cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fixing review comments

Browse source 
Added scoping for unredacted items, cleaned up authorization and
railsified old_node_controller.
This commit is contained in:
Matt Amos 2012-03-28 13:21:18 +01:00 committed by Tom Hughes
parent 67dd9e4c9d
commit 67182f824e
6 changed files with 72 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

12
app/controllers/application_controller.rb
View file

@ -160,6 +160,18 @@ class ApplicationController < ActionController::Base
end end
end end
##
# to be used as a before_filter *after* authorize. this checks that
# the user is a moderator and, if not, returns a forbidden error.
#
def authorize_moderator(errormessage="Access restricted to moderators")
# check user is a moderator
unless @user.moderator?
render :text => errormessage, :status => :forbidden
return false
end
end
def check_database_readable(need_api = false) def check_database_readable(need_api = false)
if STATUS == :database_offline or (need_api and STATUS == :api_offline) if STATUS == :database_offline or (need_api and STATUS == :api_offline)
redirect_to :controller => 'site', :action => 'offline' redirect_to :controller => 'site', :action => 'offline'

76
app/controllers/old_node_controller.rb
View file

@ -2,59 +2,77 @@ class OldNodeController < ApplicationController
require 'xml/libxml' require 'xml/libxml'
skip_before_filter :verify_authenticity_token skip_before_filter :verify_authenticity_token
before_filter :setup_user_auth, :only => [ :history, :version ]
before_filter :authorize, :only => [ :redact ] before_filter :authorize, :only => [ :redact ]
before_filter :authorize_moderator, :only => [ :redact ]
before_filter :require_allow_write_api, :only => [ :redact ] before_filter :require_allow_write_api, :only => [ :redact ]
before_filter :check_api_readable before_filter :check_api_readable
before_filter :check_api_writable, :only => [ :redact ] before_filter :check_api_writable, :only => [ :redact ]
before_filter :lookup_old_node, :except => [ :history ]
after_filter :compress_output after_filter :compress_output
around_filter :api_call_handle_error, :api_call_timeout around_filter :api_call_handle_error, :api_call_timeout
def history def history
# TODO - maybe a bit heavyweight to do this on every
# call, perhaps try lazy auth.
setup_user_auth
node = Node.find(params[:id].to_i) node = Node.find(params[:id].to_i)
doc = OSM::API.new.get_xml_doc doc = OSM::API.new.get_xml_doc
node.old_nodes.each do |old_node| visible_nodes = if @user and @user.moderator?
unless old_node.redacted? and (@user.nil? or not @user.moderator?) node.old_nodes
doc.root << old_node.to_xml_node else
end node.old_nodes.unredacted
end
visible_nodes.each do |old_node|
doc.root << old_node.to_xml_node
end end
render :text => doc.to_s, :content_type => "text/xml" render :text => doc.to_s, :content_type => "text/xml"
end end
def version def version
if old_node = OldNode.where(:node_id => params[:id], :version => params[:version]).first if @old_node.redacted? and (@user.nil? or not @user.moderator?)
# TODO - maybe a bit heavyweight to do this on every render :nothing => true, :status => :forbidden
# call, perhaps try lazy auth.
setup_user_auth
if old_node.redacted? and (@user.nil? or not @user.moderator?)
render :nothing => true, :status => :forbidden
else
response.last_modified = old_node.timestamp
doc = OSM::API.new.get_xml_doc
doc.root << old_node.to_xml_node
render :text => doc.to_s, :content_type => "text/xml"
end
else else
render :nothing => true, :status => :not_found
response.last_modified = @old_node.timestamp
doc = OSM::API.new.get_xml_doc
doc.root << @old_node.to_xml_node
render :text => doc.to_s, :content_type => "text/xml"
end end
end end
def redact def redact
if @user && @user.moderator? redaction_id = params['redaction']
render :nothing => true unless redaction_id.nil?
# if a redaction ID was specified, then set this node to
# be redacted in that redaction. (TODO: check that the
# user doing the redaction owns the redaction object too)
redaction = Redaction.find(redaction_id.to_i)
@old_node.redact!(redaction)
else else
render :nothing => true, :status => :forbidden # if no redaction ID was provided, then this is an unredact
# operation.
@old_node.redact!(nil)
end
# just return an empty 200 OK for success
render :nothing => true
end
private
def lookup_old_node
@old_node = OldNode.where(:node_id => params[:id], :version => params[:version]).first
if @old_node.nil?
# i want to do this
#raise OSM::APINotFoundError.new
# but i get errors, so i'm getting very fed up and doing this instead
render :nothing => true, :status => :not_found
return false
end end
end end
end end

