Andy Allan
c7a7d29813
Require terms agreement for abilities and capabilities related to api write methods
2019-01-02 17:40:43 +01:00
Andy Allan
ca596106f5
Refactor users_controller to use CanCanCan for authorisation
2018-12-12 16:17:24 +01:00
Andy Allan
981e4a34b5
Use only token capabilities when a token is provided
...
The Authenticate#allow? method (from oauth-plugin) sets current_user as a side
effect of checking the token. But this allows a valid token to access
all actions that are available to that user, beyond the capabilities for
that token.
2018-12-12 16:16:23 +01:00
Andy Allan
a3a10237f7
Use CanCanCan for user_roles auth
2018-11-28 21:39:26 +01:00
Tom Hughes
a790c47923
Merge remote-tracking branch 'upstream/pull/2072'
2018-11-28 18:24:04 +00:00
Paul Dexter-Sobkowiak
74d2c4336b
Split browse_helper.rb into two modules due to rubocop ModuleLength
2018-11-28 18:18:14 +00:00
Tom Hughes
b99b192697
Merge remote-tracking branch 'upstream/pull/2075'
2018-11-28 18:09:20 +00:00
Andy Allan
ed8e15c8f0
Remove user_roles integration test since it is not meaningful
...
This test has not been meaningful for a long while, since both check_success and check_fail contain exactly the same code.
Additionally, the test doesn't cover any integrations (beyond logging in), and so it is only covering the same ground as the controller test.
2018-11-28 17:22:31 +01:00
Andy Allan
ea766ec57d
Use CanCanCan for notes authorization
2018-11-28 15:59:47 +01:00
Andy Allan
8f70fb2114
Use CanCanCan for changeset comments
...
This introduces different deny_access handlers for web and api requests, since we want to avoid sending redirects as API responses. See #2064 for discussion.
2018-11-28 12:35:45 +01:00
Paul Dexter-Sobkowiak
5ba64efd7c
Show tel: links for multiple phone numbers separated by ;
...
Closes #2069
2018-11-27 00:06:28 +00:00
Tom Hughes
6f2f9221ef
Fix tests for rails 5.2.1 compatibility
...
Rails 5.2.1 has changed how the request body is handled
internally for a test which means we can no longer cheat
by stashing it in the request environment and must instead
pass it properly to the request method.
2018-11-15 00:46:53 +00:00
Tom Hughes
75189bd17d
Merge remote-tracking branch 'upstream/pull/2060'
2018-11-14 13:13:56 +00:00
Andy Allan
234afb3f42
Remove custom deny_access handlers
...
Since these pages are not accessed by normal users, except for url fiddling, it's fine to respond with a generic access denied.
2018-11-14 14:10:51 +01:00
Tom Hughes
dd302f4f2c
Merge remote-tracking branch 'upstream/pull/2061'
2018-11-14 12:43:35 +00:00
Andy Allan
c89b88c8d0
Add a changeset to exercise that part of the contact rendering
2018-11-14 12:25:21 +01:00
Andy Allan
0d55c40ca8
Ensure that the blocked template rendering works
2018-11-14 12:19:23 +01:00
Andy Allan
d7f41756f9
Check that a request that requires authentication is redirected when the user hasn't seen the terms
2018-11-14 12:19:23 +01:00
Andy Allan
252b9ef08a
Pluralize changesets controller
2018-11-14 10:34:28 +01:00
Tom Hughes
ccdec3ed4c
Attempt to send pretty 403 errors to web browsers
2018-11-08 19:09:56 +00:00
Tom Hughes
6ca22de4f2
Merge remote-tracking branch 'upstream/pull/2051'
2018-11-08 17:51:23 +00:00
Tom Hughes
70d6880e10
Merge remote-tracking branch 'upstream/pull/2052'
2018-11-08 17:44:57 +00:00
Tom Hughes
10294f4849
Merge remote-tracking branch 'upstream/pull/2050'
2018-11-08 17:31:30 +00:00
Andy Allan
d70529f12b
Remove unnecessary include from redaction model test
2018-11-07 16:48:48 +01:00
Andy Allan
efa37f6a83
Remove unnecessary require statements from tests
2018-11-07 16:42:11 +01:00
Andy Allan
26777c4464
Pluralize diary entries controller
2018-11-07 16:31:04 +01:00
Andy Allan
e85c56d151
Pluralize old_ controllers
2018-11-07 16:05:56 +01:00
Andy Allan
05117aa928
Pluralize nodes, ways and relations controllers
2018-11-07 15:55:26 +01:00
Andy Allan
79207ee594
Use CanCanCan for redaction authorizations
2018-11-07 13:28:58 +01:00
Andy Allan
368ce0000d
Migrate UserBlocksController to use CanCanCan
2018-11-07 13:07:08 +01:00
Andy Allan
04afeeb32f
Rename hide_comment and unhide_comment to destroy and restore
...
