More fixes to the changeset viewer, including logged-in-ness on per-user edit lists, fix XSS potential on usernames here, and general tidyups.

2009-03-23 19:40:33 +00:00 · 2009-03-23 19:40:33 +00:00 · 7d3a5899c9
commit 7d3a5899c9
parent 677f391ec1
3 changed files with 32 additions and 27 deletions
--- a/app/controllers/changeset_controller.rb
+++ b/app/controllers/changeset_controller.rb
@ -320,24 +320,26 @@ class ChangesetController < ApplicationController
  ##
  # list edits (changesets) belonging to a user
  def list_user
-    #find user by display name	  
-    user = User.find(:first, :conditions => [ "visible = ? and display_name = ?", true, params[:display_name]])
+    user = User.find_by_display_name(params[:display_name], :conditions => {:visible => true})
    
-    conditions = nil
-    begin
-      conditions = conditions_user(user.id);
-    rescue OSM::APINotFoundError
-      
+    if user
+      @display_name = user.display_name
+      if not user.data_public? and @user != user
+        @edits = nil
+        render
+      else
+        conditions = cond_merge conditions, ['user_id = ?', user.id]
+        conditions = cond_merge conditions, conditions_nonempty
+        @edit_pages, @edits = paginate(:changesets,
+                                        :include => [:user, :changeset_tags],
+                                        :conditions => conditions,
+                                        :order => "changesets.created_at DESC",
+                                        :per_page => 20)
+      end
+    else
+      @not_found_user = params[:display_name]
+      render :template => 'user/no_such_user', :status => :not_found
    end
-    conditions = cond_merge conditions, conditions_nonempty
-    @edit_pages, @edits = paginate(:changesets,
-                                   :include => [:user, :changeset_tags],
-                                   :conditions => conditions,
-                                   :order => "changesets.created_at DESC",
-                                   :per_page => 20)
-    
-    @display_name = user.display_name
-    # FIXME needs rescues in here
  end
  
  ##
--- a/app/views/changeset/_changeset.rhtml
+++ b/app/views/changeset/_changeset.rhtml
@ -9,13 +9,13 @@
    <% else %><%= changeset.closed_at.strftime("%d %b %Y %H:%M") %><% end %>

    
-  <%if showusername==true %>  
-	  <td class="<%= cl %>">
-	  <% if changeset.user.data_public? %>
-	  	<%= link_to h(changeset.user.display_name), :controller => "user", :action => "view", :display_name => changeset.user.display_name %>
-	  <% else %>
-	  	<i>annon</i>
-	  <% end %>
+  <%if showusername %>  
+    <td class="<%= cl %>">
+    <% if changeset.user.data_public? %>
+      <%= link_to h(changeset.user.display_name), :controller => "user", :action => "view", :display_name => changeset.user.display_name %>
+    <% else %>
+      <i>Anonymous</i>
+    <% end %>
  <% end %>
    
  <td class="<%= cl %>">
--- a/app/views/changeset/list_user.rhtml
+++ b/app/views/changeset/list_user.rhtml
@ -1,6 +1,9 @@
-<h1>Edits by <%= link_to(@display_name, {:controller=>'user', :action=>'view', :display_name=>@display_name}) %></h1>
-<%= render :partial => 'changeset_paging_nav' %>
+<h1>Edits by <%= link_to(h(@display_name), {:controller=>'user', :action=>'view', :display_name=>@display_name}) %></h1>

+<% if not @edits or @edits.empty? %>
+<p><b>No visible edits by <%= h(@display_name) %>.</b></p>
+<% else %>
+<%= render :partial => 'changeset_paging_nav' %>
 <table id="keyvalue" cellpadding="3">
  <tr>
    <th>ID</th>
@ -9,7 +12,7 @@
    <th>Area</th>
    <th></th>
  </tr>
-  <%= render :partial => 'changeset', :locals => {:showusername => false},  :collection => @edits unless @edits.nil?  %>
+  <%= render :partial => 'changeset', :locals => {:showusername => false},  :collection => @edits %>
 </table>
-
 <%= render :partial => 'changeset_paging_nav' %>
+<% end %>