Internal oneboxing does not work on topics in private categories

(Matthieu) #1

When we copy/paste an internal link (to another post/topic) on our Discourse instance (1.2.0.beta6), it does not show the nice onebox as it should and does here:

This bug only appears on internal references, all other combinations seem to work well.

I did not see any particular option in the admin panel nor warning in /admin/logs.

Do you have any idea where it could come from?

(Dean Taylor) #2

I’ve experienced this somewhat randomly - from ~1.2.0.beta4 (maybe earlier)

I’ve not managed to write a clear step by step process to reproduce.

It may be related to category permissions - but I can’t be sure - as when it’s happened for me I’ve always been logged in as admin.

(cpradio) #3

I know it definitely doesn’t onebox posts that are in a private category (and that is desired).

(Dean Taylor) #4

The problem is (for me) - the majority of one of my forum categories is “private” as you put it… but really it’s just an “approved members”.
Members go through an approval process to get access to the vast majority of categories.

(cpradio) #5

Right, but if it were to onebox them, you’d potentially be showing conversations outside of a private area (that’d be bad). The only way to rectify this is to make the onebox know about topics and the categories they are in, so that a link pasted inside its own private category could be oneboxed. That just doesn’t logically make sense though.

(Matthieu) #6

Oh right, it is indeed with private topics that this behavior appears.

Thanks for the insight.

BTW, onebox could be allowed for private topics while they are in the same category, yet it is maybe not trivial to do so.

(cpradio) #7

From what I understand onebox acts like a service, receives the link and calls it, grabs the content sent back and then sends it back to the caller. On private topics, it doesn’t have access to the content that the URL resolves to, thus nothing gets returned.

To make it work, onebox would have to have some sort of permission or impersonate the user who posted the link (and that sounds like a really bad idea – as it could likely get abused).

(Kane York) #8

Yep, the oneboxer acts like an outsider, an anonymous user, so nothing gets internally boxed on a “login required to view” forum. (Every URL it tries, it gets back the “please log in” page.)

(Michael Marner) #9

Sorry for bumping an old discussion, but I was coming to report a bug. Essentially, Onebox does not work at all for internal links if Discourse is configured as a private forum.

I assumed that Onebox would be querying the server with the same authentication as the rest of the Discourse client, but this is not the case. Is this a deliberate design decision? Why can’t Onebox use the same authentication as the rest of Discourse?

At the moment, if you paste a link to an internal Discourse post, say

Onebox will link to it fine, but the text for the link will just be, which is no information at all for the user.

The linked topics off to the right at least show the name of the topic linked, Onebox doesn’t give any information. There must be a more graceful way of failing than just displaying the domain name from the link.

(Arpit Jalan) #10

This is incorrect.

Oneboxing does work for private Discourse forums as long as the topic/post you are linking to is not in a read restricted category.

However there is a known bug specific to Discourse hosted private instances which I am looking into.

(Michael Marner) #11

OK, I am being affected by the bug you have linked to. I don’t understand the distinction of private hosted instances though.

(Jeff Atwood) #12

As in, hosted by us, you pay us for hosting.

(Joshua Rosenfeld) #13

Bumping this, as I am a bit confused. I just posted in a category restricted to mods and admins, and included a link to another topic in the same category, and it did not onebox. I understand the concern about oneboxing the topic link if I posted it in a non-private category, but within the same category I feel that the oneboxing should work…

(Jeff Atwood) #14

The oneboxer always makes anonymous HTTP requests. Anything not visible to an anonymous user won’t onebox.

(Régis Hanol) #15

Self-oneboxing in read protected categories should work now :banana:
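
The rule argued over in this thread, written out as an added example (not Discourse source code and not taken from any post above): expand an internal link only when the target is readable by an anonymous visitor, or when the target sits in the same category as the post that links to it, so no reader of the post sees a preview they could not open themselves. The `Category`/`Topic` structs, `onebox_allowed?`, `render_link`, the `login_required` flag and the sample data are all hypothetical names constructed for the illustration.

```ruby
# Added illustration; hypothetical names, constructed sample data.
Category = Struct.new(:id, :name, :read_restricted)
Topic    = Struct.new(:id, :title, :category)

PUBLIC  = Category.new(1, "General", false)
STAFF   = Category.new(2, "Staff", true)
MEMBERS = Category.new(3, "Approved members", true)

TOPICS = {
  10 => Topic.new(10, "Welcome", PUBLIC),
  20 => Topic.new(20, "Moderation notes", STAFF),
  30 => Topic.new(30, "Member introductions", MEMBERS)
}.freeze

# May a link to target_topic be expanded inside a post that lives in
# posting_category? The decision depends on who can read the *post*,
# never on the privileges of the user who pasted the link.
def onebox_allowed?(target_topic, posting_category, login_required: false)
  return false if target_topic.nil?

  # Same category: everyone who can read the post can already read the target.
  return true if target_topic.category.id == posting_category.id

  # Different category: fall back to the anonymous view. On a login-required
  # site an anonymous visitor sees nothing, so nothing is expanded.
  !login_required && !target_topic.category.read_restricted
end

# Fail closed: when expansion is not allowed, emit only the bare URL so the
# topic title and category name are not disclosed.
def render_link(url, topic_id, posting_category, login_required: false)
  topic = TOPICS[topic_id]
  if onebox_allowed?(topic, posting_category, login_required: login_required)
    "[onebox] #{topic.title} (#{topic.category.name})"
  else
    url
  end
end

puts render_link("https://forum.example/t/20", 20, STAFF)   # expanded
puts render_link("https://forum.example/t/20", 20, PUBLIC)  # bare link
```

A stored preview is only as safe as the category it was rendered for, so a design like this has to re-render the post when either topic is moved to another category.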

(Jeff Atwood) #16