SECURITY: Limit /inline-onebox to 10 URLs at a time

2025-05-31 01:17:16 +08:00 · 2024-11-26 23:04:39 +03:00
parent 6d0173c9bd
commit 416ec83ae5
6 changed files with 228 additions and 21 deletions
--- a/lib/inline_oneboxer.rb
+++ b/lib/inline_oneboxer.rb
@ -89,6 +89,18 @@ class InlineOneboxer
    nil
  end

+  def self.is_previewing?(user_id)
+    Discourse.redis.get(preview_key(user_id)) == "1"
+  end
+
+  def self.preview!(user_id)
+    Discourse.redis.setex(preview_key(user_id), 1.minute, "1")
+  end
+
+  def self.finish_preview!(user_id)
+    Discourse.redis.del(preview_key(user_id))
+  end
+
  private

  def self.onebox_for(url, title, opts)
@ -129,4 +141,8 @@ class InlineOneboxer
      author.username
    end
  end
+
+  def self.preview_key(user_id)
+    "inline-onebox:preview:#{user_id}"
+  end
 end