Andy Allan
54aa89a4bf
Merge pull request #4884 from AntonKhorev/copyright-page-title
Add title to copyright page
2024-06-19 15:26:21 +01:00
Anton Khorev
a128b4f585
Move diary comments hide/unhide actions to comments controller
2024-06-17 18:16:31 +03:00
Anton Khorev
6624beff11
Move diary comments index action to comments controller
2024-06-10 16:32:53 +03:00
Anton Khorev
2cf3a52d40
Add title to copyright page
2024-06-07 12:51:38 +03:00
Anton Khorev
a73e20cd5c
Set Open Graph image to first image for diary entries
2024-06-06 17:28:57 +03:00
Tom Hughes
15e86708f1
Merge remote-tracking branch 'upstream/pull/4847'
2024-05-30 16:20:54 +01:00
Milan Cvetkovic
15623aa35a
Social sign-in: avoid re-authorization in users_controller#create
It does not add any additional guards against malicious users:
Malicious user may attempt to invoke `POST /users/new` with bogus
values for `auth_provider` and `auth_uid` resulting
in a new account to which user would have a way to login, other than
sending a password reset request.
In some cases, re-authorization would introduce additional
"Please login to your social account", or "Are you sure you want to be logged in"
popup triggered by identity provider.
This PR removes the re-authorization request from `POST /users/new` in authorization flow.
2024-05-30 05:43:45 +00:00
Andy Allan
c1cccd40fc
Move check_api_readable to api_controller
It's easier to skip the check in the two places that we need to, and
include it by default everywhere else.
2024-05-29 14:54:16 +01:00
Andy Allan
f2aaec4735
Standardise on avoiding except lists for check_api_readable
Although this is technically duplicative, it's much easier to read
and therefore to maintain, particularly if you put the _readable one
first.
2024-05-29 14:51:47 +01:00
Andy Allan
995bfa91ff
Remove duplicate database status checks
These are already done as part of the api checks
2024-05-29 14:51:20 +01:00
Andy Allan
91fc588556
Add api_status checks for user preferences API
2024-05-29 14:51:20 +01:00
Martin Raifer
ed15352f56
reintroduce unsafe-eval CSP rule for iD
fixes https://github.com/openstreetmap/iD/issues/10265
2024-05-29 11:26:08 +02:00
Tom Hughes
49b98c1fdd
Merge remote-tracking branch 'upstream/pull/4846'
2024-05-27 15:00:51 +01:00
Milan Cvetkovic
22bceff40b
Add proper referrer for authorization scenario
Fixes the following:
- `users_controller#new` loses referer in authorization scenario, when it was invoked after social signup succeeded
- the second invocation of `auth_success`, triggered by re-authorization initiated from `users_controller#create`
does not have referrer field set
- as a result, the final welcome screen does not offer final authorization, and drops into ID instead
Introduced by #4758 .
2024-05-27 13:31:20 +00:00
Tom Hughes
c834f9afe7
Merge remote-tracking branch 'upstream/pull/4841'
2024-05-27 10:33:34 +01:00
Martin Raifer
416fca5703
update script-src CSP rules for iD
2024-05-26 15:24:57 +02:00
Martin Raifer
4ef6876b32
allow data URIs for images in iD
2024-05-26 15:01:30 +02:00
Tom Hughes
20bdbb05c3
Switch to using rails builtin content security policy support
2024-05-22 16:38:59 +01:00
Andy Allan
8a5c9a8052
Merge pull request #4758 from tomhughes/login-referer
Stop using the session to persist the referer during login
2024-05-22 12:09:31 +01:00
Tom Hughes
ca893c1153
Fix new rubocop warnings
2024-05-21 18:21:56 +01:00
Tom Hughes
64af2816a3
Treat the body as UTF-8 for user_preferences#update
2024-05-16 17:51:33 +01:00
Andy Allan
ffda8d7ac5
Merge pull request #4680 from tomhughes/validate-page-numbers
Add parameter validation to pagination
2024-05-15 17:43:04 +01:00
Andy Allan
39963d8c70
Merge pull request #4633 from tomhughes/trace-images
Trace image cleanups
2024-05-15 16:38:00 +01:00
Andy Allan
ad4ab4603b
Merge pull request #4496 from tomhughes/disabled-auth-error
Return an error when a disabled authentication mechanism is used
2024-05-15 16:33:33 +01:00
Tom Hughes
ebb1fba41d
Really remove login.live.com from CSP allow list
2024-05-10 17:55:11 +01:00
Milan Cvetkovic
b07c758345
Fix CSP failures for Microsoft social sign-in
Replace login.live.com with login.microsoftonline.com in CSP allow list.
