Commit graph

165 commits

Author SHA1 Message Date
Tom Hughes
5ca24de0d0 Merge remote-tracking branch 'upstream/pull/5452' 2025-02-15 11:15:25 +00:00
Anton Khorev
03867e2fee Remove current_user branch from ApiController#deny_access
Unreachable because if there's no doorkeeper_token, there's also no current_user.
2025-02-15 01:20:06 +03:00
Anton Khorev
9ec7e8c888 Skip blocks check when getting active blocks list 2025-02-14 14:16:48 +03:00
Anton Khorev
2d46b44872 Add write_changeset_comments scope 2025-02-14 00:17:45 +03:00
Anton Khorev
77a2657d33 Pass scopes instead of token to ApiAbility 2025-02-14 00:15:52 +03:00
Anton Khorev
304e0ef638 Pass user to ApiAbility 2025-02-14 00:15:52 +03:00
Tom Hughes
43f40c5d03 Stop using session flash to communicate with callbacks 2025-02-12 00:09:40 +00:00
Anton Khorev
47a8907e2a Move scope_enabled? to ApiController 2025-01-24 05:56:23 +03:00
Anton Khorev
cdce867183 Merge ApiCapability class into ApiAbility 2024-12-20 18:39:08 +03:00
Tom Hughes
ad2e50fcfb Merge remote-tracking branch 'upstream/pull/5245' 2024-10-02 18:36:03 +01:00
Andy Allan
83425edd8d Move api error handling and timeouts to parent class
Fixes #4861

Since the around_action is defined before authorize_resource is called,
the handler needs to pass on the CanCan::AccessDenied exception.

I've added the timeouts where I think they were missing (e.g. UserPreferencesController)
but I've kept the exception for changeset#upload and traces#create
2024-10-02 16:37:32 +01:00
Tom Hughes
6789fc3081 Drop support for ruby 3.0
Also add Ubuntu 24.04 and drop 20.04 as 24.04 is needed for
ruby 3.1 without rvm so we should test it.
2024-09-17 20:39:22 +01:00
Tom Hughes
973d62a25e Drop support for basic authentication 2024-09-02 19:00:57 +01:00
Tom Hughes
17bc0853a0 Drop support for OAuth 1 2024-09-01 03:43:02 +03:00
Tom Hughes
3e77cae66c Clear current_user if we reject OAuth 1
This ensures we don't try and do any further validation of the
user which might lead to trying to report additional errors.
2024-07-07 19:40:28 +01:00
Andy Allan
c1cccd40fc Move check_api_readable to api_controller
It's easier to skip the check in the two places that we need to, and
include it by default everywhere else.
2024-05-29 14:54:16 +01:00
Andy Allan
ad4ab4603b Merge pull request #4496 from tomhughes/disabled-auth-error
Return an error when a disabled authentication mechanism is used
2024-05-15 16:33:33 +01:00
Anton Khorev
604bba10ec Remove assert_method from api controllers 2024-03-25 07:15:16 +03:00
Tom Hughes
29cc21c599 Drop user tokens table 2024-02-28 21:02:54 +00:00
Tom Hughes
519c13d4cd Allow OAuth 1.0a to be disabled 2024-02-25 08:56:09 +00:00
Tom Hughes
1a684a7766 Return an error when basic authentication is used and is disabled 2024-02-25 08:53:44 +00:00
Tom Hughes
24f579562f Attempt to make timeouts work properly 2024-01-29 19:37:59 +00:00
Tom Hughes
ba503e02d2 Enforce rate limit for API calls which make changes 2023-11-02 08:59:57 +00:00
Tom Hughes
d1d3c2597e Handle timeouts inside a view for API calls 2023-09-07 00:32:11 +01:00
Andy Allan
4c564e5a32 Move more api-related helper methods to ApiController
This prevents them from being inadvertently used in non-API controllers
2023-01-11 15:28:59 +00:00
Tom Hughes
0ae438a5c1 Add a configuration option to disable HTTP basic authentication 2022-07-08 17:25:20 +01:00
Tom Hughes
0c524b2408 Log any use of basic authentication 2022-07-08 17:13:02 +01:00
Tom Hughes
5d67fa3908 Fix some Naming/AccessorMethodName rubocop warnings 2022-03-08 19:10:05 +00:00
Tom Hughes
cfb4a70129 Fix Lint/DuplicateBranch rubocop warnings 2022-03-08 19:05:37 +00:00
Tom Hughes
e222329d04 Add support for OAuth2 using doorkeeper 2021-05-18 12:05:32 +01:00
Tom Hughes
70c4a750d7 Fix new rubocop warnings 2020-09-16 08:28:25 +01:00
Tom Hughes
aaf9d15d56 Rework set_default_request_format as set_request_formats
Instead of trying to work out the exact format, just figure
out the list of allowed formats and let rails do the rest.
2020-02-29 15:28:23 +00:00
mmd-osm
b556b054d1 JSON: added clarification for non-supported Accept header formats 2020-01-22 17:38:28 +01:00
mmd-osm
03ca0b2c69 Added Accept header unit tests 2020-01-12 17:46:11 +01:00
mmd-osm
97036c181e JSON output, handle Accept header 2020-01-02 15:17:11 +01:00
mmd-osm
45a1d298a9 Move default_format_xml to api_controller 2019-12-30 17:26:00 +01:00
Tom Hughes
57f5b7840e Fix rubocop warnings 2019-12-04 19:31:53 +00:00
Andy Allan
7b057545c0 Disentangle the api abilities from the web abilities
This will allow us to rename api actions without causing permissions headaches. The choice of
abilities files is made by inheriting from either api_controller or application_controller.

Also rename capabilities to api_capabilites, for consistency.
2019-03-27 18:07:29 +01:00
Tom Hughes
951564eed1 Merge remote-tracking branch 'upstream/pull/2186' 2019-03-23 12:01:05 +00:00
Andy Allan
19c2f6d485 Move more api-only methods into api_controller 2019-03-20 15:08:36 +01:00
Andy Allan
8d207e7de0 Mark all methods in api_controller and application_controller as private
They aren't designed to be used as request endpoints, so there's no
need for them to be public.
2019-03-20 15:08:36 +01:00
Andy Allan
94d19ae567 Move the authorize method to api_controller 2019-03-20 14:39:17 +01:00
Andy Allan
742291a840 Simplify deny_access handling
Now that we have all api controllers inheriting from a common base,
it's easier to override the deny_access handler without having to
switch between both.

Fixes #2064
2019-03-20 14:39:17 +01:00
Andy Allan
3bb07e29ec Refactor api controllers to inherit from a common ApiController 2019-03-20 14:16:15 +01:00
Andy Allan
f4e2990526 Move map method to its own controller 2019-02-24 11:44:10 +01:00
Andy Allan
d887252eeb Move the changes api to its own controller 2019-02-24 11:00:28 +01:00
Andy Allan
8383fd0928 Move the permissions call out of api_controller 2019-02-24 11:00:28 +01:00
Andy Allan
317b8f9d45 Move the trackpoints call into its own controller (and rename to tracepoints) 2019-02-24 11:00:28 +01:00
Andy Allan
6a4092bc16 Move the capabilities call out of api_controller 2019-02-24 11:00:20 +01:00
Andy Allan
e7f943c715 Use CanCanCan for nodes, ways, relations, old and api controllers 2019-01-16 10:12:19 +01:00