From b363cd65ae7d95638957fd31bca52a5d95aea38c Mon Sep 17 00:00:00 2001
From: fog
Date: Fri, 6 Dec 2024 14:49:47 -0500
Subject: [PATCH 1/4] 'embed access restriction'
---
 app/controllers/embed_controller.rb | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/app/controllers/embed_controller.rb b/app/controllers/embed_controller.rb
index b5f4bf614f..31eb71a75c 100644
--- a/app/controllers/embed_controller.rb
+++ b/app/controllers/embed_controller.rb
@@ -40,10 +40,12 @@ def openvault
 if @pbcore.proxy_start_time && params["proxy_start_time"].nil? && !media_start_time?(params)
 params["proxy_start_time"] = @pbcore.proxy_start_time
 end
- end
- response.headers.delete('X-Frame-Options')
- response.headers['Content-Security-Policy'] = 'frame-ancestors https://ov.wgbh-mla.org http://localhost:4000 http://localhost:3000;'
+ response.headers.delete('X-Frame-Options')
+ response.headers['Content-Security-Policy'] = 'frame-ancestors https://ov.wgbh-mla.org http://localhost:4000 http://localhost:3000;'
+ else
+ render status: :unauthorized, json: { error: "Unauthorized" }
+ end
 end
 def video
From 090a29eda34a4fb3fe43dcffb75fdc963928617a Mon Sep 17 00:00:00 2001
From: fog
Date: Tue, 10 Dec 2024 10:21:34 -0500
Subject: [PATCH 2/4] add correct protections for embed routes
---
 app/controllers/embed_controller.rb | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/app/controllers/embed_controller.rb b/app/controllers/embed_controller.rb
index 31eb71a75c..5a07ae2a99 100644
--- a/app/controllers/embed_controller.rb
+++ b/app/controllers/embed_controller.rb
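Review bot: `render status: :unauthorized, json: { error: "Unauthorized" }` answers a failed `can?` check (the `if` that opens this branch is above the hunk) with 401, but that check is an authorization decision rather than a missing or invalid credential, so 403 (`status: :forbidden`) describes the outcome accurately and does not invite a retry with credentials. The same status is kept as `head :unauthorized` in the lite, openvault and video hunks of PATCH 2/4, so the choice should be settled once for all three actions. If 401 is deliberate because an anonymous viewer could gain access by signing in, record that on the branch with a comment such as `# 401 on purpose: embed viewers may be unauthenticated and a login can change the answer`. The openvault method starts before this hunk.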
@@ -18,16 +18,18 @@ def lite
 raise Blacklight::Exceptions::RecordNotFound unless @document
 xml = @document['xml']
 @pbcore = PBCorePresenter.new(xml)
+
+ response.headers.delete('X-Frame-Options')
 if can? :play_embedded, @pbcore
 # can? play because we're inside this block
 if @pbcore.proxy_start_time && params["proxy_start_time"].nil? && !media_start_time?(params)
 params["proxy_start_time"] = @pbcore.proxy_start_time
 end
- end
-
- response.headers.delete('X-Frame-Options')
- render 'lite', layout: 'lite_embed'
+ render 'lite', layout: 'lite_embed'
+ else
+ head :unauthorized
+ end
 end
 def openvault
@@ -35,16 +37,17 @@ def openvault
 raise Blacklight::Exceptions::RecordNotFound unless @document
 xml = @document['xml']
 @pbcore = PBCorePresenter.new(xml)
+
+ response.headers.delete('X-Frame-Options')
+ response.headers['Content-Security-Policy'] = 'frame-ancestors https://ov.wgbh-mla.org http://localhost:4000 http://localhost:3000;'
+
 if can? :play, @pbcore
 # can? play because we're inside this block
 if @pbcore.proxy_start_time && params["proxy_start_time"].nil? && !media_start_time?(params)
 params["proxy_start_time"] = @pbcore.proxy_start_time
 end
-
- response.headers.delete('X-Frame-Options')
- response.headers['Content-Security-Policy'] = 'frame-ancestors https://ov.wgbh-mla.org http://localhost:4000 http://localhost:3000;'
 else
- render status: :unauthorized, json: { error: "Unauthorized" }
+ head :unauthorized
 end
 end
@@ -53,13 +56,17 @@ def video
 raise Blacklight::Exceptions::RecordNotFound unless @document
 xml = @document['xml']
 @pbcore = PBCorePresenter.new(xml)
+
+ response.headers.delete('X-Frame-Options')
+
 if can? :play, @pbcore
 # can? play because we're inside this block
 if @pbcore.proxy_start_time && params["proxy_start_time"].nil? && !media_start_time?(params)
 params["proxy_start_time"] = @pbcore.proxy_start_time
 end
+ else
+ head :unauthorized
 end
- response.headers.delete('X-Frame-Options')
 end
 end
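Review bot: In the lite hunk the new unconditional `response.headers.delete('X-Frame-Options')` is not paired with a `Content-Security-Policy` `frame-ancestors` directive, so both the lite embed and its `head :unauthorized` reply can be framed from any origin, whereas the openvault hunk in this patch restricts ancestors when it drops the header; the video hunk has the same gap. If any-origin framing is intended for these two actions, state the reason in a comment above the deletion, e.g. `# intentionally frameable from any origin: <reason>`; otherwise set the same `frame-ancestors` policy here, preferably through one private helper that all three actions call so the allowed-origin list lives in one place. The lite method starts before this hunk.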
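Review bot: In the openvault hunk the `X-Frame-Options` deletion and the `Content-Security-Policy` assignment now run before `if can? :play, @pbcore`, so the `head :unauthorized` response is also sent with framing relaxed, undoing the placement inside the authorized branch that PATCH 1/4 introduced; the video hunk likewise moves its header deletion above the check. Unless the embedding page needs to display the 401 inside a frame, the two header lines belong at the end of the authorized branch, so a denied request keeps the application's default framing protection. The openvault method starts before this hunk.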
From f0e35d4ed1a228131221a3428a9e309402bac069 Mon Sep 17 00:00:00 2001
From: fog
Date: Tue, 10 Dec 2024 10:24:44 -0500
Subject: [PATCH 3/4] 'rubooo'
---
 app/controllers/embed_controller.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/app/controllers/embed_controller.rb b/app/controllers/embed_controller.rb
index 5a07ae2a99..e185ed55ee 100644
--- a/app/controllers/embed_controller.rb
+++ b/app/controllers/embed_controller.rb
@@ -40,7 +40,7 @@ def openvault
 response.headers.delete('X-Frame-Options')
 response.headers['Content-Security-Policy'] = 'frame-ancestors https://ov.wgbh-mla.org http://localhost:4000 http://localhost:3000;'
-
+
 if can? :play, @pbcore
 # can? play because we're inside this block
 if @pbcore.proxy_start_time && params["proxy_start_time"].nil? && !media_start_time?(params)
@@ -67,6 +67,5 @@ def video
 else
 head :unauthorized
 end
- end
 end
From 6f07f11b67be0733321dcb10d0146e80b6629a80 Mon Sep 17 00:00:00 2001
From: fog
Date: Wed, 29 Jan 2025 13:55:44 -0500
Subject: [PATCH 4/4] 'beautiful rubo'
---
 app/controllers/embed_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/embed_controller.rb b/app/controllers/embed_controller.rb
index 6940cca67d..1088ad3c3c 100644
--- a/app/controllers/embed_controller.rb
+++ b/app/controllers/embed_controller.rb
@@ -49,7 +49,7 @@ def openvault
 else
 head :unauthorized
 end
-
+ response.headers.delete('X-Frame-Options')
 response.headers['Content-Security-Policy'] = 'frame-ancestors https://openvault.wgbh.org http://localhost:4000 http://localhost:3000;'
 end
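Review bot: The `frame-ancestors` value that the PATCH 4/4 hunk leaves in place still names `http://localhost:4000 http://localhost:3000` beside `https://openvault.wgbh.org`, so the production policy permits framing by pages served from localhost ports 4000 and 3000; those origins belong only in the development environment. Derive the list from environment-specific configuration, e.g. `ancestors = ['https://openvault.wgbh.org']` and `ancestors += ['http://localhost:4000', 'http://localhost:3000'] if Rails.env.development?`, then build the header from `ancestors.join(' ')`. Because the header is assigned after the `if`/`else`, it is also sent on the `head :unauthorized` path, which may or may not be intended. The openvault method starts before this hunk.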