Ooops. Added missing access control to changeset controller.

2008-11-06 19:10:19 +00:00 · 2008-11-06 19:10:19 +00:00 · c760891d63
commit c760891d63
parent 383f204e64
1 changed files with 18 additions and 0 deletions
--- a/app/controllers/changeset_controller.rb
+++ b/app/controllers/changeset_controller.rb
@ -41,7 +41,13 @@ class ChangesetController < ApplicationController
        render :nothing => true, :status => :method_not_allowed
        return
      end
+
      changeset = Changeset.find(params[:id])
+
+      unless @user.id == changeset.user_id 
+        raise OSM::APIUserChangesetMismatchError 
+      end
+
      changeset.open = false
      changeset.save!
      render :nothing => true
@ -61,6 +67,12 @@ class ChangesetController < ApplicationController
    if request.post?
      cs = Changeset.find(params[:id])

+      # check user credentials - only the user who opened a changeset
+      # may alter it.
+      unless @user.id == changeset.user_id 
+        raise OSM::APIUserChangesetMismatchError 
+      end
+
      # keep an array of lons and lats
      lon = Array.new
      lat = Array.new
@ -120,6 +132,12 @@ class ChangesetController < ApplicationController
      return
    end

+    # access control - only the user who created a changeset may
+    # upload to it.
+    unless @user.id == changeset.user_id 
+      raise OSM::APIUserChangesetMismatchError 
+    end
+
    changeset = Changeset.find(params[:id])
    
    diff_reader = DiffReader.new(request.raw_post, changeset)