Commit graph

421 commits

Author SHA1 Message Date
Tom Hughes
aec7af87d7 Disable peer host name validation when sending email 2022-02-16 22:48:26 +00:00
Andy Allan
ce4fbc63ec Merge pull request #3414 from tomhughes/rails7
Update to rails 7.x
2022-02-16 15:16:53 +00:00
Andy Allan
2fabc46421 Merge pull request #3440 from mmd-osm/relationmemberlimit
Introduce relation member limit
2022-02-16 14:58:30 +00:00
Tom Hughes
7eafdca51c Update to rails 7.0.2.2 2022-02-16 14:26:57 +00:00
Tom Hughes
1612ea75c5 Allow trace image URL to be configured in the CSP policy 2022-02-13 19:25:42 +00:00
mmd-osm
2efd73c672 Introduce relation member limit
Adds a new parameter `max_number_of_relation_members` in settings.yml
2022-02-02 13:15:40 +01:00
Tom Hughes
7de3143525 Switch to 6.1 defaults as everything has been enabled for some time 2021-12-30 19:55:13 +00:00
Tom Hughes
b0288b83bb Allow PATCH for OmniAuth requests
This is required to allow the account settings screen, which now
uses the PATCH verb, to redirect to OmniAuth when the external
authentication provider is changed.

As PATCH still uses CSRF this doesn't impact CVE-2015-9284 which
is the reason for requiring POST and most importantly for not
allowing GET requests to OmniAuth.
2021-12-27 10:34:24 +00:00
Tom Hughes
bb5954e489 Drop unused browser feature predicates 2021-11-19 18:10:50 +00:00
Tom Hughes
ad0cfee788 Fix boot warnings for autoloaded constants in initializers 2021-11-16 19:08:26 +00:00
Tom Hughes
64604a852f Add a privileged scope that allows authorization to be skipped 2021-08-26 17:22:25 +01:00
Tom Hughes
6c6e8883f7 Introduce privileged scopes that only an administrator can enable 2021-08-26 17:22:24 +01:00
Tom Hughes
ba8093f13a Allow cross origin access to OAuth 2 token endpoints 2021-07-06 19:30:05 +01:00
Tom Hughes
9db8488e7f Allow cross origin access to trace data
Fixes #3252
2021-07-06 19:29:42 +01:00
Tom Hughes
e9010306c5 Enable access token reuse for OAuth 2 2021-06-24 20:40:23 +01:00
Tom Hughes
76b45e5dde Update doorkeeper configuration file from master template 2021-06-24 20:40:23 +01:00
Tom Hughes
8d76be71bb Merge remote-tracking branch 'upstream/pull/3177' 2021-06-24 08:43:18 +01:00
Tom Hughes
1096b3b8e2 Don't mark banner cookies as HttpOnly
Fixes #3231
2021-06-23 15:08:45 +01:00
Tom Hughes
baa32464cd Drop last vestiges of ruby 2.5 support 2021-06-08 20:33:25 +01:00
Tom Hughes
29032847d9 Set a referrer policy 2021-06-04 21:50:15 +01:00
Tom Hughes
aa9ce8b6db Allow OAuth 2 to redirect to plain HTTP for localhost 2021-05-18 12:05:33 +01:00
Tom Hughes
e222329d04 Add support for OAuth2 using doorkeeper 2021-05-18 12:05:32 +01:00
Tom Hughes
be9a9a1556 Enable variant tracking for Active Storage 2021-05-17 19:29:12 +01:00
Tom Hughes
a533d341f0 Enable some more rails 6.1 defaults 2021-05-17 19:20:32 +01:00
Tom Hughes
84abb70f17 Default rails generated cookies to SameSite=Lax 2021-05-17 18:39:22 +01:00
Tom Hughes
c4d2f74408 Switch to new defaults for queue names 2021-05-13 20:41:41 +01:00
Tom Hughes
c7ad888015 Enable new Active Job defaults 2021-05-13 20:26:14 +01:00
Tom Hughes
94c5151064 Enable link header for asset preloading 2021-05-13 19:57:47 +01:00
Tom Hughes
32ebe67c00 Enable new connection handling API 2021-05-13 19:54:07 +01:00
Tom Hughes
afc4c6fde1 Enable use of URL safe CSRF tokens 2021-05-13 19:52:02 +01:00
Tom Hughes
a71b8af4d1 Update to rails 6.1.3.2 2021-05-12 18:49:21 +01:00
Tom Hughes
4d164df5b8 Drop monkey patch that is no longer needed with rails 6 2021-05-10 20:17:44 +01:00
Tom Hughes
1ba10fa9ac Drop monkey patch that is no longer required 2021-05-10 18:52:34 +01:00
Tom Hughes
46eae20478 Monkey patch oauth gem to avoid use of deprecated URI.unescape 2021-04-26 22:10:45 +01:00
Tom Hughes
89456c8b40 Handle UTF-8 correctly in monkey patched OAuth::Helper.escape
Fixes #3185
2021-04-26 22:10:45 +01:00
Tom Hughes
ad6c0d3eba Monkey patch oauth gem to avoid use of deprecated URI.escape 2021-04-22 18:53:27 +01:00
Andy Allan
bb2afc3e8b Prevent addition of style attributes to all elements 2021-03-24 20:55:30 +00:00
Andy Allan
d7eac9b5a8 Strip away class attributes from sanitized outputs
There's a lot of shenanigans that are possible when you can apply
arbitrary classes to the rendered output.
2021-03-24 19:15:21 +00:00
Andy Allan
f442bb9e80 Rework configuration to use Sanitize::Config.merge
This is the recommended approach, and works better when dealing with deeper attributes
2021-03-24 18:19:14 +00:00
Tom Hughes
f91dd6afc2 Tighten up cookie security
Mark all cookies as Secure, and the cookies which are not
modified client side as HttpOnly.
2021-02-19 18:18:13 +00:00
Tom Hughes
cea93e7244 Fix new rubocop warnings 2021-02-02 18:56:29 +00:00
Andy Allan
78bf2993e4 Refactor richtext fields to use a custom bootstrap_form input.
This allows us to use form_group_builder and get all the label and
help text handling in line with other bootstrap_form inputs.
2021-01-13 14:05:39 +00:00
Tom Hughes
b7d6243aff Restore ruby 2.5 compatibility 2021-01-11 20:04:13 +00:00
Tom Hughes
0654be27f9 Fix new rubocop warnings 2021-01-11 19:17:31 +00:00
Tom Hughes
0ff89c31e4 Remove both Potlatch versions
Fixes #2622
2021-01-05 21:18:45 +00:00
Tom Hughes
3e150205ad Remove unnecessary inflection 2021-01-01 11:54:29 +00:00
Tom Hughes
eada36ff96 Switch to using the zeitwork autoloader 2020-12-30 20:30:21 +00:00
Tom Hughes
e392556444 Revert "Switch to using the zeitwork autoloader"
This reverts commit 127880a73f.
2020-12-29 19:29:36 +00:00
Tom Hughes
127880a73f Switch to using the zeitwork autoloader 2020-12-29 18:42:22 +00:00
Tom Hughes
5d96da3b67 Merge remote-tracking branch 'upstream/pull/2983' into master 2020-11-25 16:59:23 +00:00