More fixes to the changeset viewer, including logged-in-ness on per-user edit lists, fix XSS potential on usernames here, and general tidyups.

2009-03-23 19:40:33 +00:00 · 2009-03-23 19:40:33 +00:00 · 7d3a5899c9
commit 7d3a5899c9
parent 677f391ec1
3 changed files with 32 additions and 27 deletions
--- a/app/controllers/changeset_controller.rb
+++ b/app/controllers/changeset_controller.rb
@ -320,24 +320,26 @@ class ChangesetController < ApplicationController
  ##
  # list edits (changesets) belonging to a user
  def list_user
-    #find user by display name	  
+    user = User.find_by_display_name(params[:display_name], :conditions => {:visible => true})
    user = User.find(:first, :conditions => [ "visible = ? and display_name = ?", true, params[:display_name]])
-    conditions = nil
+    if user
-    begin
+      @display_name = user.display_name
-      conditions = conditions_user(user.id);
+      if not user.data_public? and @user != user
-    rescue OSM::APINotFoundError
+        @edits = nil
-      
+        render
      else
        conditions = cond_merge conditions, ['user_id = ?', user.id]
        conditions = cond_merge conditions, conditions_nonempty
        @edit_pages, @edits = paginate(:changesets,
                                        :include => [:user, :changeset_tags],
                                        :conditions => conditions,
                                        :order => "changesets.created_at DESC",
                                        :per_page => 20)
      end
    else
      @not_found_user = params[:display_name]
      render :template => 'user/no_such_user', :status => :not_found
    end
    conditions = cond_merge conditions, conditions_nonempty
    @edit_pages, @edits = paginate(:changesets,
                                   :include => [:user, :changeset_tags],
                                   :conditions => conditions,
                                   :order => "changesets.created_at DESC",
                                   :per_page => 20)
    @display_name = user.display_name
    # FIXME needs rescues in here
  end
  ##
--- a/app/views/changeset/_changeset.rhtml
+++ b/app/views/changeset/_changeset.rhtml
@ -9,13 +9,13 @@
    <% else %><%= changeset.closed_at.strftime("%d %b %Y %H:%M") %><% end %>
-  <%if showusername==true %>  
+  <%if showusername %>  
-	  <td class="<%= cl %>">
+    <td class="<%= cl %>">
-	  <% if changeset.user.data_public? %>
+    <% if changeset.user.data_public? %>
-	  	<%= link_to h(changeset.user.display_name), :controller => "user", :action => "view", :display_name => changeset.user.display_name %>
+      <%= link_to h(changeset.user.display_name), :controller => "user", :action => "view", :display_name => changeset.user.display_name %>
-	  <% else %>
+    <% else %>
-	  	<i>annon</i>
+      <i>Anonymous</i>
-	  <% end %>
+    <% end %>
  <% end %>
  <td class="<%= cl %>">
--- a/app/views/changeset/list_user.rhtml
+++ b/app/views/changeset/list_user.rhtml
@ -1,6 +1,9 @@
-<h1>Edits by <%= link_to(@display_name, {:controller=>'user', :action=>'view', :display_name=>@display_name}) %></h1>
+<h1>Edits by <%= link_to(h(@display_name), {:controller=>'user', :action=>'view', :display_name=>@display_name}) %></h1>
 <%= render :partial => 'changeset_paging_nav' %>
 <% if not @edits or @edits.empty? %>
 <p><b>No visible edits by <%= h(@display_name) %>.</b></p>
 <% else %>
 <%= render :partial => 'changeset_paging_nav' %>
 <table id="keyvalue" cellpadding="3">
  <tr>
    <th>ID</th>
@ -9,7 +12,7 @@
    <th>Area</th>
    <th></th>
  </tr>
-  <%= render :partial => 'changeset', :locals => {:showusername => false},  :collection => @edits unless @edits.nil?  %>
+  <%= render :partial => 'changeset', :locals => {:showusername => false},  :collection => @edits %>
 </table>
 <%= render :partial => 'changeset_paging_nav' %>
 <% end %>