Commit graph

88 commits

Author SHA1 Message Date
Tom Hughes
1b5200b797 Treat github and wikipedia provided emails as confirmed
Fixes #4270
2024-02-25 10:04:18 +00:00
Tom Hughes
242a4a1aee Include both copies of the password in the saved user
This allows us to go back to hashing passwords when the user is saved.

Fixes #4474
2024-01-12 17:55:16 +00:00
Milan Cvetkovic
a4c23cd89f Implement allow list for account creation 2023-12-17 07:55:43 +00:00
Milan Cvetkovic
aeb4271a27 Do not merge zoom/lat/lon options with oauth_return_url 2023-11-21 13:01:52 +00:00
Milan Cvetkovic
1fbd1d11c4 Extract welcome_options function to simplify save function 2023-11-21 11:56:09 +00:00
Milan Cvetkovic
87a5a0844b Welcome screen works with confirmation email too 2023-11-21 11:56:09 +00:00
Milan Cvetkovic
60c885d071 Welcome screen displays 'Continue with authorization'
do not hide notes
2023-11-21 11:56:09 +00:00
Tom Hughes
aaed886890 Hash passwords as soon as a new user is created 2023-11-16 01:02:11 +00:00
Tom Hughes
b1553135fc Preserve pass_crypt_confirmation in the new user hash 2023-11-16 00:29:49 +00:00
Tom Hughes
898a3882c5 Avoid storing user records in the session during signup
This works around an issue with rails failing to preserve attribute
change flags and is in line with upstream advice against storing models
in the session in this way.

https://github.com/rails/rails/issues/49826
https://github.com/rails/rails/issues/49827
2023-10-29 10:13:28 +00:00
Anton Khorev
f5c20527aa Move email-related methods to mixin 2023-09-02 13:43:41 +03:00
Tom Hughes
63bf18a3c3 Add support for rate limiting signup requests 2023-08-22 18:45:17 +01:00
Milan Cvetkovic
ad164d384e Change provider name to "microsoft" 2023-08-20 10:19:30 +01:00
Milan Cvetkovic
568bf4939d Replace references to windowslive with microsoft_graph 2023-08-17 13:01:15 +00:00
Milan Cvetkovic
7428da74c2 Use omniauth-microsoft_graph instead of omniauth-windowslive
Omniauth-microsoft_graph correctly populates 'email' and 'name' fields used by OpenStreetMap.
It also uses updated endpoints for the Microsoft identity provider.

Use email address returned by microsoft_graph provider as a verified address.

Upgrading existing users from windowslive to microsoft_graph:
 - upon next login existing `windowslive` users will have to authorize
   OpenStreetMap application to "Read Your Profile," required for proper reading
   of display name field.

The name of the identity provider in OSM is kept to 'windowslive':
 - the entries in users table with `provider == 'windowslive'`
   can be reused for microsoft_graph provider, since
   the uid field is preserved. Users will not need to repeat the sign up process.
 - OAuth2 callback is still `/auth/windowslive`, no updates to Microsoft Identity Provider portal
   App registration are necessary.
2023-08-17 13:01:15 +00:00
Tom Hughes
65d092a579 Fix new rubocop warnings 2023-08-15 18:22:45 +01:00
Andy Allan
ace8e9a9c3 Fix redirection to wiki when terms are declined
Adds missing test to pick this up.

Fixes #3826.
2022-12-21 15:39:23 +00:00
Tom Hughes
dc28f1dccc Fix new rubocop warnings 2022-11-22 18:32:02 +00:00
Andy Allan
972249ce9d Reconfigure the suspended flash message to avoid html_safe
This also avoids having raw html in the translation strings
2022-11-17 12:04:28 +00:00
Andy Allan
22946d703a Enable the ActionOrder cop for remaining controllers
Where actions were reordered, the rails standard actions were
also moved to the top of each controller.
2022-11-02 11:06:00 +00:00
Tom Hughes
e9f62a8c30 Rename piwik to matomo and merge configuration into settings 2022-08-01 22:42:04 +01:00
Tom Hughes
2cbf6062fc Don't try and write directly to the user status
This causes an exception when processing the authentication callback for
providers like google where we treat the email address as verified.
2022-07-26 00:52:22 +01:00
Tom Hughes
40ec4734fb Fix new rubocop warnings 2022-05-16 19:16:53 +01:00
Tom Hughes
b5f06e06c1 Fix rubocop Rails/TimeZone warnings 2022-03-01 22:55:10 +00:00
Andy Allan
2731e7244a Add extra user transitions needed by the administrators 2022-02-02 16:37:50 +00:00
Andy Allan
1a11c4dc19 Use a state machine for user status
The user status is a bit complex, since there are various states and
not all transitions between them make sense.

