Commit graph

66 commits

Author SHA1 Message Date
Tom Hughes
40ec4734fb Fix new rubocop warnings 2022-05-16 19:16:53 +01:00
Tom Hughes
b5f06e06c1 Fix rubocop Rails/TimeZone warnings 2022-03-01 22:55:10 +00:00
Andy Allan
2731e7244a Add extra user transitions needed by the administrators 2022-02-02 16:37:50 +00:00
Andy Allan
1a11c4dc19 Use a state machine for user status
The user status is a bit complex, since there are various states and
not all transitions between them make sense.

Using AASM means that we can name and restrict the transitions, which
hopefully makes them easier to reason about.
2022-01-12 18:16:14 +00:00
Andy Allan
a863be8831 Rename User#delete to User#destroy
"delete" is generally used for immediate SQL deletion without running
any callbacks or other ruby code, whereas "destroy" will trigger callbacks.

Although we don't currently use any callbacks, let's rename this method to
align better with the convention.
2021-12-22 11:32:33 +00:00
Andy Allan
a8e8ba1a64 Refactor the account edit/update pages out into a separate accounts controller 2021-12-08 15:17:50 +00:00
Tom Hughes
abbd5a30d4 Validate any origin passed to the auth failure callback
Fixes #3375
2021-11-23 17:33:19 +00:00
Tom Hughes
407b61857e Improve fallback behaviour for unsafe referer redirects 2021-11-23 17:18:41 +00:00
Tom Hughes
31e638474a Handle authentication failure callbacks with no message 2021-11-23 17:01:06 +00:00
Tom Hughes
0b43f6b5a0 Drop duplicate unconfirmed_login definition
This allows third party logins to use the common definition from
the SessionMethods concern which specifies the controller.
2021-10-24 10:37:08 +01:00
Tom Hughes
7d46f5db60 Fix new rubocop warnings 2021-08-17 18:17:18 +01:00
Andy Allan
d797de4317 Use user_account_path for links to settings page
Much easier to read than having to be explicit about controllers etc.
2021-08-12 17:09:07 +01:00
Andy Allan
36f6d8d85d Fix redirect to terms path when not logged in
This was missed during #3147 since it wasn't covered by a test.
2021-07-28 16:36:13 +01:00
Andy Allan
caf2e2a242 Move profile-related settings to their own form
Refs #3167
2021-07-14 17:45:19 +01:00
Andy Allan
2403630da8 Split user preferences into a separate page
Refs #3167
2021-07-14 17:40:20 +01:00
Tom Hughes
ef092045e0 Fix some broken translation lookups 2021-06-29 19:14:50 +01:00
Andy Allan
0876ea0bee Refactor terms declined flash message to use a partial
This allows us to include a link in the flash message, without having
to use html_safe. Also refactor to avoid having html angle brackets in
the translation strings, while still allowing locale-specific urls.
2021-06-23 20:11:19 +01:00
Andy Allan
094d6c8bb9 Move confirmation methods into ConfirmationsController 2021-04-07 16:05:32 +01:00
Andy Allan
7a66c6d4eb Split password reset functionality into PasswordsController 2021-04-07 16:05:28 +01:00
Tom Hughes
e0d501f832 Don't allow deleted users to be confirmed 2021-04-01 17:28:03 +01:00
Andy Allan
f18baae22e Refactor login/logout into sessions controller
Certain controller methods are shared with oauth-based logins, and these have been
moved to a concern.
2021-03-24 11:32:46 +00:00
Tom Hughes
4c2e4de5c0 Handle errors checking for gravatars 2021-03-21 10:24:53 +00:00
Tom Hughes
afb22209bf Allow form submission to any location from the login page
This allows openid login to work on browsers like chrome that enforce
the form-action rule for redirect POST requests.

Fixes #3131
2021-03-14 10:18:32 +00:00
Andy Allan
38ad8fbc36 Use login_path instead of explicit controller and actions
This makes future refactoring easier.
2021-03-10 14:31:55 +00:00
Tom Hughes
2233edbcfa Use a 307 Temporary Redirect to redirect to authentication
When the user wants to enable an external authenticator we need
to redirect to omniauth but that now needs to be a POST so use a
redirect that preserves the POST method.

