Tom Hughes
385272bdae
Mark redirects which need to be open with allow_other_host
2022-03-09 22:43:02 +00:00
Tom Hughes
44ac569d28
Merge remote-tracking branch 'upstream/pull/3493'
2022-03-08 20:30:19 +00:00
mmd-osm
c9e836a6cb
JSON output added to permissions endpoint
2022-03-08 20:21:35 +01:00
Tom Hughes
5d67fa3908
Fix some Naming/AccessorMethodName rubocop warnings
2022-03-08 19:10:05 +00:00
Tom Hughes
cfb4a70129
Fix Lint/DuplicateBranch rubocop warnings
2022-03-08 19:05:37 +00:00
Tom Hughes
cbcc7dc49f
Fix some rubocop Naming/PredicateName warnings
2022-03-03 22:47:55 +00:00
Tom Hughes
b5f06e06c1
Fix rubocop Rails/TimeZone warnings
2022-03-01 22:55:10 +00:00
Tom Hughes
1f8df781be
Merge remote-tracking branch 'upstream/pull/3398'
2022-02-16 18:13:16 +00:00
Tom Hughes
53aa7259bb
Merge remote-tracking branch 'upstream/pull/3345'
2022-02-13 18:39:21 +00:00
Andy Allan
6c1d73a509
Allow users to delete their own accounts
This PR allows users to delete their own accounts. The logic implemented matches
that currently used by the admins when they manually close accounts, although
there is room to be more complex in future e.g. completely removing accounts
with no content.
The error handling has been slightly adapted for namespaced controllers, by
anchoring the controller name with a leading forward slash.
2022-02-09 16:15:24 +00:00
Tom Hughes
446837c351
Merge remote-tracking branch 'upstream/pull/3419'
2022-02-03 18:37:12 +00:00
Andy Allan
2731e7244a
Add extra user transitions needed by the administrators
2022-02-02 16:37:50 +00:00
Tom Hughes
988d7cd90d
Remove form_action restrictions for sessions#login
Login may redirect to oauth2_authorizations#create which may then
redirect to arbitrary schemes if the application is already authorized
so we need to allow login to redirect to any scheme.
Fixes #3424
2022-01-17 11:01:07 +00:00
Tom Hughes
ff995e7ea3
Restore form_action restrictions for oauth2_authorizations#create
2022-01-17 11:00:41 +00:00
Tom Hughes
707ebddbb5
Remove form_action restrictions for oauth2_authorizations#create
Fixes #3424
2022-01-17 09:33:28 +00:00
Andy Allan
1a11c4dc19
Use a state machine for user status
The user status is a bit complex, since there are various states and
not all transitions between them make sense.
Using AASM means that we can name and restrict the transitions, which
hopefully makes them easier to reason about.
2022-01-12 18:16:14 +00:00
Tom Hughes
d6da1499fc
Avoid putting ActionController::Parameters objects in the session
2022-01-11 19:43:43 +00:00
Tom Hughes
8e8f6ef990
Attempt to avoid polynomial time matches on user supplied data
2022-01-05 18:38:15 +00:00
Tom Hughes
d2337810a3
Remove redundant OpenID URL expansion code
It was only used for Google who have long since dropped OpenID support.
2022-01-04 12:02:02 +00:00
Tom Hughes
fea1b5b88d
Fix new rubocop warnings
2021-12-28 19:47:51 +00:00
Andy Allan
a863be8831
Rename User#delete to User#destroy
"delete" is generally used for immediate SQL deletion without running
any callbacks or other ruby code, whereas "destroy" will trigger callbacks.
Although we don't currently use any callbacks, let's rename this method to
align better with the convention.
2021-12-22 11:32:33 +00:00
Tom Hughes
0410596908
Switch traces to use ActiveStorage
2021-12-16 18:45:31 +00:00
Andy Allan
a8e8ba1a64
Refactor the account edit/update pages out into a separate accounts controller
2021-12-08 15:17:50 +00:00
Tom Hughes
1a65c279aa
Merge remote-tracking branch 'upstream/pull/3382'
2021-11-25 17:19:26 +00:00
Andy Allan
3aa8292d6d
Drop the trace_use_job_queue option
This has been set as true by default, and in production, for many
years. I don't think there's much use in keeping the setting around
any longer.
