Merge branch 'master' into feature/add-communities-page

# Conflicts: # Gemfile.lock # package.json # yarn.lock
2022-09-10 16:10:08 +01:00 · 2022-09-10 16:10:08 +01:00 · 7e5cbe87ed
commit 7e5cbe87ed
parent 4a6e7b7815 9cd96bd452
527 changed files with 147625 additions and 149175 deletions
--- a/config/initializers/action_mailer.rb
+++ b/config/initializers/action_mailer.rb
@ -7,6 +7,7 @@ ActionMailer::Base.smtp_settings = {
  :port => Settings.smtp_port,
  :domain => Settings.smtp_domain,
  :enable_starttls_auto => Settings.smtp_enable_starttls_auto,
+  :openssl_verify_mode => Settings.smtp_tls_verify_mode,
  :authentication => Settings.smtp_authentication,
  :user_name => Settings.smtp_user_name,
  :password => Settings.smtp_password
--- a/config/initializers/brotli.rb
+++ b/config/initializers/brotli.rb
@ -0,0 +1,3 @@
+Rails.application.config.assets.configure do |env|
+  env.register_exporter %w[text/* application/javascript application/json application/xml image/x-icon image/svg+xml], Sprockets::ExportersPack::BrotliExporter
+end
--- a/config/initializers/config.rb
+++ b/config/initializers/config.rb
@ -2,7 +2,7 @@
 # Otherwise, admins might not be aware that they are now silently ignored
 # and major problems could occur
 # rubocop:disable Rails/Output, Rails/Exit
-if File.exist?(Rails.root.join("config/application.yml"))
+if Rails.root.join("config/application.yml").exist?
  puts "The config/application.yml file is no longer supported."
  puts ""
  puts "Default settings are now found in config/settings.yml and you"
@ -74,9 +74,13 @@ Config.setup do |config|
    required(:max_note_request_area).filled(:number?)
    required(:tracepoints_per_page).filled(:int?)
    required(:max_number_of_way_nodes).filled(:int?)
+    required(:max_number_of_relation_members).filled(:int?)
    required(:api_timeout).filled(:int?)
    required(:imagery_blacklist).maybe(:array?)
    required(:status).filled(:str?, :included_in? => ALLOWED_STATUS)
-    required(:storage_service).filled(:str?)
+    required(:avatar_storage).filled(:str?)
+    required(:trace_file_storage).filled(:str?)
+    required(:trace_image_storage).filled(:str?)
+    required(:trace_icon_storage).filled(:str?)
  end
 end
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@ -4,27 +4,23 @@
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

-# Rails.application.config.content_security_policy do |policy|
-#   policy.default_src :self, :https
-#   policy.font_src    :self, :https, :data
-#   policy.img_src     :self, :https, :data
-#   policy.object_src  :none
-#   policy.script_src  :self, :https
-#   policy.style_src   :self, :https
-#   # If you are using webpack-dev-server then specify webpack-dev-server host
-#   policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
-
-#   # Specify URI for violation reports
-#   # policy.report_uri "/csp-violation-report-endpoint"
+# Rails.application.configure do
+#   config.content_security_policy do |policy|
+#     policy.default_src :self, :https
+#     policy.font_src    :self, :https, :data
+#     policy.img_src     :self, :https, :data
+#     policy.object_src  :none
+#     policy.script_src  :self, :https
+#     policy.style_src   :self, :https
+#     # Specify URI for violation reports
+#     # policy.report_uri "/csp-violation-report-endpoint"
+#   end
+#
+#   # Generate session nonces for permitted importmap and inline scripts
+#   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+#   config.content_security_policy_nonce_directives = %w(script-src)
+#
+#   # Report CSP violations to a specified URI. See:
+#   # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+#   # config.content_security_policy_report_only = true
 # end
-
-# If you are using UJS then enable automatic nonce generation
-# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
-
-# Set the nonce only to specific directives
-# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
-
-# Report CSP violations to a specified URI
-# For further information see the following documentation:
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-# Rails.application.config.content_security_policy_report_only = true
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@ -49,7 +49,7 @@ Rails.application.reloader.to_prepare do
    #   end
    # end

-    application_class "Oauth2Application"
+    application_class "Oauth2Application" unless Settings.status == "database_offline"