5
app/models/old_node.rb
View file

@ -1,11 +1,14 @@
class OldNode < ActiveRecord::Base class OldNode < ActiveRecord::Base
include GeoRecord include GeoRecord
include ConsistencyValidations include ConsistencyValidations
include Redactable
self.table_name = "nodes" self.table_name = "nodes"
self.primary_keys = "node_id", "version" self.primary_keys = "node_id", "version"
# note this needs to be included after the table name changes, or
# the queries generated by Redactable will use the wrong table name.
include Redactable
validates_presence_of :changeset_id, :timestamp validates_presence_of :changeset_id, :timestamp
validates_inclusion_of :visible, :in => [ true, false ] validates_inclusion_of :visible, :in => [ true, false ]
validates_numericality_of :latitude, :longitude validates_numericality_of :latitude, :longitude

2
config/routes.rb
View file

@ -16,7 +16,7 @@ OpenStreetMap::Application.routes.draw do
match 'api/0.6/node/:id/ways' => 'way#ways_for_node', :via => :get, :id => /\d+/ match 'api/0.6/node/:id/ways' => 'way#ways_for_node', :via => :get, :id => /\d+/
match 'api/0.6/node/:id/relations' => 'relation#relations_for_node', :via => :get, :id => /\d+/ match 'api/0.6/node/:id/relations' => 'relation#relations_for_node', :via => :get, :id => /\d+/
match 'api/0.6/node/:id/history' => 'old_node#history', :via => :get, :id => /\d+/ match 'api/0.6/node/:id/history' => 'old_node#history', :via => :get, :id => /\d+/
match 'api/0.6/node/:id/:version/redact' => 'old_node#redact', :version => /\d+/, :id => /\d+/ match 'api/0.6/node/:id/:version/redact' => 'old_node#redact', :via => :post, :version => /\d+/, :id => /\d+/
match 'api/0.6/node/:id/:version' => 'old_node#version', :via => :get, :id => /\d+/, :version => /\d+/ match 'api/0.6/node/:id/:version' => 'old_node#version', :via => :get, :id => /\d+/, :version => /\d+/
match 'api/0.6/node/:id' => 'node#read', :via => :get, :id => /\d+/ match 'api/0.6/node/:id' => 'node#read', :via => :get, :id => /\d+/
match 'api/0.6/node/:id' => 'node#update', :via => :put, :id => /\d+/ match 'api/0.6/node/:id' => 'node#update', :via => :put, :id => /\d+/

7
lib/redactable.rb
View file

@ -1,6 +1,12 @@
require 'osm' require 'osm'
module Redactable module Redactable
def self.included(base)
# this is used to extend activerecord bases, as these aren't
# in scope for the module itself.
base.scope :unredacted, base.where(:redaction_id => nil)
end
def redacted? def redacted?
not self.redaction.nil? not self.redaction.nil?
end end
@ -11,5 +17,6 @@ module Redactable
# make the change # make the change
self.redaction = redaction self.redaction = redaction
self.save!
end end
end end

2
test/functional/old_node_controller_test.rb
View file

@ -193,7 +193,7 @@ class OldNodeControllerTest < ActionController::TestCase
do_redact_node(nodes(:node_with_versions_v4), do_redact_node(nodes(:node_with_versions_v4),
redactions(:example)) redactions(:example))
assert_response :forbidden, "shouldn't be OK to redact current version as moderator." assert_response :bad_request, "shouldn't be OK to redact current version as moderator."
end end
## ##