Andy Allan
d102c9aaf4
Move all settings to settings.yml
We leave the STATUS setting alone, since it's required before rails
boots. The test-specific settings now live in config/settings/test.yml
2019-03-13 18:06:23 +01:00
Andy Allan
3795da4014
Remove the require_terms_seen configuration option
This option has been set to 'true' for over six years in production.
Refs #2097
2019-02-06 14:54:56 +01:00
Simon Poole
26102f581f
Remove old MapQuest Directions routing support
2019-01-29 20:19:36 +00:00
Simon Poole
067290f19f
Remove old OSRM routing support
2019-01-29 20:19:36 +00:00
Simon Poole
8937099429
Add support for FOSSGIS routing server
2019-01-29 20:19:36 +00:00
Andy Allan
30a4fb85a9
Remove old authorization helpers
These have been replaced by abilities and capabilities
2019-01-16 11:55:01 +01:00
Andy Allan
131fd76cae
Ensure authorization checks happen for all controller methods
2019-01-16 11:45:13 +01:00
Tom Hughes
801271363d
Allow inline styling on pages that display the map
Both leaflet itself and at least one of our plugins use inline
styling to style markers so we need to allow it.
Fixes #2093
2018-12-31 09:32:13 +00:00
Tom Hughes
eb7c4cdedd
Allow abilities that require no login for token based access
Fixes #2085
2018-12-12 22:41:29 +00:00
Andy Allan
981e4a34b5
Use only token capabilities when a token is provided
The Authenticate#allow? method (from oauth-plugin) sets current_user as a side
effect of checking the token. But this allows a valid token to access
all actions that are available to that user, beyond the capabilities for
that token.
2018-12-12 16:16:23 +01:00
Andy Allan
3fd083d9d4
Remove the unused require_moderator filter
Use of this filter has been refactored to use CanCanCan
2018-11-28 15:59:47 +01:00
Andy Allan
ea766ec57d
Use CanCanCan for notes authorization
2018-11-28 15:59:47 +01:00
Andy Allan
8f70fb2114
Use CanCanCan for changeset comments
This introduces different deny_access handlers for web and api requests, since we want to avoid sending redirects as API responses. See #2064 for discussion.
2018-11-28 12:35:45 +01:00
Tom Hughes
dc6a5bc1a6
Take security policy URLs from the configuration file
2018-11-15 18:48:05 +00:00
Tom Hughes
ccdec3ed4c
Attempt to send pretty 403 errors to web browsers
2018-11-08 19:09:56 +00:00
Andy Allan
f11221f05b
Merge branch 'master' into cancancan
2018-10-31 11:16:47 +01:00
Tom Hughes
22af018298
Update translation keys for renaming of user to users
2018-10-29 12:48:20 +00:00
Andy Allan
0888f43d7b
Check the oauth token and then use the capabilities directly
2018-10-24 16:48:54 +02:00
Andy Allan
a50ad1c895
Rework the default denied access handler to give different responses to tokens, logged in users and other users
2018-10-24 09:39:02 +02:00
Andy Allan
b7baa2c10a
Remove temporary development code
2018-10-10 16:54:16 +02:00
Andy Allan
901c29a820
Fix typo in method name
2018-10-10 11:55:00 +02:00
Andy Allan
420a7289a0
Merge branch 'authz' of https://github.com/rubyforgood/openstreetmap-website into rubyforgood-authz
2018-10-10 11:26:30 +02:00
Andy Allan
3ec67ea2d3
Rename user_controller to users_controller
2018-10-03 15:31:10 +02:00
Tom Hughes
64146b4f36
Fix Style/SafeNavigation rubocop warnings
2018-09-22 17:21:06 +01:00
Chris Flipse
25256a4849
Make rubocop happy
2018-06-17 20:40:48 -04:00
Chris Flipse
91fc65a2e3
separate ability and capability
These are asking fundamentally different questions:
Abilities are asking the application if the user has a role that allows
the user to take a certain action.
Capabilities are asking if the user has granted the application permission to
perform a certain type of action.
CanCanCan makes no distinction, however, so the `granted_capabilities`
method is provided as a point that can be checked in rescue methods, so
that one can _attempt_ to continue to provide the more informative error
messages around permission refusals.
2018-06-17 13:57:32 -04:00
Chris Flipse
060c686c19
Use cancancan to authorize user_preference_controller
2018-06-17 13:57:06 -04:00
Chris Flipse
6b44a1976c
use a controller method to handle cancan denials
This will let controllers override for specific circumstances
2018-06-17 13:57:06 -04:00
Chris Flipse
6da3ece683
use token in ability checks
2018-06-17 13:56:23 -04:00
Chris Flipse
2ab3d56102
don't check authorization everywhere
2018-06-17 13:56:23 -04:00
Andy Allan
ffa65d4d72
Add cancancan and the first ability definitions for site_controller
2018-06-17 13:56:23 -04:00
Tom Hughes
727ee97a3f
Allow inline javascript and CSS in better_errors pages
2018-06-17 11:33:51 +01:00
J Guthrie
30756f72ca
Change language immediately after updating settings
Closes #1883
2018-05-27 15:12:34 +01:00
Peter Karich
1cea6b363a
Use XHR instead of jsonp for GraphHopper
Closes #1872
2018-05-17 20:47:58 +01:00
Tom Hughes
50f85248db
Use https to launch the remote editor except for modern browsers
Currently only Chrome 53+ and Firefox 55+ are known to support loading
of http resources from localhost for an https page.
2018-05-15 14:21:09 +01:00
Tom Hughes
79284a0fcd
Add frame-src to allow http://127.0.0.1:8111
2018-05-15 12:43:37 +01:00
Tom Hughes
0e810db927
Make CSP rule for the remote control explicitly allow http
2018-05-13 16:01:39 +01:00
Andy Allan
7b2af50f4a
Refactor @this_user to @user
Historically we used @user for the currently logged in user, but
this was changed to `current_user` in 2017.
2018-04-11 11:42:33 +08:00
Tom Hughes
1f2ac59d1d
Fix new rubocop warnings
2018-03-26 19:00:03 +01:00
Tom Hughes
a83030dab7
Fix new rubocop warnings
2018-01-22 18:55:45 +00:00
Tom Hughes
9cf698322c
Merge remote-tracking branch 'upstream/pull/1707'
2018-01-13 10:35:42 +00:00
Tom Hughes
9340c46173
Remove dependencies on mapzen services
2018-01-02 18:45:20 +00:00
Guillaume RISCHARD
ca36cf2826
Remove support for soon discontinued josm remote https endpoint
2017-12-16 16:15:52 +01:00
Tom Hughes
986779966b
Extend form-action policies for Chrome
It seems that, unlike other browsers, Chrome requires that if a form
submission redirects, the redirected URL also match the form-action
policy rather than just requiring the original URL to match.
2017-11-25 12:04:02 +00:00
Tom Hughes
6a1a4a3f7d
Fix remote editing security policy
2017-11-24 00:46:27 +00:00
Tom Hughes
2cd81daf34
Add security policy for remote control editing
2017-11-24 00:43:14 +00:00
Tom Hughes
bb116b85df
Allow third party images in user content
2017-11-23 22:39:05 +00:00
Tom Hughes
cea455d390
Update for ActionView::Template::Error change
2017-10-27 19:25:49 +01:00
Tom Hughes
8dae890a76
Fix rubocop warnings
2017-10-05 19:18:38 +01:00
Tom Hughes
ebeea34670
Replace @user with @current_user
This ensures that we will find any more hidden references
to @user that might be hanging around...
2017-07-27 19:44:14 +01:00