The geocoder backend calls are a private implementation detail
and using POST enables request forgery checks and makes scraping
of nominatim via the backend calls harder.

This PR allows users to delete their own accounts. The logic implemented matches
that currently used by the admins when they manually close accounts, although
there is room to be more complex in future e.g. completely removing accounts
with no content.

The error handling has been slightly adapted for namespaced controllers, by
anchoring the controller name with a leading forward slash.

This is required to allow the account settings screen, which now
uses the PATCH verb, to redirect to OmniAuth when the external
authentication provider is changed.
As PATCH still uses CSRF this doesn't impact CVE-2015-9284 which
is the reason for requiring POST and most importantly for not
allowing GET requests to OmniAuth.

This opens up many possibilities for more interesting things to be
shown on the dashboard, as well as making it easier to find if
you have lots of content in your profile.

Because we don't have direct access to the session and cookies, some
of the tests need more setup e.g. by moving through the signup process
to get the session tokens into the right place for the confirmation
steps to work.
This is the modern way of writing controller tests, since it uses the
rails middleware (among other things) and leads to more realistic tests.
Refs #2563

This API clearly shows its age, having never been fully implemented
and simply returning 100 ways (or 2000 relations) at random matching
the provided tags.
It is, as far as I'm aware, completely unused. While it provides a
good amount of humour to anyone who reads the code, the time has come
for it to be retired.

This will eventually replace the unversioned 'capabilities' call.
Client applications can use this versions call to find out what versions
are available, if they support multiple versions. The capabilities
of each version, and the format of the capabilities call, is then
able to change between versions. If a client only supports one version
they can jump straight to the versioned capabilities call.
Additionally, supported versions are now a list of version identifiers,
without any implications surrounding min/max values (e.g. guesswork
for supported intermediate versions).
Fixes #2162