2021-11-24 15:23:27 +00:00
Andy Allan
18c70fa2de
Add a user link to the heading of the diary comments page
Fixes #3369
This makes the heading match the layout of the user's Notes page,
which also has a short heading and a subheading with a link.
Additionally, add a page title, again for consistency.
2021-11-24 10:55:09 +00:00
Tom Hughes
abbd5a30d4
Validate any origin passed to the auth failure callback
Fixes #3375
2021-11-23 17:33:19 +00:00
Tom Hughes
407b61857e
Improve fallback behaviour for unsafe referer redirects
2021-11-23 17:18:41 +00:00
Tom Hughes
31e638474a
Handle authentication failure callbacks with no message
2021-11-23 17:01:06 +00:00
Tom Hughes
d951621c44
Make safe_referer handle invalid URIs
2021-11-23 11:27:02 +00:00
Tom Hughes
02fb858956
Send plain errors for non HTML resources
Without this we throw a second error when we can't find a view
of the correct format and issue a 500 response.
2021-11-16 12:44:52 +00:00
Tom Hughes
d66d67805d
Serve an updated TOTP token with the browse query response
2021-10-25 20:28:53 +01:00
Tom Hughes
99546ae0a1
Specify the controller when redirecting a failed login
This ensures that third party logins, whose callback is processed
by the users controller, go to the right place.
2021-10-24 10:38:35 +01:00
Tom Hughes
0b43f6b5a0
Drop duplicate unconfirmed_login definition
This allows third party logins to use the common definition from
the SessionMethods concern which specifies the controller.
2021-10-24 10:37:08 +01:00
Tom Hughes
5966acc207
Merge remote-tracking branch 'upstream/pull/3300'
2021-10-07 17:45:07 +01:00
Andy Allan
95e5178bfb
Refactor tracepoint index to use an xml builder view
This avoids constructing xml by hand in both the controller and
the model, and opens the way for other rendering in future.
The complexity of deciding which point goes where, along with revisiting
previous tracks and tracksegs means that I've broken it down into
two parts - sorting the points into the right trksegs is done first,
before rendering them all as xml. I couldn't find a way to allow
revisiting using the builder.
2021-09-29 15:14:53 +01:00
Tom Hughes
e91c02f2ce
Merge remote-tracking branch 'upstream/pull/3297'
2021-09-15 18:44:23 +01:00
Andy Allan
76f1d7bc78
Use a builder to render changeset downloads
2021-09-15 16:33:04 +01:00
Tom Hughes
f4d1d97848
Add a privileged scope that allows email addresses to be returned
2021-08-26 17:22:25 +01:00
Tom Hughes
6c6e8883f7
Introduce privileged scopes that only an administrator can enable
2021-08-26 17:22:24 +01:00
Tom Hughes
cc461b126d
Correct policing of access to private user details
2021-08-24 17:49:08 +01:00
Andy Allan
cb7b79a58f
Split the non-public information off of the profile page
This opens up many possibilities for more interesting things to be
shown on the dashboard, as well as making it easier to find if
you have lots of content in your profile.
2021-08-18 13:32:36 +01:00
Tom Hughes
7d46f5db60
Fix new rubocop warnings
2021-08-17 18:17:18 +01:00
Andy Allan
d797de4317
Use user_account_path for links to settings page
Much easier to read than having to be explicit about controllers etc.
2021-08-12 17:09:07 +01:00
Andy Allan
36f6d8d85d
Fix redirect to terms path when not logged in
This was missed during #3147 since it wasn't covered by a test.
2021-07-28 16:36:13 +01:00
Tom Hughes
f1935b1c57
Merge remote-tracking branch 'upstream/pull/3257'
2021-07-21 19:24:31 +01:00
Andy Allan
403c8941a6
Ensure that flash message is shown in the updated language
2021-07-21 18:58:47 +01:00
Andy Allan
29efa4337c
Remove incorrectly spelled helper_method
The spelling of language is wrong here, and the correct version
is already there further down at the preferred_language method definition.
2021-07-21 17:28:23 +01:00
Tom Hughes
cd9a72e669
Merge remote-tracking branch 'upstream/pull/3263'
2021-07-21 12:16:08 +01:00
Andy Allan
37b03e47c6
Fix various code comments
These were found as part of #3233.
2021-07-21 11:24:23 +01:00