01:00			`end`

Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API 2016-09-26 23:55:21 +02:00			`def destroy`
			`@status = Status.where(account_id: current_user.account).find(params[:id])`
Add status destroy authorization to policy (#3453) * Add status destroy authorization to policy * Create explicit unreblog status authorization 2017-05-30 22:56:31 +02:00			`authorize @status, :destroy?`

Delete statuses asynchronously but provide instant feedback in the API 2016-11-29 15:32:25 +01:00			`RemovalWorker.perform_async(@status.id)`
Add status destroy authorization to policy (#3453) * Add status destroy authorization to policy * Create explicit unreblog status authorization 2017-05-30 22:56:31 +02:00
Replace logo, fix #57 - delete/unreblog/unfavourite API, fix #45 - app registration API 2016-09-26 23:55:21 +02:00			`render_empty`
			`end`

Fix reblogged/favourited caching; add API endpoints for who favd/reblogged status 2016-11-03 14:50:22 +01:00			`private`

			`def set_status`
			`@status = Status.find(params[:id])`
Extract authorization policy for viewing statuses (#3150) 2017-05-29 18:22:22 +02:00			`authorize @status, :show?`
			`rescue Mastodon::NotPermittedError`
			`# Reraise in order to get a 404 instead of a 403 error code`
			`raise ActiveRecord::RecordNotFound`
Fix reblogged/favourited caching; add API endpoints for who favd/reblogged status 2016-11-03 14:50:22 +01:00			`end`
Fix ActionController::Parameters in API issue 2017-04-04 01:33:34 +02:00
			`def status_params`
			`params.permit(:status, :in_reply_to_id, :sensitive, :spoiler_text, :visibility, media_ids: [])`
			`end`
Make public timelines API not require user context/app credentials (#1291) * Make /api/v1/timelines/public and /api/v1/timelines/tag/:id public Fix #1156 - respect query params when generating pagination links in API * Apply pagination fix to more APIs 2017-04-08 23:39:31 +02:00
			`def pagination_params(core_params)`
			`params.permit(:limit).merge(core_params)`
			`end`
Remove API authentication for public statuses (after review) (#1919) 2017-04-18 21:58:57 +02:00
			`def authorize_if_got_token`
			`request_token = Doorkeeper::OAuth::Token.from_request(request, *Doorkeeper.configuration.access_token_methods)`
			`doorkeeper_authorize! :read if request_token`
			`end`
Adding doorkeeper, adding a REST API POST /api/statuses Params: status (text contents), in_reply_to_id (optional) GET /api/statuses/:id POST /api/statuses/:id/reblog GET /api/accounts/:id GET /api/accounts/:id/following GET /api/accounts/:id/followers POST /api/accounts/:id/follow POST /api/accounts/:id/unfollow POST /api/follows Params: uri (e.g. user@domain) OAuth authentication is currently disabled, but the API can be used with HTTP Auth. 2016-03-07 12:42:33 +01:00			`end`