Fixes #3114
2021-03-03 09:27:33 +00:00
Tom Hughes
1f136a84a6 Prevent CSRF bypass with login form 2021-02-10 20:39:23 +00:00
Tom Hughes
51af102c00 Prevent CSRF bypass with password reset form 2021-02-09 23:00:21 +00:00
Tom Hughes
7810734ac4 Prevent CSRF bypass updating account details
Fixes #3089
2021-02-08 12:24:43 +00:00
Tom Hughes
bc233420dd Allow form post to third party authentication providers 2021-02-06 11:10:14 +00:00
Tom Hughes
5912a8011b Update to Omniauth 2.x
This requires converting all use of the /auth endpoints
to use the POST method as GET is no longer supported.
2021-02-02 19:49:03 +00:00
Tom Hughes
812f5b44e8 Redirect after saving settings in case the username has changed
Fixes #3059
2021-01-19 18:57:34 +00:00
Andy Allan
78b9d92207 Prefer keyword arguments when method has optional boolean arguments 2020-11-12 11:24:44 +00:00
Tom Hughes
20ce10a9ef Allow redirects to authentication services from the settings page
Chrome and Safari require redirects to match the form-action rule
as well as the original submission address.
2020-10-29 21:29:35 +00:00
Andy Allan
2559226be3 Avoid various uses of html_safe
We can avoid using `html_safe` in various circumstances, through alternative approaches like i18n keys ending in `_html` or using `safe_join` to avoid converting via unsafe string types.

The `_html` keys approach only works for the ActionView helper version of `t`, not the base `I18n.t` method.
2020-10-21 15:43:14 +02:00
Andy Allan
2c1033f62d Rename Notifier to UserMailer
It's a convention in rails to name your mailers with a Mailer suffix, and is also common to name the class after the recipient (e.g. User, Admin). So UserMailer seems a reasonable choice.
2020-10-14 15:04:58 +02:00
Tom Hughes
7db541d697 Invalidate existing sessions when changing email or password
As we don't have any way to actually find the active sessions for
an account we instead store a fingerprint in the session, and refuse
to use any session with a different fingerprint.
2020-09-29 14:34:08 +01:00
Tom Hughes
c694c78c9a Delete any outstanding tokens when a user changes their email
This ensures that any tokens previously sent to the old email address
can no longer be used if somebody were able to access that address.
2020-09-29 13:47:40 +01:00
Tom Hughes
21adea321b Convert password reset forms to use bootstrap 2020-09-04 00:36:43 +01:00
Tom Hughes
b7432e9432 Handle new rubocop warnings 2020-09-02 07:18:21 +01:00
Tom Hughes
abca51e4d8 Fix some Style/StringConcatenation warnings 2020-08-09 19:48:16 +01:00
Tom Hughes
d4130bcac8 Fix the Redirect warnings from Brakeman
Unfortunately I've had to leave the check disabled as Brakeman
can't see inside the safe_referer method so doesn't realise that
it is cleaning the referer.
2020-07-22 19:23:46 +01:00
Andy Allan
600812f6ad Rework user#set_status and #delete to avoid GET requests
This renames the delete action to destroy, and starts using resourceful
routing for user actions.
2020-06-10 11:49:18 +02:00
Andy Allan
8ebfdbc1ff Move make_friend and remove_friend to friendships controller 2020-06-03 18:23:07 +02:00
Andy Allan
8a774e7519 Use a post link to logout
This avoids needing to access the session id, which is currently
only working with the memcache store.

The fallback page is preserved for anyone who wants to logout without
using javascript.

Refs #2488
2020-01-08 14:03:05 +01:00
Tom Hughes
57f5b7840e Fix rubocop warnings 2019-12-04 19:31:53 +00:00
Tom Hughes
1f880528bd Fix new rubocop warnings 2019-07-18 16:47:08 +01:00
Tom Hughes
3cfffc2258 Update gravatar methods to check for Active Storage images 2019-07-16 22:29:07 +01:00
Tom Hughes
905a7eadb6 Defer deletion of avatars to a background job 2019-07-16 08:27:14 +01:00
Tom Hughes
6c202448ad Move user images to Active Storage with paperclip as a fallback 2019-07-09 19:17:30 +01:00
Tom Hughes
d2d5d48f29 Allow signups to be blocked by MX host 2019-06-23 11:21:03 +01:00