This way we'll add an extra layer of protection from attacks that might cause our application to redirect to an external host. There's one place where we're allowing redirects to external hosts, though: administrators can link external resources in notifications, and we're redirecting to them after marking the notification as read. Since the tests for the remote translations controller were (accidentally) using an external redirect, we're updating them to use a relative URL.
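class NotificationsController < ApplicationController
  before_action :authenticate_user!
  skip_authorization_check

  respond_to :html, :js

  # Unread notifications belonging to the signed-in user.
  def index
    @notifications = current_user.notifications.unread
  end

  # Marks the notification as read, then sends the user on to the resource it
  # links to.
  #
  # The lookup goes through `current_user.notifications`, so a user can only
  # reach (and be redirected by) their own notifications; a foreign id raises
  # ActiveRecord::RecordNotFound. The off-host redirect opt-out is granted only
  # for admin-authored links (see #admin_link?); every other branch of
  # #linkable_resource_path resolves to a local path, so it does not need it.
  def show
    @notification = current_user.notifications.find(params[:id])
    @notification.mark_as_read
    redirect_to linkable_resource_path(@notification),
                allow_other_host: admin_link?(@notification)
  end

  # Notifications the signed-in user has already read.
  def read
    @notifications = current_user.notifications.read
  end

  # Marks every unread notification of the signed-in user as read and returns
  # to the notifications index (a local path, so no host opt-out is needed).
  def mark_all_as_read
    current_user.notifications.unread.each(&:mark_as_read)
    redirect_to notifications_path
  end

  # Marks a single notification as read; rendered via the :js responder.
  def mark_as_read
    @notification = current_user.notifications.find(params[:id])
    @notification.mark_as_read
  end

  # Marks a single notification as unread; rendered via the :js responder.
  def mark_as_unread
    @notification = current_user.notifications.find(params[:id])
    @notification.mark_as_unread
  end

  private

  # Destination for a notification once it has been read.
  #
  # Admin notifications may carry a link chosen by an administrator, which is
  # the one place this controller deliberately allows an external destination
  # (falling back to the notifications index when no link is set). All other
  # linkable resources are routed through polymorphic_path and stay on this
  # host.
  #
  # @param notification [Notification]
  # @return [String] a path or URL to redirect to
  def linkable_resource_path(notification)
    if admin_link?(notification)
      notification.linkable_resource.link || notifications_path
    else
      polymorphic_path(notification.linkable_resource)
    end
  end

  # True when the notification points at an AdminNotification — the only
  # resource type whose link may legitimately live on another host. The class
  # check is intentional here: it is the boundary that decides whether the
  # redirect may leave this application.
  #
  # @param notification [Notification]
  # @return [Boolean]
  def admin_link?(notification)
    notification.linkable_resource.is_a?(AdminNotification)
  end
end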