The URL changed with the move from using the omniauth-windowslive plugin
to the omniauth-microsoft_graph plugin but wasn't noticed until now.
2024-05-10 17:40:14 +01:00
Tom Hughes
74cc88fce4
Stop using the session to persist the referer during login
2024-05-06 10:55:07 +01:00
Tom Hughes
b625eefdeb
Merge remote-tracking branch 'upstream/pull/4455'
2024-05-06 09:15:03 +01:00
Tom Hughes
1874e5b1a2
Improve flash message handling in users#new
Only show the duplicate email message if we actually have errors
logged against the email field, and then show it as a warning.
In all other cases we show the generic informational hint about
social logins and pre-existing accounts.
2024-05-06 09:14:49 +01:00
Anton Khorev
5da2957591
Redirect to inbox after marking a message as read/unread disregarding referer
Avoids staying on the message page after the "Mark as unread" button is clicked and immediately reading the message again.
2024-05-05 15:32:47 +03:00
Anton Khorev
15e1459f25
Link to previous/next nonempty user's changeset on changeset pages
2024-05-01 15:02:59 +03:00
Milan Cvetkovic
4965c19b7a
Re-introduce additional round trip for verifying auth_provider
2024-04-29 11:32:54 +00:00
Milan Cvetkovic
c486dd5532
Rename verified_email to email_hmac parameter in /users/new
2024-04-29 11:32:54 +00:00
Milan Cvetkovic
9649b192c0
Add preferred provider social signup
- Add preferred provider for authorization to login and signup pages.
To use, the 3rd party application would have to add `preferred_provider=...`
parameter to OAuth2 authorization request.
- Resize 3rd party provider icons
- Add "login to authorize" heading to login and signup screens
2024-04-29 11:32:54 +00:00
Milan Cvetkovic
0c7c950149
Add social signin buttons to signup screen, avoid repeating round trip to auth provider.
2024-04-27 12:44:10 +01:00
Milan Cvetkovic
f8a606869e
Remove email confirmation field in signup form
2024-04-27 12:44:09 +01:00
Milan Cvetkovic
1276fb944a
Merge login and terms screens, assume TOU and contributor terms are accepted on /user/new form
This eliminates the need for "terms" screen after /user/new form.
Terms screen is still required for legacy users who never accepted the terms.
2024-04-27 12:44:09 +01:00
Tom Hughes
d8b468e7a1
Add validation for maximum ID passed to changesets#index
2024-04-11 10:08:20 +01:00
Tom Hughes
e3c43e4a1a
Add validation for before/after parameters to pagination concern
2024-04-11 10:08:20 +01:00
Tom Hughes
5d887a37bf
Add validation for page number passed to notes#index
2024-04-11 10:08:20 +01:00
Tom Hughes
feff501b25
Add framework for parameter validation using rails_param gem
2024-04-11 10:08:20 +01:00
Anton Khorev
588b77244b
Rename api OldController to OldElementsController
2024-04-02 16:11:09 +03:00
Tom Hughes
c79da4746a
Merge remote-tracking branch 'upstream/pull/4637'
2024-04-01 18:54:52 +01:00
Tom Hughes
d2688d4d63
Merge remote-tracking branch 'upstream/pull/4639'
2024-04-01 18:37:27 +01:00
Anton Khorev
c2c5892112
Rename api changesets index template
2024-03-30 08:39:29 +03:00
Anton Khorev
765165777e
Rename api changesets index action
2024-03-30 08:26:58 +03:00
Anton Khorev
558c8765f5
Rename api changeset show template
Make template name correspond to action name.
2024-03-30 08:10:24 +03:00
Anton Khorev
134f9e2df1
Use before/after pagination on users page
2024-03-29 18:21:15 +03:00
Tom Hughes
6059ed0d92
Drop redundant support for legacy trace files
2024-03-28 17:27:28 +00:00
Tom Hughes
91143a5959
Use imported scope to simplify trace controller methods
2024-03-28 17:26:04 +00:00