Check API status before authorizing access

Fixes #3530

app/controllers/api/changeset_comments_controller.rb

@@ -1,12 +1,12 @@
 module Api
   class ChangesetCommentsController < ApiController
+    before_action :check_api_writable
+    before_action :check_api_readable, :except => [:create]
     before_action :authorize
 
     authorize_resource
 
     before_action :require_public_data, :only => [:create]
-    before_action :check_api_writable
-    before_action :check_api_readable, :except => [:create]
     before_action :set_request_formats
     around_action :api_call_handle_error
     around_action :api_call_timeout

app/controllers/api/changesets_controller.rb

@@ -4,13 +4,13 @@ module Api
   class ChangesetsController < ApiController
     require "xml/libxml"
 
+    before_action :check_api_writable, :only => [:create, :update, :upload, :subscribe, :unsubscribe]
+    before_action :check_api_readable, :except => [:create, :update, :upload, :download, :query, :subscribe, :unsubscribe]
     before_action :authorize, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
 
     authorize_resource
 
     before_action :require_public_data, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
-    before_action :check_api_writable, :only => [:create, :update, :upload, :subscribe, :unsubscribe]
-    before_action :check_api_readable, :except => [:create, :update, :upload, :download, :query, :subscribe, :unsubscribe]
     before_action :set_request_formats, :except => [:create, :close, :upload]
 
     around_action :api_call_handle_error

app/controllers/api/map_controller.rb

@@ -1,8 +1,9 @@
 module Api
   class MapController < ApiController
+    before_action :check_api_readable
+
     authorize_resource :class => false
 
-    before_action :check_api_readable
     around_action :api_call_handle_error, :api_call_timeout
 
     before_action :set_request_formats

app/controllers/api/nodes_controller.rb

@@ -4,13 +4,13 @@ module Api
   class NodesController < ApiController
     require "xml/libxml"
 
+    before_action :check_api_writable, :only => [:create, :update, :delete]
+    before_action :check_api_readable, :except => [:create, :update, :delete]
     before_action :authorize, :only => [:create, :update, :delete]
 
     authorize_resource
 
     before_action :require_public_data, :only => [:create, :update, :delete]
-    before_action :check_api_writable, :only => [:create, :update, :delete]
-    before_action :check_api_readable, :except => [:create, :update, :delete]
     around_action :api_call_handle_error, :api_call_timeout
 
     before_action :set_request_formats, :except => [:create, :update, :delete]

app/controllers/api/notes_controller.rb

@@ -1,12 +1,12 @@
 module Api
   class NotesController < ApiController
     before_action :check_api_readable
+    before_action :check_api_writable, :only => [:create, :comment, :close, :reopen, :destroy]
     before_action :setup_user_auth, :only => [:create, :comment, :show]
     before_action :authorize, :only => [:close, :reopen, :destroy, :comment]
 
     authorize_resource
 
-    before_action :check_api_writable, :only => [:create, :comment, :close, :reopen, :destroy]
     before_action :set_locale
     around_action :api_call_handle_error, :api_call_timeout
 

app/controllers/api/old_controller.rb

@@ -5,13 +5,13 @@ module Api
   class OldController < ApiController
     require "xml/libxml"
 
+    before_action :check_api_readable
+    before_action :check_api_writable, :only => [:redact]
     before_action :setup_user_auth, :only => [:history, :version]
     before_action :authorize, :only => [:redact]
 
     authorize_resource
 
-    before_action :check_api_readable
-    before_action :check_api_writable, :only => [:redact]
     around_action :api_call_handle_error, :api_call_timeout
     before_action :lookup_old_element, :except => [:history]
     before_action :lookup_old_element_versions, :only => [:history]

app/controllers/api/permissions_controller.rb

@@ -1,8 +1,9 @@
 module Api
   class PermissionsController < ApiController
+    before_action :check_api_readable
+
     authorize_resource :class => false
 
-    before_action :check_api_readable
     before_action :setup_user_auth
     before_action :set_request_formats
     around_action :api_call_handle_error, :api_call_timeout

app/controllers/api/relations_controller.rb

@@ -2,13 +2,13 @@ module Api
   class RelationsController < ApiController
     require "xml/libxml"
 
+    before_action :check_api_writable, :only => [:create, :update, :delete]
+    before_action :check_api_readable, :except => [:create, :update, :delete]
     before_action :authorize, :only => [:create, :update, :delete]
 
     authorize_resource
 
     before_action :require_public_data, :only => [:create, :update, :delete]
-    before_action :check_api_writable, :only => [:create, :update, :delete]
-    before_action :check_api_readable, :except => [:create, :update, :delete]
     around_action :api_call_handle_error, :api_call_timeout
 
     before_action :set_request_formats, :except => [:create, :update, :delete]

app/controllers/api/tracepoints_controller.rb

@@ -1,8 +1,9 @@
 module Api
   class TracepointsController < ApiController
+    before_action :check_api_readable
+
     authorize_resource
 
-    before_action :check_api_readable
     around_action :api_call_handle_error, :api_call_timeout
 
     # Get an XML response containing a list of tracepoints that have been uploaded

app/controllers/api/traces_controller.rb

@@ -1,13 +1,13 @@
 module Api
   class TracesController < ApiController
+    before_action :check_database_readable, :except => [:show, :data]
+    before_action :check_database_writable, :only => [:create, :update, :destroy]
     before_action :authorize_web
     before_action :set_locale
     before_action :authorize
 
     authorize_resource
 
-    before_action :check_database_readable, :except => [:show, :data]
-    before_action :check_database_writable, :only => [:create, :update, :destroy]
     before_action :check_api_readable, :only => [:show, :data]
     before_action :check_api_writable, :only => [:create, :update, :destroy]
     before_action :offline_error, :only => [:create, :destroy, :data]

app/controllers/api/users_controller.rb

@@ -1,12 +1,12 @@
 module Api
   class UsersController < ApiController
+    before_action :check_api_readable
     before_action :disable_terms_redirect, :only => [:details]
     before_action :setup_user_auth, :only => [:show, :index]
     before_action :authorize, :only => [:details, :gpx_files]
 
     authorize_resource
 
-    before_action :check_api_readable
     around_action :api_call_handle_error
     before_action :lookup_user_by_id, :only => [:show]
 

app/controllers/api/ways_controller.rb

@@ -2,13 +2,13 @@ module Api
   class WaysController < ApiController
     require "xml/libxml"
 
+    before_action :check_api_writable, :only => [:create, :update, :delete]
+    before_action :check_api_readable, :except => [:create, :update, :delete]
     before_action :authorize, :only => [:create, :update, :delete]
 
     authorize_resource
 
     before_action :require_public_data, :only => [:create, :update, :delete]
-    before_action :check_api_writable, :only => [:create, :update, :delete]
-    before_action :check_api_readable, :except => [:create, :update, :delete]
     around_action :api_call_handle_error, :api_call_timeout
 
     before_action :set_request_formats, :except => [:create, :update, :delete]