Commit graph

821 commits

Author SHA1 Message Date
Andy Allan
f11221f05b Merge branch 'master' into cancancan 2018-10-31 11:16:47 +01:00
Andy Allan
0888f43d7b Check the oauth token and then use the capabilities directly 2018-10-24 16:48:54 +02:00
Andy Allan
71b21ec473 Rework capabilities to avoid assumptions about missing tokens
The logic about missing tokens implying logged in users (and that
all logged in users have access to any method protected by a token
capability) is correct. However, I believe it is both confusing and
brittle, and leaves a security-related door ajar for future foot-gun
incidents.

Instead, apply Abilities as normal, and keep the Capabilities
involvement only for situations where a token is provided. This
reduces the cognitive burden when considering Abilities in isolation.
2018-10-24 12:07:00 +02:00
Simon Poole
07ffb4c3f6 Calculate bounding box when deleting relations
Closes #2030
Fixes #2020
2018-10-21 19:32:12 +01:00
Andy Allan
ce761b3193 Combine site permissions declarations 2018-10-17 13:33:47 +02:00
Andy Allan
dfb9e40820 Move issues and reports to authorization system 2018-10-10 16:34:44 +02:00
Andy Allan
fb2c1f6cfd Refactor site#welcome to use abilities instead of require_user 2018-10-10 11:49:45 +02:00
Andy Allan
f8f7ab1568 Change abilities based on upstream renamings 2018-10-10 11:41:16 +02:00
Andy Allan
420a7289a0 Merge branch 'authz' of https://github.com/rubyforgood/openstreetmap-website into rubyforgood-authz 2018-10-10 11:26:30 +02:00
Tom Hughes
b8a8a88004 Merge remote-tracking branch 'upstream/pull/2014' 2018-10-03 18:59:33 +01:00
Andy Allan
3ec67ea2d3 Rename user_controller to users_controller 2018-10-03 15:31:10 +02:00
Andy Allan
5e407dfb34 Merge branch 'master' into messages 2018-10-03 14:04:12 +02:00
Xuyang Jia
d0e45c7c8e Fix any_relations always being false
Closes #1976
2018-09-22 17:46:00 +01:00
Tom Hughes
de29e9b3f5 Fix Style/NumericPredicate rubocop warnings 2018-09-22 17:34:58 +01:00
Tom Hughes
64146b4f36 Fix Style/SafeNavigation rubocop warnings 2018-09-22 17:21:06 +01:00
Tom Hughes
6c2093b29d Fix new rubocop warnings 2018-09-22 17:12:29 +01:00
Tom Hughes
70cca71f38 Merge remote-tracking branch 'upstream/pull/1973' 2018-09-05 19:01:24 +01:00
Andy Allan
5a06a3dffe Rename diary_entry#view to diary_entry#show 2018-09-05 14:52:36 +08:00
Andy Allan
19c26e70a3 Rename user#view to user#show 2018-09-05 14:21:01 +08:00
Andy Allan
dfe21fec82 Use resourceful routing for message replies 2018-09-05 13:22:43 +08:00
Tom Hughes
6027c42ee7 Hide note comments made by deleted users
Fixes #1970
2018-09-04 22:22:39 +01:00
mmd-osm
fe644bbd72 Include num_changes in changeset xml response 2018-08-14 10:57:13 +02:00
Tom Hughes
98de681e47 Update to rails 5.2.0 2018-06-19 00:16:24 +01:00
Chris Flipse
25256a4849 Make rubocop happy 2018-06-17 20:40:48 -04:00
Chris Flipse
91fc65a2e3 separate ability and capability
These are asking fundamentally different questions;

Abilities are asking the application if the user has a role that allows
the user to take a certain action
Capabilities are asking if the user has granted the application to
perform a certain type of action

CanCanCan makes no distinction, however, so the `granted_capabilities`
method is provided as a point that can be checked in rescue methods, so
that one can _attempt_ to continue to provide the more informative error
messages around permission refusals
2018-06-17 13:57:32 -04:00
Benjamin Reynolds
4d20a2c96a Authorize actions on GeocoderController with CanCanCan Ability 2018-06-17 13:57:06 -04:00
Chris Flipse
464c7f863e Update capabilities check to actually reflect the existing logic
The OAuth capabilities are essentially user permissions that have been
granted to the app.  If the user authenticates through a non-oauth
method, they are assumed to have granted all capabilities to the app
2018-06-17 13:57:06 -04:00
Chris Flipse
060c686c19 Use cancancan to authorize user_preference_controller 2018-06-17 13:57:06 -04:00
Chris Flipse
5232914427 Implement the cancan filters for diary entries
Access logic is not _entirely_ exported from the controller,
unfortunately.  For interface reasons, some actions which require admin
have to be listed within the controller's deny_access method.

This is required because, being a default-deny system, cancancan
_cannot_ tell you the reason you were denied access; and so
the "nice" feedback presenting next steps can't be gleaned from
the exception
2018-06-17 13:57:06 -04:00
Chris Flipse
6da3ece683 use token in ability checks 2018-06-17 13:56:23 -04:00
Chris Flipse
b16aa11f65 fix tests for site controller 2018-06-17 13:56:23 -04:00
Andy Allan
ffa65d4d72 Add cancancan and the first ability definitions for site_controller 2018-06-17 13:56:23 -04:00
Tom Hughes
e5604ce98e Assign vandalism reports for users to moderators 2018-06-17 11:14:19 +01:00
Tom Hughes
6c225bd01c Only include issues visible to the current user in the count 2018-06-17 01:01:24 +01:00
Tom Hughes
d3700e6201 Merge branch 'master' into next 2018-06-10 17:02:12 +01:00
Tom Hughes
f227804093 Add some extra indexes on issues 2018-06-10 15:25:53 +01:00
J Guthrie
30756f72ca Change language immediately after updating settings
Closes #1883
2018-05-27 15:12:34 +01:00
Andy Allan
4ec70f7994 Rename messages#read to #show
Also rename the named path, to align with resourceful routing
2018-05-15 18:25:54 +08:00
Andy Allan
011cfa794a Use named paths for messages 2018-05-09 11:24:11 +08:00
Andy Allan
713de1fadb Set default_url_options for action_mailer
This saves having to repeat the same host and protocol options
throughout the notifiers
2018-04-11 15:53:30 +08:00
Andy Allan
7dbf8d8336 Merge branch 'master' into moderation 2018-04-11 09:54:04 +08:00
Tom Hughes
1f2ac59d1d Fix new rubocop warnings 2018-03-26 19:00:03 +01:00
Andy Allan
ee1a8637d3 Convert issue status to an enum 2018-03-21 12:05:08 +08:00
Andy Allan
9f84c6f46e Use user_path links. Fixes #1785 2018-03-21 11:33:45 +08:00
Andy Allan
facce9d0bb Refactor set_default_assigned_role to be more easily read. 2018-03-14 17:35:58 +08:00
Andy Allan
5310c7000c Remove cascading deletes, add another foreign key, and switch index around. 2018-03-14 16:15:39 +08:00
Andy Allan
3e5a4a14df Ensure reports have an issue id and a user id 2018-03-14 15:36:46 +08:00
Andy Allan
5e7abf67fb Remove nonsense has_one relationship 2018-03-14 15:20:04 +08:00
Andy Allan
e85110957a Remove vandalism as an option for reporting notes. 2018-03-14 12:51:22 +08:00
Tom Hughes
276859d0c9 Validate user location is sensible 2018-03-04 10:53:14 +00:00