Cross origin request from plugin

Hi all, my plugin:
https://github.com/abyrnedesign/discourse-json-follow-list

is working a treat in the local environment. But I have an issue when trying to request the same feed from another domain. It does not fail but responds with HTML “page does not exist or is private”.

CORS is set up correctly and I’m not getting refused domain errors; there is a private content issue, it seems.

lil help?

More info here. The log response from a cross-domain request:

Processing by JsonFollowList::FollowingController#topics as */*
7:53 am
Parameters: {"uid"=>"5", "start"=>"0", "total"=>"10", "tid"=>"4,3"}
7:53 am
(1.0ms) SELECT "groups"."id", "groups"."name" FROM "groups" ORDER BY "groups"."name" ASC
7:53 am
Category Load (2.0ms) SELECT categories.*, t.slug topic_slug FROM "categories" LEFT JOIN topics t on t.id = categories.topic_id WHERE (NOT categories.read_restricted) ORDER BY "categories"."positi
7:53 am
PostActionType Load (1.2ms) SELECT "post_action_types".* FROM "post_action_types" ORDER BY position asc
7:53 am
PostActionType Load (2.4ms) SELECT "post_action_types".* FROM "post_action_types" WHERE "post_action_types"."name_key" IN ('inappropriate', 'spam', 'notify_moderators') ORDER BY position asc
7:53 am
UserField Load (1.9ms) SELECT "user_fields".* FROM "user_fields"
7:53 am
SiteCustomization Load (1.2ms) SELECT "site_customizations".* FROM "site_customizations" WHERE "site_customizations"."enabled" = 't' ORDER BY "site_customizations"."name" ASC [["enabled", true]]
7:53 am
CACHE (0.0ms) SELECT "site_customizations".* FROM "site_customizations" WHERE "site_customizations"."enabled" = 't' ORDER BY "site_customizations"."name" ASC [["enabled", true]]
7:53 am
Topic Load (1.4ms) SELECT "topics".* FROM "topics" WHERE ("topics"."deleted_at" IS NULL) AND "topics"."archetype" = 'banner' ORDER BY "topics"."id" ASC LIMIT 1 [["archetype", "banner"]]
7:53 am
Rendered default/empty.html.erb within layouts/application (0.2ms)
7:53 am

Everything kicks along fine till Discourse renders the empty template with no reasoning as to why. I assume it's something to do with permissions.

Well that was easy…

https://github.com/abyrnedesign/discourse-json-follow-list/commit/d32ecf780497e64a5e6fc65d09394fdaf706e4bf

Added 2 checks from the application controller.

skip_before_filter :check_xhr #allow API requests
before_filter :ensure_logged_in #or just check the users logged in

skip_before_filter :check_xhr ← does as it says.
Looks for an XHR request and requires an API key; skips any other checks if found.

before_filter :ensure_logged_in ← another brilliant function name.
Looks for a user login.

Close it up @codinghorror !

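The filter change described in this thread, as an added example (not code from the plugin or from Discourse): a simplified Ruby model of a before-filter chain. The filter bodies are assumptions chosen to match the log above, where a request processed as `*/*` ended in `default/empty.html.erb`; `Request`, `dispatch` and the chain constants are hypothetical names.

```ruby
# Simplified model of a Rails before-filter chain. Constructed for
# illustration; the filter bodies are assumptions, not Discourse source.
Request = Struct.new(:accept, :xhr, :current_user)

FILTERS = {
  # Assumed behaviour: a request that is neither XHR nor JSON gets the
  # empty HTML shell instead of reaching the action.
  check_xhr: lambda do |req|
    :empty_page unless req.xhr || req.accept.include?("application/json")
  end,
  # Assumed behaviour: reject any request without an authenticated user.
  ensure_logged_in: lambda do |req|
    :not_logged_in if req.current_user.nil?
  end
}.freeze

# Run the filters in order. The first filter that returns a value halts the
# chain; if none halts, the action runs and returns the JSON feed.
def dispatch(chain, req)
  chain.each do |name|
    halted = FILTERS.fetch(name).call(req)
    return halted if halted
  end
  :topics_json
end

DEFAULT_CHAIN = [:check_xhr].freeze
# The plugin's change: skip check_xhr, add ensure_logged_in.
PLUGIN_CHAIN = (DEFAULT_CHAIN - [:check_xhr] + [:ensure_logged_in]).freeze

# Constructed requests. The cross-origin ones mirror the log line "as */*".
def scenario_outcomes
  cross_origin_user = Request.new("*/*", false, "user-5")
  cross_origin_anon = Request.new("*/*", false, nil)
  {
    before_fix: dispatch(DEFAULT_CHAIN, cross_origin_user),
    after_fix_logged_in: dispatch(PLUGIN_CHAIN, cross_origin_user),
    after_fix_anonymous: dispatch(PLUGIN_CHAIN, cross_origin_anon)
  }
end

scenario_outcomes.each { |name, result| puts "#{name}: #{result}" }
```

With `check_xhr` skipped, `ensure_logged_in` is the only gate left in this model, so the anonymous case is the one to keep under test when changing the controller.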