cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Use CanCanCan to control access to oauth controller actions

Browse source
This commit is contained in:
Andy Allan 2019-01-09 16:58:38 +01:00
parent bda8544d94
commit 3e49e4a62a
2 changed files with 6 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
app/abilities/ability.rb
View file

@ -15,6 +15,7 @@ class Ability
can [:search, :search_latlon, :search_ca_postcode, :search_osm_nominatim, can [:search, :search_latlon, :search_ca_postcode, :search_osm_nominatim,
:search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder :search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
can [:index, :create, :comment, :feed, :show, :search, :mine], Note can [:index, :create, :comment, :feed, :show, :search, :mine], Note
can [:token, :request_token, :access_token, :test_request], :oauth
can [:index, :show], Redaction can [:index, :show], Redaction
can [:search_all, :search_nodes, :search_ways, :search_relations], :search can [:search_all, :search_nodes, :search_ways, :search_relations], :search
can [:trackpoints], :swf can [:trackpoints], :swf
@ -28,6 +29,7 @@ class Ability
can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry
can [:new, :create, :reply, :show, :inbox, :outbox, :mark, :destroy], Message can [:new, :create, :reply, :show, :inbox, :outbox, :mark, :destroy], Message
can [:close, :reopen], Note can [:close, :reopen], Note
can [:revoke, :authorize], :oauth
can [:new, :create], Report can [:new, :create], Report
can [:mine, :new, :create, :edit, :update, :delete, :api_create, :api_read, :api_update, :api_delete, :api_data], Trace can [:mine, :new, :create, :edit, :update, :delete, :api_create, :api_read, :api_update, :api_delete, :api_data], Trace
can [:account, :go_public, :make_friend, :remove_friend, :api_details, :api_gpx_files], User can [:account, :go_public, :make_friend, :remove_friend, :api_details, :api_gpx_files], User

5
app/controllers/oauth_controller.rb
View file

@ -3,6 +3,10 @@ require "oauth/controllers/provider_controller"
class OauthController < ApplicationController class OauthController < ApplicationController
include OAuth::Controllers::ProviderController include OAuth::Controllers::ProviderController
# The ProviderController will call login_required for any action that needs
# a login, but we want to check authorization on every action.
authorize_resource :class => false
layout "site" layout "site"
def revoke def revoke
@ -19,7 +23,6 @@ class OauthController < ApplicationController
def login_required def login_required
authorize_web authorize_web
set_locale set_locale
require_user
end end
def user_authorizes_token? def user_authorizes_token?