cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
9001 commits 4 branches 1 tag 499 MiB
Commit graph

5033 commits

Author SHA1 Message Date
Andy Allan
131fd76cae Ensure authorization checks happen for all controller methods 2019-01-16 11:45:13 +01:00
Andy Allan
fc6209dc07 Skip authorization checks for the errors controller 2019-01-16 11:44:55 +01:00
Tom Hughes
11806a676f Merge remote-tracking branch 'upstream/pull/2116' 2019-01-16 10:23:27 +00:00
Tom Hughes
d2e11a327e Merge remote-tracking branch 'upstream/pull/2115' 2019-01-16 10:20:29 +00:00
Tom Hughes
6fb660f0af Merge remote-tracking branch 'upstream/pull/2111' 2019-01-16 10:15:34 +00:00
Tom Hughes
81b37f9263 Fix styling of nested lists in rich text 2019-01-16 10:10:51 +00:00
Andy Allan
3e49e4a62a Use CanCanCan to control access to oauth controller actions 2019-01-16 10:17:55 +01:00
Andy Allan
bda8544d94 Mark non-action methods as protected 2019-01-16 10:17:55 +01:00
Andy Allan
e7f943c715 Use CanCanCan for nodes, ways, relations, old and api controllers 2019-01-16 10:12:19 +01:00
Tom Hughes
5c877e0fa4 Allow everybody to query features 2019-01-09 19:15:55 +00:00
Tom Hughes
99b380765a Allow everybody to create new notes 
Fixes #2110
 2019-01-09 18:13:55 +00:00
Tom Hughes
6c2432ae42 Merge remote-tracking branch 'upstream/pull/2109' 2019-01-09 17:27:16 +00:00
Tom Hughes
73fe5a13df Merge remote-tracking branch 'upstream/pull/2108' 2019-01-09 17:24:28 +00:00
Tom Hughes
74e1d7336e Merge remote-tracking branch 'upstream/pull/2107' 2019-01-09 17:20:08 +00:00
Tom Hughes
09b6560e81 Merge remote-tracking branch 'upstream/pull/2106' 2019-01-09 17:16:01 +00:00
Andy Allan
b184b39f34 Use CanCanCan for oauth clients controller 2019-01-09 15:34:54 +01:00
Andy Allan
425f42dd80 Use CanCanCan for messages controller 2019-01-09 15:27:29 +01:00
Andy Allan
58c101762e Use a builder view for the capabilities call 
This is easier to work with than building the XML document by hand
in the controller.
 2019-01-09 14:30:18 +01:00
Andy Allan
686fee43bf Use full list of osm xml root attributes in builder templates 2019-01-09 14:15:39 +01:00
Andy Allan
1774109311 Use CanCanCan for changesets controller 
The expand_bbox method now needs require_write_api capability on tokens.
 2019-01-09 12:41:33 +01:00
Andy Allan
414c4b2c36 Use CanCanCan for traces controller 2019-01-09 11:40:54 +01:00
Andy Allan
73201ca96b Use CanCanCan for swf controller 2019-01-09 10:32:57 +01:00
Andy Allan
18e418cc4c Skip authorization checks for amf controller 2019-01-09 10:26:12 +01:00
Andy Allan
89399c5ba1 Add missing authorize_resource declaration to geocoder controller 2019-01-09 10:14:52 +01:00
Andy Allan
7420479cde Use CanCanCan for directions controller 2019-01-09 10:12:14 +01:00
Andy Allan
1e30edba53 Use CanCanCan for browse controller 2019-01-09 10:10:12 +01:00
Tom Hughes
65d57a5bfa Fix new rubocop warning 2019-01-07 09:04:13 +00:00
Andy Allan
44eea9dcaf Use CanCanCan for export controller 2019-01-02 19:21:10 +01:00
Andy Allan
ad68d4c634 Use CanCanCan for search controller 2019-01-02 19:17:32 +01:00
Andy Allan
c7a7d29813 Require terms agreement for abilities and capabilities related to api write methods 2019-01-02 17:40:43 +01:00
Tom Hughes
4b0fed0aa4 Replace custom panning with new panInside leaflet method 2019-01-02 11:03:06 +00:00
Tom Hughes
801271363d Allow inline styling on pages that display the map 
Both leaflet itself and at least one of our plugins use inline
styling to style markers so we need to allow it.

Fixes #2093
 2018-12-31 09:32:13 +00:00
Tom Hughes
eb7c4cdedd Allow abilities that require no login for token based access 
Fixes #2085
 2018-12-12 22:41:29 +00:00
Tom Hughes
7bb15e02cc Merge remote-tracking branch 'upstream/pull/2084' 2018-12-12 18:40:13 +00:00
Tom Hughes
c203edda20 Merge remote-tracking branch 'upstream/pull/2083' 2018-12-12 18:33:23 +00:00
Andy Allan
ca596106f5 Refactor users_controller to use CanCanCan for authorisation 2018-12-12 16:17:24 +01:00
Andy Allan
981e4a34b5 Use only token capabilities when a token is provided 
The Authenticate#allow? method (from oauth-plugin) sets current_user as a side
effect of checking the token. But this allows a valid token to access
all actions that are available to that user, beyond the capabilities for
that token.
 2018-12-12 16:16:23 +01:00
Tom Hughes
cbc4c5352d Only check IP addresses for anonymous note comments 2018-12-05 12:54:55 +00:00
Andy Allan
a3a10237f7 Use CanCanCan for user_roles auth 2018-11-28 21:39:26 +01:00
Tom Hughes
a790c47923 Merge remote-tracking branch 'upstream/pull/2072' 2018-11-28 18:24:04 +00:00
Paul Dexter-Sobkowiak
74d2c4336b Split browse_helper.rb into two modules due to rubocop ModuleLength 2018-11-28 18:18:14 +00:00
Andy Allan
3fd083d9d4 Remove the unused require_moderator filter 
Use of this filter has been refactored to use CanCanCan
 2018-11-28 15:59:47 +01:00
Andy Allan
ea766ec57d Use CanCanCan for notes authorization 2018-11-28 15:59:47 +01:00
Andy Allan
8f70fb2114 Use CanCanCan for changeset comments 
This introduces different deny_access handlers for web and api requests, since we want to avoid sending redirects as API responses. See #2064 for discussion.
 2018-11-28 12:35:45 +01:00
Paul Dexter-Sobkowiak
5ba64efd7c Show tel: links for multiple phone numbers separated by ; 
Closes #2069
 2018-11-27 00:06:28 +00:00
Mikel Maron
98262d3ab1 Add links to Welcome Mat on /welcome and /help 
Closes #2056
 2018-11-20 18:46:22 +00:00
Tom Hughes
15c96081a6 Allow connect_src to match all sites in Potlatch 
It seems that Safari matches connections made from a flash application
against connect_src while Firefox uses object_src instead.

Fixes #2067
 2018-11-19 17:34:47 +00:00
Tom Hughes
85802048a7 Fix issues with renaming of diary entry controller 2018-11-17 17:47:51 +00:00
Tom Hughes
dc6a5bc1a6 Take security policy URLs from the configuration file 2018-11-15 18:48:05 +00:00
Tom Hughes
75189bd17d Merge remote-tracking branch 'upstream/pull/2060' 2018-11-14 13:13:56 +00:00