Fixing review comments

Added scoping for unredacted items, cleaned up authorization and
railsified old_node_controller.
Matt Amos 2012-03-28 13:21:18 +01:00 committed by Tom Hughes
parent 67dd9e4c9d
commit 67182f824e
6 changed files with 72 additions and 32 deletions


@ -160,6 +160,18 @@ class ApplicationController < ActionController::Base
end
end
##
# to be used as a before_filter *after* authorize. this checks that
# the user is a moderator and, if not, returns a forbidden error.
#
def authorize_moderator(errormessage="Access restricted to moderators")
# check user is a moderator
unless @user.moderator?
render :text => errormessage, :status => :forbidden
return false
end
end
def check_database_readable(need_api = false)
if STATUS == :database_offline or (need_api and STATUS == :api_offline)
redirect_to :controller => 'site', :action => 'offline'


@ -2,59 +2,77 @@ class OldNodeController < ApplicationController
require 'xml/libxml'
skip_before_filter :verify_authenticity_token
before_filter :setup_user_auth, :only => [ :history, :version ]
before_filter :authorize, :only => [ :redact ]
before_filter :authorize_moderator, :only => [ :redact ]
before_filter :require_allow_write_api, :only => [ :redact ]
before_filter :check_api_readable
before_filter :check_api_writable, :only => [ :redact ]
before_filter :lookup_old_node, :except => [ :history ]
after_filter :compress_output
around_filter :api_call_handle_error, :api_call_timeout
def history
# TODO - maybe a bit heavyweight to do this on every
# call, perhaps try lazy auth.
setup_user_auth
node = Node.find(params[:id].to_i)
doc = OSM::API.new.get_xml_doc
node.old_nodes.each do |old_node|
unless old_node.redacted? and (@user.nil? or not @user.moderator?)
doc.root << old_node.to_xml_node
end
visible_nodes = if @user and @user.moderator?
node.old_nodes
else
node.old_nodes.unredacted
end
visible_nodes.each do |old_node|
doc.root << old_node.to_xml_node
end
render :text => doc.to_s, :content_type => "text/xml"
end
def version
if old_node = OldNode.where(:node_id => params[:id], :version => params[:version]).first
# TODO - maybe a bit heavyweight to do this on every
# call, perhaps try lazy auth.
setup_user_auth
if old_node.redacted? and (@user.nil? or not @user.moderator?)
render :nothing => true, :status => :forbidden
else
response.last_modified = old_node.timestamp
doc = OSM::API.new.get_xml_doc
doc.root << old_node.to_xml_node
render :text => doc.to_s, :content_type => "text/xml"
end
if @old_node.redacted? and (@user.nil? or not @user.moderator?)
render :nothing => true, :status => :forbidden
else
render :nothing => true, :status => :not_found
response.last_modified = @old_node.timestamp
doc = OSM::API.new.get_xml_doc
doc.root << @old_node.to_xml_node
render :text => doc.to_s, :content_type => "text/xml"
end
end
def redact
if @user && @user.moderator?
render :nothing => true
redaction_id = params['redaction']
unless redaction_id.nil?
# if a redaction ID was specified, then set this node to
# be redacted in that redaction. (TODO: check that the
# user doing the redaction owns the redaction object too)
redaction = Redaction.find(redaction_id.to_i)
@old_node.redact!(redaction)
else
render :nothing => true, :status => :forbidden
# if no redaction ID was provided, then this is an unredact
# operation.
@old_node.redact!(nil)
end
# just return an empty 200 OK for success
render :nothing => true
end
private
def lookup_old_node
@old_node = OldNode.where(:node_id => params[:id], :version => params[:version]).first
if @old_node.nil?
# i want to do this
#raise OSM::APINotFoundError.new
# but i get errors, so i'm getting very fed up and doing this instead
render :nothing => true, :status => :not_found
return false
end
end
end
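Review bot: history still calls setup_user_auth explicitly (with the "maybe a bit heavyweight" TODO above it) even though the new `before_filter :setup_user_auth, :only => [ :history, :version ]` already runs it for this action, so the auth lookup happens twice per request; the TODO comment and the call can be dropped, as the commit already did for version. The ownership TODO in redact is also left open: `Redaction.find(redaction_id.to_i)` lets any moderator attach an old node to any redaction, and if the Redaction model carries an owner (not visible here) the lookup should be scoped to the current user's redactions, with a 403 when it is not theirs. Whether `unredacted` excludes exactly the versions that `redacted?` reports cannot be confirmed from this page, since the scope is defined on the model, so the two should be checked for agreement.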