    # Enables polymorphic Resource Owner association for Access Tokens and Access Grants.
    # By default this option is disabled.
--- a/config/initializers/inflections.rb
+++ b/config/initializers/inflections.rb
@ -4,13 +4,13 @@
 # are locale specific, and you may define rules for as many different
 # locales as you wish. All of these examples are active by default:
 # ActiveSupport::Inflector.inflections(:en) do |inflect|
-#   inflect.plural /^(ox)$/i, '\1en'
-#   inflect.singular /^(ox)en/i, '\1'
-#   inflect.irregular 'person', 'people'
+#   inflect.plural /^(ox)$/i, "\\1en"
+#   inflect.singular /^(ox)en/i, "\\1"
+#   inflect.irregular "person", "people"
 #   inflect.uncountable %w( fish sheep )
 # end

 # These inflection rules are supported but not enabled by default:
 # ActiveSupport::Inflector.inflections(:en) do |inflect|
-#   inflect.acronym 'RESTful'
+#   inflect.acronym "RESTful"
 # end
--- a/config/initializers/mail_delivery_job.rb
+++ b/config/initializers/mail_delivery_job.rb
@ -0,0 +1,13 @@
+module OpenStreetMap
+  module ActionMailer
+    module MailDeliveryJob
+      def perform(mailer, mail_method, delivery_method, *args, **kwargs)
+        kwargs = args.pop if kwargs.empty? && args.last.is_a?(Hash)
+
+        super(mailer, mail_method, delivery_method, *args, **kwargs)
+      end
+    end
+  end
+end
+
+ActionMailer::MailDeliveryJob.prepend(OpenStreetMap::ActionMailer::MailDeliveryJob)
--- a/config/initializers/new_framework_defaults_6_1.rb
+++ b/config/initializers/new_framework_defaults_6_1.rb
@ -1,58 +0,0 @@
-# Be sure to restart your server when you modify this file.
-#
-# This file contains migration options to ease your Rails 6.1 upgrade.
-#
-# Once upgraded flip defaults one by one to migrate to the new default.
-#
-# Read the Guide for Upgrading Ruby on Rails for more info on each option.
-
-# Support for inversing belongs_to -> has_many Active Record associations.
-Rails.application.config.active_record.has_many_inversing = true
-
-# Track Active Storage variants in the database.
-Rails.application.config.active_storage.track_variants = true
-
-# Apply random variation to the delay when retrying failed jobs.
-Rails.application.config.active_job.retry_jitter = 0.15
-
-# Stop executing `after_enqueue`/`after_perform` callbacks if
-# `before_enqueue`/`before_perform` respectively halts with `throw :abort`.
-Rails.application.config.active_job.skip_after_callbacks_if_terminated = true
-
-# Specify cookies SameSite protection level: either :none, :lax, or :strict.
-#
-# This change is not backwards compatible with earlier Rails versions.
-# It's best enabled when your entire app is migrated and stable on 6.1.
-Rails.application.config.action_dispatch.cookies_same_site_protection = :lax
-
-# Generate CSRF tokens that are encoded in URL-safe Base64.
-#
-# This change is not backwards compatible with earlier Rails versions.
-# It's best enabled when your entire app is migrated and stable on 6.1.
-Rails.application.config.action_controller.urlsafe_csrf_tokens = true
-
-# Specify whether `ActiveSupport::TimeZone.utc_to_local` returns a time with an
-# UTC offset or a UTC time.
-ActiveSupport.utc_to_local_returns_utc_offset_times = true
-
-# Change the default HTTP status code to `308` when redirecting non-GET/HEAD
-# requests to HTTPS in `ActionDispatch::SSL` middleware.
-Rails.application.config.action_dispatch.ssl_default_redirect_status = 308
-
-# Use new connection handling API. For most applications this won't have any
-# effect. For applications using multiple databases, this new API provides
-# support for granular connection swapping.
-Rails.application.config.active_record.legacy_connection_handling = false
-
-# Make `form_with` generate non-remote forms by default.
-Rails.application.config.action_view.form_with_generates_remote_forms = false
-
-# Set the default queue name for the incineration job to the queue adapter default.
-Rails.application.config.action_mailbox.queues.incineration = nil
-
-# Set the default queue name for the routing job to the queue adapter default.
-Rails.application.config.action_mailbox.queues.routing = nil
-
-# Generate a `Link` header that gives a hint to modern browsers about
-# preloading assets when using `javascript_include_tag` and `stylesheet_link_tag`.
-Rails.application.config.action_view.preload_links_header = true
--- a/config/initializers/new_framework_defaults_7_0.rb
+++ b/config/initializers/new_framework_defaults_7_0.rb
@ -0,0 +1,117 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file eases your Rails 7.0 framework defaults upgrade.
+#
+# Uncomment each configuration one by one to switch to the new default.
+# Once your application is ready to run with all new defaults, you can remove
+# this file and set the `config.load_defaults` to `7.0`.
+#
+# Read the Guide for Upgrading Ruby on Rails for more info on each option.
+# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
+
+# `button_to` view helper will render `<button>` element, regardless of whether
+# or not the content is passed as the first argument or as a block.
+Rails.application.config.action_view.button_to_generates_button_tag = true
+
+# `stylesheet_link_tag` view helper will not render the media attribute by default.
+Rails.application.config.action_view.apply_stylesheet_media_default = false
+
