cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
8923 commits 4 branches 1 tag 499 MiB
Commit graph

171 commits

Author SHA1 Message Date
Andy Allan
8f70fb2114 Use CanCanCan for changeset comments 
This introduces different deny_access handlers for web and api requests, since we want to avoid sending redirects as API responses. See #2064 for discussion.
 2018-11-28 12:35:45 +01:00
Tom Hughes
dc6a5bc1a6 Take security policy URLs from the configuration file 2018-11-15 18:48:05 +00:00
Tom Hughes
ccdec3ed4c Attempt to send pretty 403 errors to web browsers 2018-11-08 19:09:56 +00:00
Andy Allan
f11221f05b Merge branch 'master' into cancancan 2018-10-31 11:16:47 +01:00
Tom Hughes
22af018298 Update translation keys for renaming of user to users 2018-10-29 12:48:20 +00:00
Andy Allan
0888f43d7b Check the oauth token and then use the capabilities directly 2018-10-24 16:48:54 +02:00
Andy Allan
a50ad1c895 Rework the default denied access handler to give different responses to tokens, logged in users and other users 2018-10-24 09:39:02 +02:00
Andy Allan
b7baa2c10a Remove temporary development code 2018-10-10 16:54:16 +02:00
Andy Allan
901c29a820 Fix typo in method name 2018-10-10 11:55:00 +02:00
Andy Allan
420a7289a0 Merge branch 'authz' of https://github.com/rubyforgood/openstreetmap-website into rubyforgood-authz 2018-10-10 11:26:30 +02:00
Andy Allan
3ec67ea2d3 Rename user_controller to users_controller 2018-10-03 15:31:10 +02:00
Tom Hughes
64146b4f36 Fix Style/SafeNavigation rubocop warnings 2018-09-22 17:21:06 +01:00
Chris Flipse
25256a4849 Make rubocop happy 2018-06-17 20:40:48 -04:00
Chris Flipse
91fc65a2e3 separate ability and capability 
These are asking fundamentally different questions;

Abilities are asking the application if the user has a role that allows
the user to take a certain action
Capabilities are asking if the user has granted the application to
perform a certain type of action

CanCanCan makes no distinction, however, so the `granted_capabilities`
method is provided as a point that can be checked in rescue methods, so
that one can _attempt_ to continue to provide the more informative error
messages around permission refusals
 2018-06-17 13:57:32 -04:00
Chris Flipse
060c686c19 Use cancancan to authorize user_preference_controller 2018-06-17 13:57:06 -04:00
Chris Flipse
6b44a1976c use a controller method to handle cancan denials 
This will let controllers override for specific circumstances
 2018-06-17 13:57:06 -04:00
Chris Flipse
6da3ece683 use token in ability checks 2018-06-17 13:56:23 -04:00
Chris Flipse
2ab3d56102 don't check authorization everywhere 2018-06-17 13:56:23 -04:00
Andy Allan
ffa65d4d72 Add cancancan and the first ability definitions for site_controller 2018-06-17 13:56:23 -04:00
Tom Hughes
727ee97a3f Allow inline javascript and CSS in better_errors pages 2018-06-17 11:33:51 +01:00
J Guthrie
30756f72ca Change language immediately after updating settings 
Closes #1883
 2018-05-27 15:12:34 +01:00
Peter Karich
1cea6b363a Use XHR instead of jsonp for GraphHopper 
Closes #1872
 2018-05-17 20:47:58 +01:00
Tom Hughes
50f85248db Use https to launch the remote editor except for modern browsers 
Currently only Chrome 53+ and Firefox 55+ are known to support loading
of http resources from localhost for an https page.
 2018-05-15 14:21:09 +01:00
Tom Hughes
79284a0fcd Add frame-src to allow http://127.0.0.1:8111 2018-05-15 12:43:37 +01:00
Tom Hughes
0e810db927 Make CSP rule for the remote control explicitly allow http 2018-05-13 16:01:39 +01:00
Andy Allan
7b2af50f4a Refactor @this_user to @user 
Historically we used @user for the currently logged in user, but
this was changed to `current_user` in 2017.
 2018-04-11 11:42:33 +08:00
Tom Hughes
1f2ac59d1d Fix new rubocop warnings 2018-03-26 19:00:03 +01:00
Tom Hughes
a83030dab7 Fix new rubocop warnings 2018-01-22 18:55:45 +00:00
Tom Hughes
9cf698322c Merge remote-tracking branch 'upstream/pull/1707' 2018-01-13 10:35:42 +00:00
Tom Hughes
9340c46173 Remove dependencies on mapzen services 2018-01-02 18:45:20 +00:00
Guillaume RISCHARD
ca36cf2826 Remove support for soon discontinued josm remote https endpoint 2017-12-16 16:15:52 +01:00
Tom Hughes
986779966b Extend form-action policies for Chrome 
It seems that unlike other browsers Chrome requires that if a form
submission redirects that the redirected URL also match the form-action
policy rather than just requiring the original URL to match.
 2017-11-25 12:04:02 +00:00
Tom Hughes
6a1a4a3f7d Fix remote editing security policy 2017-11-24 00:46:27 +00:00
Tom Hughes
2cd81daf34 Add security policy for remote control editing 2017-11-24 00:43:14 +00:00
Tom Hughes
bb116b85df Allow third party images in user content 2017-11-23 22:39:05 +00:00
Tom Hughes
cea455d390 Update for ActionView::Template::Error change 2017-10-27 19:25:49 +01:00
Tom Hughes
8dae890a76 Fix rubocop warnings 2017-10-05 19:18:38 +01:00
Tom Hughes
ebeea34670 Replace @user with @current_user 
This ensures that that we will find any more hidden references
to @user that might be hanging around...
 2017-07-27 19:44:14 +01:00
Andy Allan
09ba878519 Convert @user to current_user 2017-07-27 10:31:31 +01:00
Andy Allan
c819bec8b7 Use a current_user helper for accessing the logged in user in all views. 2017-07-27 10:07:51 +01:00
Andy Allan
41000078b9 Convert remaining controller code to use current_user 
The `self.current_user` is important when assigning to the current user,
to avoid creating a local variable called `current_user`
 2017-07-27 10:07:51 +01:00
Tom Hughes
81deb35331 Update to rails 5.0.4 2017-06-27 08:26:44 +01:00
Tom Hughes
18c8946556 Use explicit to_unsafe_h method when converting parameters to a hash 2017-06-05 22:44:15 +01:00
Tom Hughes
ff97501ed0 Remove all use of the :text option to render 
It doesn't actually do what it says, as it sets the content type
to text/html not text/plain so is just confusing and as a result
has been deprecated in newer rails versions.
 2017-06-02 19:12:05 +01:00
Tom Hughes
5b33f3f8e3 Fix rubocop warnings 2017-06-02 00:08:30 +01:00
Tom Hughes
5cdb835de3 Show offline/readonly messages as normal flash messages 2017-03-10 16:30:04 +00:00
Tom Hughes
88d16deadd Detect a timeout encapsulated in ActionView::Template::Error 
Fixes #1476
 2017-03-06 17:50:09 +00:00
Tom Hughes
c5ef6404f5 Improve the content security policy 2017-03-01 22:38:24 +00:00
Tom Hughes
428e7d6baa Merge remote-tracking branch 'openstreetmap/pull/1467' 2017-02-26 22:22:48 +00:00
Simon Poole
12013f60a0 Externalize message about missing OAuth capabilities/permissions and make it less technical 2017-02-26 21:43:43 +01:00