How to like posts from a plugin in a secure way


(David Taylor) #1

I’m working on allowing users to “like” posts via my telegram bot plugin (and eventually be able to post responses through telegram).

I have it working, but I want to make sure I’m implementing it in the right way to make sure it won’t allow users to bypass things like rate limiters.

I’ve taken post_actions_controller.rb as a reference point. From reading through the create method, it looks like all I need to do is extract this logic:

    post_action_type_id = PostActionType.types[:like]

    # actions this user has already taken on the post (a second like must be refused)
    taken = PostAction.counts_for([@post], current_user)[@post.id]

    guardian.ensure_post_can_act!(
      @post,
      PostActionType.types[post_action_type_id],
      is_warning: params[:is_warning],
      taken_actions: taken
    )

    args = {} # extra options forwarded to the action; none are needed for a plain like
    post_action = PostAction.act(current_user, @post, post_action_type_id, args)

And then for un-liking stuff I have this:

    post_action_type_id = PostActionType.types[:like]
    # @post was loaded earlier from params[:id]
    post_action = current_user.post_actions.find_by(
      post_id: params[:id].to_i,
      post_action_type_id: post_action_type_id,
      deleted_at: nil
    )
    guardian.ensure_can_delete!(post_action)
    PostAction.remove_act(current_user, @post, post_action.post_action_type_id)

Is that what I should be doing, or are there some simpler methods I can call which take care of all of the Guardian stuff?

On a related note, is there any way for my plugin to run logic whenever a “like” occurs? I can’t find a relevant DiscourseEvent, but I may be missing something.
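The security property the question is after (a second entry point such as a bot must not bypass the permission check or the rate limiter) is easiest to guarantee by giving both entry points one choke point. The following is an added example, not code from the post above or from Discourse: `FakeGuardian`, `FakeRateLimiter` and the in-memory like store are constructed stand-ins for `guardian.ensure_post_can_act!`, Discourse's rate limiter and `PostAction`, and `LikeService` is a hypothetical helper a plugin could call from both its web route and its Telegram handler.

```ruby
# Added example (not from the original post or from Discourse).
# Every caller (web controller, Telegram bot) goes through LikeService#like!,
# which runs the permission check and the rate limiter before recording anything.
require 'set'

class PermissionDenied < StandardError; end
class RateLimited < StandardError; end

# Constructed stand-in for a per-user sliding-window rate limiter.
class FakeRateLimiter
  def initialize(max:, per_seconds:)
    @max = max
    @per = per_seconds
    @hits = Hash.new { |h, k| h[k] = [] } # user_id => timestamps of recent likes
  end

  def check!(user_id, now)
    window = @hits[user_id].select { |t| now - t < @per }
    if window.size >= @max
      raise RateLimited, "user #{user_id} exceeded #{@max} likes per #{@per}s"
    end
    @hits[user_id] = window << now
  end
end

# Constructed stand-in for guardian.ensure_post_can_act!: refuses deleted posts,
# self-likes, and actions the user has already taken on the post.
class FakeGuardian
  def ensure_post_can_act!(user, post, taken)
    raise PermissionDenied, 'post is deleted' if post[:deleted]
    raise PermissionDenied, 'cannot like own post' if post[:user_id] == user[:id]
    raise PermissionDenied, 'already liked' if taken
  end
end

class LikeService
  def initialize(guardian: FakeGuardian.new,
                 limiter: FakeRateLimiter.new(max: 2, per_seconds: 60))
    @guardian = guardian
    @limiter = limiter
    @likes = Set.new # [user_id, post_id] pairs, stands in for PostAction rows
  end

  # The single choke point: permission check first, then rate limit, then record.
  def like!(user, post, now: Time.now.to_i)
    taken = liked?(user, post)
    @guardian.ensure_post_can_act!(user, post, taken)
    @limiter.check!(user[:id], now)
    @likes << [user[:id], post[:id]]
    true
  end

  # Mirrors the un-like path: only a like that exists can be removed.
  def unlike!(user, post)
    key = [user[:id], post[:id]]
    raise PermissionDenied, 'no like to remove' unless @likes.include?(key)
    @likes.delete(key)
    true
  end

  def liked?(user, post)
    @likes.include?([user[:id], post[:id]])
  end
end

if __FILE__ == $PROGRAM_NAME
  svc = LikeService.new
  alice = { id: 1 }
  post = { id: 10, user_id: 2 }
  svc.like!(alice, post, now: 0)
  begin
    svc.like!(alice, post, now: 1)
  rescue PermissionDenied => e
    puts "second like refused: #{e.message}"
  end
end
```

Because the bot handler calls the same `like!` as the web route, any check added to the helper later (a new guardian rule, a tighter limit) automatically covers both paths; the order of checks also matters, since running the permission check before the limiter means a refused action does not consume the user's rate-limit budget.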


(David Taylor) #2

After some more investigation I’ve found lib/post_action_creator which seems ideal. However, I can’t find an equivalent to “un-like” a post. Would that be PR material?