Tom Hughes
f1935b1c57
Merge remote-tracking branch 'upstream/pull/3257'
2021-07-21 19:24:31 +01:00
Andy Allan
29efa4337c
Remove incorrectly spelled helper_method
...
The spelling of language is wrong here, and the correct version
is already there further down at the preferred_language method definition
2021-07-21 17:28:23 +01:00
Andy Allan
9b8f2bbcbe
Remove code complexity around resetting language preferences
...
This was originally introduced since we saved the user and showed
the result on the same action. Now that the preferences controller
saves and redirects, the user model and associated language preferences
are reloaded between requests, and this code is no longer required.
2021-07-14 17:40:20 +01:00
Tom Hughes
b4a1e41968
Switch web site to use OAuth 2
2021-06-27 19:00:36 +01:00
Tom Hughes
e222329d04
Add support for OAuth2 using doorkeeper
2021-05-18 12:05:32 +01:00
Tom Hughes
bf851691bf
Fix deprecation warnings
2021-05-12 18:49:21 +01:00
Tom Hughes
93b8c47c8f
Reject referers that do not include an absolute path
2021-03-16 11:07:34 +00:00
Andy Allan
38ad8fbc36
Use login_path instead of explicit controller and actions
...
This makes future refactoring easier.
2021-03-10 14:31:55 +00:00
Andy Allan
4f304e2301
Remove SystemTimer and use stdlib Timeout directly
...
SystemTimer was only needed on ruby 1.8, and we dropped support for
that a long time ago.
2020-12-23 14:25:58 +00:00
Andy Allan
78b9d92207
Prefer keyword arguments when method has optional boolean arguments
2020-11-12 11:24:44 +00:00
Tom Hughes
7db541d697
Invalidate existing sessions when changing email or password
...
As we don't have any way to actually find the active sessions for
an account we instead store a fingerprint in the session, and refuse
to use any session with a different fingerprint.
2020-09-29 14:34:08 +01:00
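The session-fingerprint scheme described in the entry above, shown as an added example in plain Ruby. This is not the project's code: the user record is a constructed Struct, the fingerprint is assumed to be a SHA-256 over the email and the stored password hash (so changing either revokes every session minted before the change), and the session is a plain Hash standing in for the Rails session store.

```ruby
require "digest"

# Constructed stand-in for the user record; only the two fields whose
# change should revoke sessions are modelled.
User = Struct.new(:id, :email, :pass_crypt, keyword_init: true)

module SessionFingerprint
  # Assumption: fingerprint = hash over email and stored password hash.
  def self.fingerprint(user)
    Digest::SHA256.hexdigest("#{user.email}\0#{user.pass_crypt}")
  end

  # Called at login: remember who the session is for and the credentials
  # it was issued against.
  def self.login(session, user)
    session[:user] = user.id
    session[:fingerprint] = fingerprint(user)
    session
  end

  # Called on every request: load the user fresh, recompute the fingerprint
  # and refuse the session if it no longer matches.
  def self.current_user(session, users_by_id)
    user = users_by_id[session[:user]]
    return nil unless user

    stored = session[:fingerprint].to_s
    if stored.bytesize == 64 && secure_equal?(stored, fingerprint(user))
      user
    else
      session.clear # stale session: drop it rather than limp along
      nil
    end
  end

  # Constant-time comparison (no Rack/ActiveSupport dependency here).
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Scenario from the commit: a session exists, the password changes, and a
# new session is created. Returns [user id before, user id via old session
# after, user id via new session after, old session emptied?].
def demo
  alice = User.new(id: 1, email: "alice@example.org", pass_crypt: "hash-v1")
  users = { alice.id => alice }

  old_session = SessionFingerprint.login({}, alice)
  before = SessionFingerprint.current_user(old_session, users)

  alice.pass_crypt = "hash-v2" # password reset on another device
  new_session = SessionFingerprint.login({}, alice)

  after_old = SessionFingerprint.current_user(old_session, users)
  after_new = SessionFingerprint.current_user(new_session, users)
  [before&.id, after_old&.id, after_new&.id, old_session.empty?]
end

p demo if $PROGRAM_NAME == __FILE__
```

The check runs on every request because the server never learns which sessions exist; the fingerprint makes each session self-describing, so revocation needs no session table.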
Tom Hughes
abca51e4d8
Fix some Style/StringConcatenation warnings
2020-08-09 19:48:16 +01:00
Tom Hughes
75e135869e
Fix Style/ExplicitBlockArgument warnings
2020-08-09 19:06:04 +01:00
Tom Hughes
0e2a66e8de
Fix new rubocop warnings
2020-08-06 18:42:16 +01:00
Tom Hughes
2d3972249c
Fix some rubocop todos
2020-08-02 19:38:58 +01:00
Tom Hughes
f881a8c83c
Register warning and error flash types
...
Fixes #2743
2020-08-02 15:53:13 +01:00
Tom Hughes
d4130bcac8
Fix the Redirect warnings from Brakeman
...
Unfortunately I've had to leave the check disabled as Brakeman
can't see inside the safe_referer method so doesn't realise that
it is cleaning the referer.
2020-07-22 19:23:46 +01:00
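A referer sanitiser in the spirit of the "Reject referers that do not include an absolute path" and "Fix the Redirect warnings from Brakeman" entries above, as an added example rather than the project's safe_referer. Assumptions: the caller passes the site's own hostname; only http(s) referers on that host with an absolute path are accepted; the return value is path plus query only, so the redirect target can never name another host or scheme.

```ruby
require "uri"

# Returns a site-relative path to redirect to, or nil if the referer is
# absent, unparseable, on another host, or lacks an absolute path.
def safe_referer(referer, own_host)
  return nil if referer.nil? || referer.strip.empty?

  uri = begin
    URI.parse(referer)
  rescue URI::InvalidURIError
    return nil # garbage in the header: treat as absent
  end

  # Scheme-relative ("//evil"), javascript:, data: etc. are not URI::HTTP.
  return nil unless uri.is_a?(URI::HTTP) # URI::HTTPS < URI::HTTP
  return nil unless uri.host && uri.host.casecmp?(own_host)

  # "http://host" and "http://host?x" have an empty path; a path starting
  # with "//" would turn a relative Location into a protocol-relative one.
  path = uri.path.to_s
  return nil unless path.start_with?("/") && !path.start_with?("//")

  uri.query ? "#{path}?#{uri.query}" : path
end

# Redirect target resolution with a safe fallback (assumed default "/").
def redirect_target(referer, own_host, default: "/")
  safe_referer(referer, own_host) || default
end
```

Because the result is always host-less, a static analyser that tracks the redirect argument back to this function can see that user input never reaches the scheme or host of the Location header.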
Tom Hughes
9f993fe8c8
Fix new rubocop warnings
2020-07-07 10:44:52 +01:00
Tom Hughes
d6f518f627
More improvements to locale selection for the data browser
...
Use the browser language preferences for non-logged in users.
2020-06-07 19:10:48 +01:00
Tom Hughes
f3219ada14
Fix new rubocop warnings
2020-05-12 19:18:45 +01:00
mmd-osm
3159c3c3f7
JSON: return HTTP 406 for unsupported formats
2020-01-22 22:33:30 +01:00
Tom Hughes
9f57f60b87
Fix new rubocop warnings
2019-04-23 09:33:34 +01:00
Andy Allan
7b057545c0
Disentangle the api abilities from the web abilities
...
This will allow us to rename api actions without causing permissions headaches. The choice of
abilities files is made by inheriting from either api_controller or application_controller.
Also rename capabilities to api_capabilites, for consistency.
2019-03-27 18:07:29 +01:00
Tom Hughes
951564eed1
Merge remote-tracking branch 'upstream/pull/2186'
2019-03-23 12:01:05 +00:00
Tom Hughes
cba7945a5b
Use strings consistently for database/api/gpx status
2019-03-23 11:59:42 +00:00
Andy Allan
19c2f6d485
Move more api-only methods into api_controller
2019-03-20 15:08:36 +01:00
Andy Allan
8d207e7de0
Mark all methods in api_controller and application_controller as private
...
They aren't designed to be used as request endpoints, so there's no
need for them to be public.
2019-03-20 15:08:36 +01:00
Andy Allan
94d19ae567
Move the authorize method to api_controller
2019-03-20 14:39:17 +01:00
Andy Allan
742291a840
Simplify deny_access handling
...
Now that we have all api controllers inheriting from a common base,
it's easier to override the deny_access handler without having to
switch between both.
Fixes #2064
2019-03-20 14:39:17 +01:00
Tom Hughes
141df02e67
Move status into the settings object
...
Only the very early boot code needs to look at the value
from the environment directly.
2019-03-17 11:15:34 +00:00
Andy Allan
d102c9aaf4
Move all settings to settings.yml
...
We leave the STATUS setting alone, since it's required before rails
boots. The test-specific settings now live in config/settings/test.yml
2019-03-13 18:06:23 +01:00
Andy Allan
3795da4014
Remove the require_terms_seen configuration option
...
This option has been set to 'true' for over six years in production.
Refs #2097
2019-02-06 14:54:56 +01:00
Simon Poole
26102f581f
Remove old MapQuest Directions routing support
2019-01-29 20:19:36 +00:00
Simon Poole
067290f19f
Remove old OSRM routing support
2019-01-29 20:19:36 +00:00
Simon Poole
8937099429
Add support for FOSSGIS routing server
2019-01-29 20:19:36 +00:00
Andy Allan
30a4fb85a9
Remove old authorization helpers
...
These have been replaced by abilities and capabilities
2019-01-16 11:55:01 +01:00
Andy Allan
131fd76cae
Ensure authorization checks happen for all controller methods
2019-01-16 11:45:13 +01:00
Tom Hughes
801271363d
Allow inline styling on pages that display the map
...
Both leaflet itself and at least one of our plugins use inline
styling to style markers so we need to allow it.
Fixes #2093
2018-12-31 09:32:13 +00:00
Tom Hughes
eb7c4cdedd
Allow abilities that require no login for token based access
...
Fixes #2085
2018-12-12 22:41:29 +00:00
Andy Allan
981e4a34b5
Use only token capabilities when a token is provided
...
The Authenticate#allow? method (from oauth-plugin) sets current_user as a side
effect of checking the token. But this allows a valid token to access
all actions that are available to that user, beyond the capabilities for
that token.
2018-12-12 16:16:23 +01:00
Andy Allan
3fd083d9d4
Remove the unused require_moderator filter
...
Use of this filter has been refactored to use CanCanCan
2018-11-28 15:59:47 +01:00
Andy Allan
ea766ec57d
Use CanCanCan for notes authorization
2018-11-28 15:59:47 +01:00
Andy Allan
8f70fb2114
Use CanCanCan for changeset comments
...
This introduces different deny_access handlers for web and api requests, since we want to avoid sending redirects as API responses. See #2064 for discussion.
2018-11-28 12:35:45 +01:00
Tom Hughes
dc6a5bc1a6
Take security policy URLs from the configuration file
2018-11-15 18:48:05 +00:00
Tom Hughes
ccdec3ed4c
Attempt to send pretty 403 errors to web browsers
2018-11-08 19:09:56 +00:00
Andy Allan
f11221f05b
Merge branch 'master' into cancancan
2018-10-31 11:16:47 +01:00
Tom Hughes
22af018298
Update translation keys for renaming of user to users
2018-10-29 12:48:20 +00:00
Andy Allan
0888f43d7b
Check the oauth token and then use the capabilities directly
2018-10-24 16:48:54 +02:00
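The problem described in the "Use only token capabilities when a token is provided" entry above, and the approach in "Check the oauth token and then use the capabilities directly", shown side by side as an added example. This is not the project's code or CanCanCan: users, tokens and the action-to-scope mapping are constructed stand-ins, and the "before" version reproduces the side effect the commit message describes (the token check sets current_user, and the generic user check then runs).

```ruby
# Constructed stand-ins for the user and OAuth token records.
User  = Struct.new(:id, :moderator, keyword_init: true)
Token = Struct.new(:user, :scopes, keyword_init: true) # scopes: e.g. [:read_prefs]

# Assumed mapping from API action to the scope a token must carry.
SCOPE_FOR = {
  read_map: :read_map,
  write_api: :write_api,
  read_prefs: :read_prefs,
  hide_note: :hide_note
}.freeze

# What a logged-in user may do, regardless of how they authenticated
# (assumed: everything, except moderator-only actions).
def user_can?(user, action)
  return false unless user
  return user.moderator if action == :hide_note
  true
end

# Before: validating the token sets current_user as a side effect, and the
# request is then judged by the user's abilities, so any valid token
# unlocks every action that user could perform.
def allowed_before_fix?(session_user:, token:, action:)
  current_user = session_user
  current_user = token.user if token # side effect of the token check
  user_can?(current_user, action)
end

# After: a request carrying a token is judged by the token's scopes only;
# the user's standing is consulted just for moderator-gated actions.
def allowed_after_fix?(session_user:, token:, action:)
  if token
    token.scopes.include?(SCOPE_FOR.fetch(action)) && user_can?(token.user, action)
  else
    user_can?(session_user, action)
  end
end
```

The difference matters for a read-only token: under the first version it can write to the API because it identifies a user who can; under the second it can do only what the token was granted.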
Andy Allan
a50ad1c895
Rework the default denied access handler to give different responses to tokens, logged in users and other users
2018-10-24 09:39:02 +02:00
Andy Allan
b7baa2c10a
Remove temporary development code
2018-10-10 16:54:16 +02:00