Commit graph

2033 commits

Author SHA1 Message Date
Tom Hughes
801271363d Allow inline styling on pages that display the map
Both leaflet itself and at least one of our plugins use inline
styling to style markers so we need to allow it.

Fixes #2093
2018-12-31 09:32:13 +00:00
Tom Hughes
eb7c4cdedd Allow abilities that require no login for token based access
Fixes #2085
2018-12-12 22:41:29 +00:00
Tom Hughes
7bb15e02cc Merge remote-tracking branch 'upstream/pull/2084' 2018-12-12 18:40:13 +00:00
Tom Hughes
c203edda20 Merge remote-tracking branch 'upstream/pull/2083' 2018-12-12 18:33:23 +00:00
Andy Allan
ca596106f5 Refactor users_controller to use CanCanCan for authorisation 2018-12-12 16:17:24 +01:00
Andy Allan
981e4a34b5 Use only token capabilities when a token is provided
The Authenticate#allow? method (from oauth-plugin) sets current_user as a side
effect of checking the token. But this allows a valid token to access
all actions that are available to that user, beyond the capabilities for
that token.
2018-12-12 16:16:23 +01:00
Tom Hughes
cbc4c5352d Only check IP addresses for anonymous note comments 2018-12-05 12:54:55 +00:00
Andy Allan
a3a10237f7 Use CanCanCan for user_roles auth 2018-11-28 21:39:26 +01:00
Andy Allan
3fd083d9d4 Remove the unused require_moderator filter
Use of this filter has been refactored to use CanCanCan
2018-11-28 15:59:47 +01:00
Andy Allan
ea766ec57d Use CanCanCan for notes authorization 2018-11-28 15:59:47 +01:00
Andy Allan
8f70fb2114 Use CanCanCan for changeset comments
This introduces different deny_access handlers for web and api requests, since we want to avoid sending redirects as API responses. See #2064 for discussion.
2018-11-28 12:35:45 +01:00
Tom Hughes
15c96081a6 Allow connect_src to match all sites in Potlatch
It seems that Safari matches connections made from a flash application
against connect_src while Firefox uses object_src instead.

Fixes #2067
2018-11-19 17:34:47 +00:00
Tom Hughes
dc6a5bc1a6 Take security policy URLs from the configuration file 2018-11-15 18:48:05 +00:00
Tom Hughes
75189bd17d Merge remote-tracking branch 'upstream/pull/2060' 2018-11-14 13:13:56 +00:00
Andy Allan
234afb3f42 Remove custom deny_access handlers
Since these pages are not accessed by normal users, except for url fiddling, it's fine to respond with a generic access denied.
2018-11-14 14:10:51 +01:00
Andy Allan
252b9ef08a Pluralize changesets controller 2018-11-14 10:34:28 +01:00
Tom Hughes
4deffa5e40 Skip CSRF verification for changeset comment actions
Fixes #2057
2018-11-13 13:17:19 +00:00
Tom Hughes
ccdec3ed4c Attempt to send pretty 403 errors to web browsers 2018-11-08 19:09:56 +00:00
Tom Hughes
6ca22de4f2 Merge remote-tracking branch 'upstream/pull/2051' 2018-11-08 17:51:23 +00:00
Tom Hughes
70d6880e10 Merge remote-tracking branch 'upstream/pull/2052' 2018-11-08 17:44:57 +00:00
Tom Hughes
10294f4849 Merge remote-tracking branch 'upstream/pull/2050' 2018-11-08 17:31:30 +00:00
Andy Allan
26777c4464 Pluralize diary entries controller 2018-11-07 16:31:04 +01:00
Andy Allan
e85c56d151 Pluralize old_ controllers 2018-11-07 16:05:56 +01:00
Andy Allan
05117aa928 Pluralize nodes, ways and relations controllers 2018-11-07 15:55:26 +01:00
Andy Allan
79207ee594 Use CanCanCan for redaction authorizations 2018-11-07 13:28:58 +01:00
Andy Allan
368ce0000d Migrate UserBlocksController to use CanCanCan 2018-11-07 13:07:08 +01:00
Andy Allan
04afeeb32f Rename hide_comment and unhide_comment to destroy and restore
This preserves the API endpoints and HTTP methods, which could be changed in the next API version
2018-11-07 10:51:43 +01:00
Andy Allan
4b0d56f7e1 Rename comments_feed to index 2018-11-07 10:22:07 +01:00
Andy Allan
b7e871cb46 Rename comment to create 2018-11-07 10:22:07 +01:00
Andy Allan
19c2b92fb7 Split changeset comment handling into a changeset_comments controller 2018-11-07 10:20:14 +01:00
Tom Hughes
cdb42d2a6c Avoid ordering points from public and private traces
Closes #2046
2018-11-07 08:57:14 +00:00
Tom Hughes
16bef0c8ec Merge remote-tracking branch 'upstream/pull/2023' 2018-11-03 14:34:18 +00:00
Andy Allan
b54362d458 Use deliver_later for all email sending 2018-10-31 16:38:12 +01:00
Andy Allan
f11221f05b Merge branch 'master' into cancancan 2018-10-31 11:16:47 +01:00
Tom Hughes
22af018298 Update translation keys for renaming of user to users 2018-10-29 12:48:20 +00:00
Andy Allan
0888f43d7b Check the oauth token and then use the capabilities directly 2018-10-24 16:48:54 +02:00
Andy Allan
a50ad1c895 Rework the default denied access handler to give different responses to tokens, logged in users and other users 2018-10-24 09:39:02 +02:00
Tom Hughes
aef5273e95 Tidy up notes#search 2018-10-11 18:32:31 +01:00
Tom Hughes
db13180c70 Use "user" as user id parameter for notes searches 2018-10-11 18:30:53 +01:00
Tom Hughes
57095bc6c0 Merge remote-tracking branch 'upstream/pull/1955' 2018-10-11 17:41:47 +01:00
Tom Hughes
45c464a69a Suppress changeset pagination for inactive users
Fixes #2024
2018-10-11 09:39:56 +01:00
ENT8R
caef5828f4 Fix Rubocop issue 2018-10-11 08:36:13 +02:00
ENT8R
b19e424112 Fix some issues and improve code 2018-10-10 19:29:11 +02:00
Andy Allan
b7baa2c10a Remove temporary development code 2018-10-10 16:54:16 +02:00
Andy Allan
dfb9e40820 Move issues and reports to authorization system 2018-10-10 16:34:44 +02:00
Andy Allan
901c29a820 Fix typo in method name 2018-10-10 11:55:00 +02:00
Andy Allan
fb2c1f6cfd Refactor site#welcome to use abilities instead of require_user 2018-10-10 11:49:45 +02:00
Andy Allan
f8f7ab1568 Change abilities based on upstream renamings 2018-10-10 11:41:16 +02:00
Andy Allan
420a7289a0 Merge branch 'authz' of https://github.com/rubyforgood/openstreetmap-website into rubyforgood-authz 2018-10-10 11:26:30 +02:00
ENT8R
0859748815 Fix Rubocop issue 2018-10-09 14:50:55 +02:00