This preserves the API endpoints and HTTP methods, which could be changed in the next API version
2018-11-07 10:51:43 +01:00
Andy Allan
4b0d56f7e1
Rename comments_feed to index
2018-11-07 10:22:07 +01:00
Andy Allan
b7e871cb46
Rename comment to create
2018-11-07 10:22:07 +01:00
Andy Allan
19c2b92fb7
Split changeset comment handling into a changeset_comments controller
2018-11-07 10:20:14 +01:00
Tom Hughes
d73a5d4bc0
Merge character validators
2018-11-05 18:54:19 +00:00
Tom Hughes
b4ef61a9f3
Merge leading and trailing whitespace validators
2018-11-05 18:29:17 +00:00
J Guthrie
1e57189366
Added tests for validators
2018-11-05 16:23:30 +00:00
J Guthrie
6cde8c9b0c
Changed User model to not allow nil display_name (w/ tests)
2018-11-05 15:40:37 +00:00
Tom Hughes
16bef0c8ec
Merge remote-tracking branch 'upstream/pull/2023'
2018-11-03 14:34:18 +00:00
Tom Hughes
8c269aba4e
Move abilities to a separate top level directory
2018-11-03 12:56:50 +00:00
Tom Hughes
391fb933f5
Merge remote-tracking branch 'upstream/pull/2038'
2018-11-03 11:58:56 +00:00
Tom Hughes
6142980d07
Fix new rubocop warnings
2018-10-31 19:14:39 +00:00
Andy Allan
b54362d458
Use deliver_later for all email sending
2018-10-31 16:38:12 +01:00
Andy Allan
7a177cb03f
Fix error messages when users should not be able to do things
2018-10-31 11:42:49 +01:00
Andy Allan
41619593df
Add testing for moderator users and issues
2018-10-31 11:41:32 +01:00
Andy Allan
149c07fd2b
Remove unnecessary token granting from the user_preferences tests
...
Sufficient permissions are granted by the basic authorisation, so this
isn't testing anything.
2018-10-31 11:36:24 +01:00
Andy Allan
f11221f05b
Merge branch 'master' into cancancan
2018-10-31 11:16:47 +01:00
Andy Allan
0888f43d7b
Check the oauth token and then use the capabilities directly
2018-10-24 16:48:54 +02:00
Andy Allan
71b21ec473
Rework capabilities to avoid assumptions about missing tokens
...
The logic about missing tokens implying logged in users (and that
all logged in users have access to any method protected by a token
capability) is correct. However, I believe it is both confusing and
brittle, and leaves a security-related door ajar for future foot-gun
incidents.
Instead, apply Abilities as normal, and keep the Capabilities
involvement only for situations where a token is provided. This
reduces the cognitive burden when considering Abilities in isolation.
2018-10-24 12:07:00 +02:00
Tom Hughes
a5124ed409
Update translation keys for renaming of user to users
...
Fixes #2031
2018-10-22 11:00:03 +01:00