+# Change the digest class for the key generators to `OpenSSL::Digest::SHA256`.
+# Changing this default means invalidate all encrypted messages generated by
+# your application and, all the encrypted cookies. Only change this after you
+# rotated all the messages using the key rotator.
+#
+# See upgrading guide for more information on how to build a rotator.
+# https://guides.rubyonrails.org/v7.0/upgrading_ruby_on_rails.html
+Rails.application.config.active_support.key_generator_hash_digest_class = OpenSSL::Digest::SHA256
+
+# Change the digest class for ActiveSupport::Digest.
+# Changing this default means that for example Etags change and
+# various cache keys leading to cache invalidation.
+Rails.application.config.active_support.hash_digest_class = OpenSSL::Digest::SHA256
+
+# Don't override ActiveSupport::TimeWithZone.name and use the default Ruby
+# implementation.
+Rails.application.config.active_support.remove_deprecated_time_with_zone_name = true
+
+# Change the format of the cache entry.
+# Changing this default means that all new cache entries added to the cache
+# will have a different format that is not supported by Rails 6.1 applications.
+# Only change this value after your application is fully deployed to Rails 7.0
+# and you have no plans to rollback.
+Rails.application.config.active_support.cache_format_version = 7.0
+
+# Calls `Rails.application.executor.wrap` around test cases.
+# This makes test cases behave closer to an actual request or job.
+# Several features that are normally disabled in test, such as Active Record query cache
+# and asynchronous queries will then be enabled.
+Rails.application.config.active_support.executor_around_test_case = true
+
+# Define the isolation level of most of Rails internal state.
+# If you use a fiber based server or job processor, you should set it to `:fiber`.
+# Otherwise the default of `:thread` if preferable.
+Rails.application.config.active_support.isolation_level = :thread
+
+# Set both the `:open_timeout` and `:read_timeout` values for `:smtp` delivery method.
+Rails.application.config.action_mailer.smtp_timeout = 5
+
+# The ActiveStorage video previewer will now use scene change detection to generate
+# better preview images (rather than the previous default of using the first frame
+# of the video).
+Rails.application.config.active_storage.video_preview_arguments =
+  "-vf 'select=eq(n\\,0)+eq(key\\,1)+gt(scene\\,0.015),loop=loop=-1:size=2,trim=start_frame=1' -frames:v 1 -f image2"
+
+# Automatically infer `inverse_of` for associations with a scope.
+Rails.application.config.active_record.automatic_scope_inversing = true
+
+# Raise when running tests if fixtures contained foreign key violations
+Rails.application.config.active_record.verify_foreign_keys_for_fixtures = true
+
+# Disable partial inserts.
+# This default means that all columns will be referenced in INSERT queries
+# regardless of whether they have a default or not.
+Rails.application.config.active_record.partial_inserts = false
+
+# Protect from open redirect attacks in `redirect_back_or_to` and `redirect_to`.
+Rails.application.config.action_controller.raise_on_open_redirects = true
+
+# Change the variant processor for Active Storage.
+# Changing this default means updating all places in your code that
+# generate variants to use image processing macros and ruby-vips
+# operations. See the upgrading guide for detail on the changes required.
+# The `:mini_magick` option is not deprecated; it's fine to keep using it.
+Rails.application.config.active_storage.variant_processor = :vips
+
+# If you're upgrading and haven't set `cookies_serializer` previously, your cookie serializer
+# was `:marshal`. Convert all cookies to JSON, using the `:hybrid` formatter.
+#
+# If you're confident all your cookies are JSON formatted, you can switch to the `:json` formatter.
+#
+# Continue to use `:marshal` for backward-compatibility with old cookies.
+#
+# If you have configured the serializer elsewhere, you can remove this.
+#
+# See https://guides.rubyonrails.org/action_controller_overview.html#cookies for more information.
+# Rails.application.config.action_dispatch.cookies_serializer = :hybrid
+
+# Enable parameter wrapping for JSON.
+# Previously this was set in an initializer. It's fine to keep using that initializer if you've customized it.
+# To disable parameter wrapping entirely, set this config to `false`.
+Rails.application.config.action_controller.wrap_parameters_by_default = true
+
+# Specifies whether generated namespaced UUIDs follow the RFC 4122 standard for namespace IDs provided as a
+# `String` to `Digest::UUID.uuid_v3` or `Digest::UUID.uuid_v5` method calls.
+#
+# See https://guides.rubyonrails.org/configuring.html#config-active-support-use-rfc4122-namespaced-uuids for
+# more information.
+Rails.application.config.active_support.use_rfc4122_namespaced_uuids = true
+
+# Change the default headers to disable browsers' flawed legacy XSS protection.
+Rails.application.config.action_dispatch.default_headers = {
+  "X-Frame-Options" => "SAMEORIGIN",
+  "X-XSS-Protection" => "0",
+  "X-Content-Type-Options" => "nosniff",
+  "X-Download-Options" => "noopen",
+  "X-Permitted-Cross-Domain-Policies" => "none",
+  "Referrer-Policy" => "strict-origin-when-cross-origin"
+}
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@ -8,6 +8,7 @@ OpenID::Util.logger = Rails.logger

