Andy Allan
f18baae22e
Refactor login/logout into sessions controller
...
Certain controller methods are shared with oauth-based logins, and these have been
moved to a concern.
2021-03-24 11:32:46 +00:00
Tom Hughes
4c2e4de5c0
Handle errors checking for gravatars
2021-03-21 10:24:53 +00:00
Tom Hughes
afb22209bf
Allow form submission to any location from the login page
...
This allows openid login to work on browsers like Chrome that enforce
the form-action rule for redirect POST requests.
Fixes #3131
2021-03-14 10:18:32 +00:00
Andy Allan
38ad8fbc36
Use login_path instead of explicit controller and actions
...
This makes future refactoring easier.
2021-03-10 14:31:55 +00:00
Tom Hughes
2233edbcfa
Use a 307 Temporary Redirect to redirect to authentication
...
When the user wants to enable an external authenticator we need
to redirect to omniauth but that now needs to be a POST so use a
redirect that preserves the POST method.
Fixes #3114
2021-03-03 09:27:33 +00:00
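The method-preservation point in the commit above, as an added example (not code from openstreetmap-website): a Rack-shaped app with a settings page that hands the browser off to an OmniAuth-style endpoint which only accepts POST, plus a minimal browser that follows redirects the way real user agents do. The paths and the 405 behaviour of the `/auth` endpoint are assumptions made for the illustration.

```ruby
require "uri"

# Added example, not openstreetmap-website code. It models a settings page
# that hands a POST off to an OmniAuth-style endpoint accepting only POST,
# and shows why the hand-off must be a 307 rather than a 302.

# How mainstream browsers treat the request method when following a redirect:
# 301/302/303 turn a POST into a GET, 307/308 keep the method and body.
def method_after_redirect(method, status)
  case status
  when 307, 308 then method
  when 301, 302, 303 then method == "HEAD" ? "HEAD" : "GET"
  else raise ArgumentError, "#{status} is not a redirect status"
  end
end

# A tiny Rack-shaped app: env is a Hash, the result is [status, headers, body].
# Paths and the 405 response are assumptions for this example.
def build_app(redirect_status)
  lambda do |env|
    case env["PATH_INFO"]
    when "/account/settings"
      # the user asked to link an external authenticator: send them on to /auth/openid
      [redirect_status, { "Location" => "/auth/openid" }, []]
    when "/auth/openid"
      # OmniAuth 2.x style: only POST is accepted here
      if env["REQUEST_METHOD"] == "POST"
        [302, { "Location" => "https://openid.example/login" }, []]
      else
        [405, {}, ["method not allowed"]]
      end
    else
      [404, {}, []]
    end
  end
end

# Minimal browser: follows same-origin redirects, applying the method rule above.
# Returns [final_status, method_used_for_last_request, final_location].
def browse(app, method, path, max_hops: 5)
  max_hops.times do
    status, headers, _body = app.call("REQUEST_METHOD" => method, "PATH_INFO" => path)
    location = headers["Location"]
    return [status, method, location] unless (300..399).cover?(status) && location

    uri = URI.parse(location)
    return [status, method, location] if uri.host # external site: stop following

    method = method_after_redirect(method, status)
    path = uri.path
  end
  raise "too many redirects"
end

# With a 302 the /auth endpoint sees a GET and refuses; with a 307 it sees the POST
# and can carry on to the external provider.
def compare_redirects
  {
    302 => browse(build_app(302), "POST", "/account/settings"),
    307 => browse(build_app(307), "POST", "/account/settings")
  }
end
```

`compare_redirects` returns `[405, "GET", nil]` for the 302 variant and `[302, "POST", "https://openid.example/login"]` for the 307 variant, which is exactly the difference the commit relies on.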
Tom Hughes
1f136a84a6
Prevent CSRF bypass with login form
2021-02-10 20:39:23 +00:00
Tom Hughes
51af102c00
Prevent CSRF bypass with password reset form
2021-02-09 23:00:21 +00:00
Tom Hughes
7810734ac4
Prevent CSRF bypass updating account details
...
Fixes #3089
2021-02-08 12:24:43 +00:00
Tom Hughes
bc233420dd
Allow form post to third party authentication providers
2021-02-06 11:10:14 +00:00
Tom Hughes
5912a8011b
Update to Omniauth 2.x
...
This requires converting all use of the /auth endpoints
to use the POST method as GET is no longer supported.
2021-02-02 19:49:03 +00:00
Tom Hughes
812f5b44e8
Redirect after saving settings in case the username has changed
...
Fixes #3059
2021-01-19 18:57:34 +00:00
Andy Allan
78b9d92207
Prefer keyword arguments when method has optional boolean arguments
2020-11-12 11:24:44 +00:00
Tom Hughes
20ce10a9ef
Allow redirects to authentication services from the settings page
...
Chrome and Safari require redirects to match the form-action rule
as well as the original submission address.
2020-10-29 21:29:35 +00:00
Andy Allan
2559226be3
Avoid various uses of html_safe
...
We can avoid using `html_safe` in various circumstances, through alternative approaches like i18n keys ending in `_html` or using `safe_join` to avoid converting via unsafe string types.
The `_html` keys approach only works for the ActionView helper version of `t`, not the base `I18n.t` method.
2020-10-21 15:43:14 +02:00
Andy Allan
2c1033f62d
Rename Notifier to UserMailer
...
It's a convention in rails to name your mailers with a Mailer suffix, and is also common to name the class after the recipient (e.g. User, Admin). So UserMailer seems a reasonable choice.
2020-10-14 15:04:58 +02:00
Tom Hughes
7db541d697
Invalidate existing sessions when changing email or password
...
As we don't have any way to actually find the active sessions for
an account we instead store a fingerprint in the session, and refuse
to use any session with a different fingerprint.
2020-09-29 14:34:08 +01:00
Tom Hughes
c694c78c9a
Delete any outstanding tokens when a user changes their email
...
This ensures that any tokens previously sent to the old email address
can no longer be used if somebody were able to access that address.
2020-09-29 13:47:40 +01:00
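The two commits above (session fingerprinting on credential change, and discarding outstanding tokens on an email change) as one added example, not openstreetmap-website code. The `User` class, its field names and the in-memory token list are assumptions; the point is that the session records a digest of the credentials it was created under, so a later change invalidates every other session without the server needing to enumerate them.

```ruby
require "digest"
require "securerandom"

# Added example, not openstreetmap-website code. Field names, the in-memory
# token list and the session hash layout are assumptions for this example.

class User
  attr_reader :id, :email, :pass_crypt, :tokens

  def initialize(id:, email:, pass_crypt:)
    @id = id
    @email = email
    @pass_crypt = pass_crypt
    @tokens = [] # e.g. password-reset or confirmation tokens sent by mail
  end

  # Derived from exactly the attributes whose change should log everyone out.
  # Any stored session created under different values will no longer match.
  def fingerprint
    Digest::SHA256.hexdigest("#{email}\n#{pass_crypt}")
  end

  def issue_token
    token = SecureRandom.hex(16)
    @tokens << token
    token
  end

  def change_email(new_email)
    @email = new_email
    @tokens.clear # anything mailed to the old address must now be unusable
  end

  def change_password(new_pass_crypt)
    @pass_crypt = new_pass_crypt
  end
end

# Called at login: record whose session this is and what their credentials
# looked like at the time.
def start_session(user)
  { "user_id" => user.id, "fingerprint" => user.fingerprint }
end

# Called on every request: a session whose fingerprint no longer matches the
# user's current credentials is refused, even though nothing ever explicitly
# revoked it. The fingerprint is not a secret (the session cookie is), so a
# plain comparison is enough here.
def session_valid?(session, user)
  session["user_id"] == user.id && session["fingerprint"] == user.fingerprint
end
```

Note the asymmetry: a password change leaves any outstanding mailed tokens alone (they were sent to an address still under the user's control), while an email change clears them, which is the behaviour the second commit describes.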
Tom Hughes
21adea321b
Convert password reset forms to use bootstrap
2020-09-04 00:36:43 +01:00
Tom Hughes
b7432e9432
Handle new rubocop warnings
2020-09-02 07:18:21 +01:00
Tom Hughes
abca51e4d8
Fix some Style/StringConcatenation warnings
2020-08-09 19:48:16 +01:00
Tom Hughes
d4130bcac8
Fix the Redirect warnings from Brakeman
...
Unfortunately I've had to leave the check disabled as Brakeman
can't see inside the safe_referer method so doesn't realise that
it is cleaning the referer.
2020-07-22 19:23:46 +01:00
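An added example of the kind of check Brakeman cannot see through (this is not openstreetmap-website's `safe_referer`): a "return to" value taken from the request is reduced to a path on the site's own host, and anything else falls back to a known-safe default. The host name, default path and function signature are assumptions.

```ruby
require "uri"

# Added example, not openstreetmap-website's safe_referer. The referer is
# attacker-controlled, so it is reduced to a same-site path before being
# used as a redirect target. SITE_HOST and DEFAULT_PATH are assumptions.
SITE_HOST = "www.example.org"
DEFAULT_PATH = "/"

def safe_referer(referer, site_host: SITE_HOST, default: DEFAULT_PATH)
  return default if referer.nil? || referer.empty?

  uri = URI.parse(referer)

  # Absolute URLs are only accepted for our own host over http(s). This also
  # rejects protocol-relative "//evil.example/x" (host set, scheme nil) and
  # "https://www.example.org@evil.example/" (the host is evil.example).
  if uri.host
    return default unless %w[http https].include?(uri.scheme) && uri.host.casecmp?(site_host)
  end

  path = uri.path.to_s
  # A bare path must start with exactly one slash: "//host" would be read by
  # the browser as a new authority, and backslashes are treated the same way.
  return default unless path.start_with?("/") && !path.start_with?("//") && !path.include?("\\")

  path += "?#{uri.query}" if uri.query
  path
rescue URI::InvalidURIError
  default
end
```

The check deliberately rebuilds the destination from parsed components rather than passing the original string through, so a value such as `javascript:alert(1)` (no path) or a URL for another host ends up as the default path.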
Andy Allan
600812f6ad
Rework user#set_status and #delete to avoid GET requests
...
This renames the delete action to destroy, and starts using resourceful
routing for user actions.
2020-06-10 11:49:18 +02:00
Andy Allan
8ebfdbc1ff
Move make_friend and remove_friend to friendships controller
2020-06-03 18:23:07 +02:00
Andy Allan
8a774e7519
Use a post link to logout
...
This avoids needing to access the session id, which is currently
only working with the memcache store.
The fallback page is preserved for anyone who wants to logout without
using javascript.
Refs #2488
2020-01-08 14:03:05 +01:00
Tom Hughes
57f5b7840e
Fix rubocop warnings
2019-12-04 19:31:53 +00:00
Tom Hughes
1f880528bd
Fix new rubocop warnings
2019-07-18 16:47:08 +01:00
Tom Hughes
3cfffc2258
Update gravatar methods to check for Active Storage images
2019-07-16 22:29:07 +01:00
Tom Hughes
905a7eadb6
Defer deletion of avatars to a background job
2019-07-16 08:27:14 +01:00
Tom Hughes
6c202448ad
Move user images to Active Storage with paperclip as a fallback
2019-07-09 19:17:30 +01:00
Tom Hughes
d2d5d48f29
Allow signups to be blocked by MX host
2019-06-23 11:21:03 +01:00
Andy Allan
d33b1f6b29
Pass the models, not the ids, when dealing with friendships
2019-06-19 16:56:31 +02:00
Andy Allan
1cf8fec58d
Rename Friend model to Friendship
...
This better describes what the model represents, which is the relationship
between the two users.
2019-06-19 16:39:25 +02:00
Simon Poole
1be8d599e8
Add checkbox for contributor terms and improve text
2019-05-13 16:54:29 +02:00
Simon Poole
fa81a608f7
Remove unnecessary test for 0
2019-05-13 16:54:29 +02:00
Simon Poole
e30813bbb1
Rubocop fixes and increase per method complexity limit from 23 to 25
2019-05-13 16:54:29 +02:00
Simon Poole
6d7a713c12
Require that tou_read checkbox is set
2019-05-13 16:54:29 +02:00
Simon Poole
077834704e
Add links to the ToU and include them in signup
...
- this adds links to the ToU in the Welcome box and on the About page
- adds a timestamp column to the users table to record acceptance of the ToU
- require ToU to be accepted before signup can proceed
- rearrange and change text on signup page
2019-05-13 16:52:18 +02:00
Tom Hughes
6600221fe3
Fix database offline mode
2019-03-17 11:15:34 +00:00
Andy Allan
d102c9aaf4
Move all settings to settings.yml
...
We leave the STATUS setting alone, since it's required before rails
boots. The test-specific settings now live in config/settings/test.yml
2019-03-13 18:06:23 +01:00
Tom Hughes
94b59f4403
Merge remote-tracking branch 'upstream/pull/2161'
2019-02-28 19:17:40 +00:00
Andy Allan
4b4c5aac2f
Move the user api methods into a separate controller in the api namespace
2019-02-28 17:12:28 +01:00
Tom Hughes
d2ff1491b4
Avoid CSP issues with OpenID login
...
To avoid Chrome getting upset about sending form data to sites
that our policy doesn't allow, even when it isn't, use Javascript
to jump straight to Omniauth as the direct OpenID based login
buttons were already doing.
Fixes #1909
2019-02-25 11:46:12 +00:00
Andy Allan
3795da4014
Remove the require_terms_seen configuration option
...
This option has been set to 'true' for over six years in production.
Refs #2097
2019-02-06 14:54:56 +01:00
Andy Allan
ca596106f5
Refactor users_controller to use CanCanCan for authorisation
2018-12-12 16:17:24 +01:00
Andy Allan
b54362d458
Use deliver_later for all email sending
2018-10-31 16:38:12 +01:00
Andy Allan
3ec67ea2d3
Rename user_controller to users_controller
2018-10-03 15:31:10 +02:00