Using AASM means that we can name and restrict the transitions, which
hopefully makes them easier to reason about.
2022-01-12 18:16:14 +00:00
Andy Allan
a863be8831 Rename User#delete to User#destroy
"delete" is generally used for immediate SQL deletion without running
any callbacks or other ruby code, whereas "destroy" will trigger callbacks.

Although we don't currently use any callbacks, let's rename this method to
align better with the convention.
2021-12-22 11:32:33 +00:00
Andy Allan
a8e8ba1a64 Refactor the account edit/update pages out into a separate accounts controller 2021-12-08 15:17:50 +00:00
Tom Hughes
abbd5a30d4 Validate any origin passed to the auth failure callback
Fixes #3375
2021-11-23 17:33:19 +00:00
Tom Hughes
407b61857e Improve fallback behaviour for unsafe referer redirects 2021-11-23 17:18:41 +00:00
Tom Hughes
31e638474a Handle authentication failure callbacks with no message 2021-11-23 17:01:06 +00:00
Tom Hughes
0b43f6b5a0 Drop duplicate unconfirmed_login definition
This allows third party logins to use the common definition from
the SessionMethods concern which specifies the controller.
2021-10-24 10:37:08 +01:00
Tom Hughes
7d46f5db60 Fix new rubocop warnings 2021-08-17 18:17:18 +01:00
Andy Allan
d797de4317 Use user_account_path for links to settings page
Much easier to read than having to be explicit about controllers etc.
2021-08-12 17:09:07 +01:00
Andy Allan
36f6d8d85d Fix redirect to terms path when not logged in
This was missed during #3147 since it wasn't covered by a test.
2021-07-28 16:36:13 +01:00
Andy Allan
caf2e2a242 Move profile-related settings to their own form
Refs #3167
2021-07-14 17:45:19 +01:00
Andy Allan
2403630da8 Split user preferences into a separate page
Refs #3167
2021-07-14 17:40:20 +01:00
Tom Hughes
ef092045e0 Fix some broken translation lookups 2021-06-29 19:14:50 +01:00
Andy Allan
0876ea0bee Refactor terms declined flash message to use a partial
This allows us to include a link in the flash message, without having
to use html_safe. Also refactor to avoid having html angle brackets in
the translation strings, while still allowing locale-specific urls.
2021-06-23 20:11:19 +01:00
Andy Allan
094d6c8bb9 Move confirmation methods into ConfirmationsController 2021-04-07 16:05:32 +01:00
Andy Allan
7a66c6d4eb Split password reset functionality into PasswordsController 2021-04-07 16:05:28 +01:00
Tom Hughes
e0d501f832 Don't allow deleted users to be confirmed 2021-04-01 17:28:03 +01:00
Andy Allan
f18baae22e Refactor login/logout into sessions controller
Certain controller methods are shared with oauth-based logins, and these have been
moved to a concern.
2021-03-24 11:32:46 +00:00
Tom Hughes
4c2e4de5c0 Handle errors checking for gravatars 2021-03-21 10:24:53 +00:00
Tom Hughes
afb22209bf Allow form submission to any location from the login page
This allows openid login to work on browsers like chrome that enforce
the form-action rule for redirect POST requests.

Fixes #3131
2021-03-14 10:18:32 +00:00
Andy Allan
38ad8fbc36 Use login_path instead of explicit controller and actions
This makes future refactoring easier.
2021-03-10 14:31:55 +00:00
Tom Hughes
2233edbcfa Use a 307 Temporary Redirect to redirect to authentication
When the user wants to enable an external authenticator we need
to redirect to omniauth but that now needs to be a POST so use a
redirect that preserves the POST method.

Fixes #3114
2021-03-03 09:27:33 +00:00
Tom Hughes
1f136a84a6 Prevent CSRF bypass with login form 2021-02-10 20:39:23 +00:00
Tom Hughes
51af102c00 Prevent CSRF bypass with password reset form 2021-02-09 23:00:21 +00:00
Tom Hughes
7810734ac4 Prevent CSRF bypass updating account details
Fixes #3089
2021-02-08 12:24:43 +00:00