 OmniAuth.config.logger = Rails.logger
 OmniAuth.config.failure_raise_out_environments = []
+OmniAuth.config.allowed_request_methods = [:post, :patch]

 if Settings.key?(:memcache_servers)
  require "openid/store/memcache"
--- a/config/initializers/permissions_policy.rb
+++ b/config/initializers/permissions_policy.rb
@ -0,0 +1,11 @@
+# Define an application-wide HTTP permissions policy. For further
+# information see https://developers.google.com/web/updates/2018/06/feature-policy
+#
+# Rails.application.config.permissions_policy do |f|
+#   f.camera      :none
+#   f.gyroscope   :none
+#   f.microphone  :none
+#   f.usb         :none
+#   f.fullscreen  :self
+#   f.payment     :self, "https://secure.example.com"
+# end
--- a/config/initializers/piwik.rb
+++ b/config/initializers/piwik.rb
@ -1,5 +0,0 @@
-require "yaml"
-
-if File.exist?(piwik_file = File.expand_path("../piwik.yml", __dir__))
-  PIWIK = YAML.load_file(piwik_file)
-end
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@ -18,11 +18,12 @@ csp_policy = {
  :report_uri => []
 }

-csp_policy[:connect_src] << PIWIK["location"] if defined?(PIWIK)
-csp_policy[:img_src] << PIWIK["location"] if defined?(PIWIK)
-csp_policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
+csp_policy[:connect_src] << Settings.matomo["location"] if defined?(Settings.matomo)
+csp_policy[:img_src] << Settings.matomo["location"] if defined?(Settings.matomo)
+csp_policy[:script_src] << Settings.matomo["location"] if defined?(Settings.matomo)

-csp_policy[:img_src] << Settings.storage_url if Settings.key?(:storage_url)
+csp_policy[:img_src] << Settings.avatar_storage_url if Settings.key?(:avatar_storage_url)
+csp_policy[:img_src] << Settings.trace_image_storage_url if Settings.key?(:trace_image_storage_url)

 csp_policy[:report_uri] << Settings.csp_report_url if Settings.key?(:csp_report_url)