cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
10228 commits 4 branches 1 tag 499 MiB
Commit graph

198 commits

Author SHA1 Message Date
Tom Hughes
f881a8c83c Register warning and error flash types 
Fixes #2743
 2020-08-02 15:53:13 +01:00
Tom Hughes
d4130bcac8 Fix the Redirect warnings from Brakeman 
Unfortunately I've had to leave the check disabed as Brakeman
can't see inside the safe_referer method so doesn't realise that
it is cleaning the referer.
 2020-07-22 19:23:46 +01:00
Tom Hughes
9f993fe8c8 Fix new rubocop warnings 2020-07-07 10:44:52 +01:00
Tom Hughes
d6f518f627 More improvements to locale selection for the data browser 
Use the browser language preferences for non-logged in users.
 2020-06-07 19:10:48 +01:00
Tom Hughes
f3219ada14 Fix new rubocop warnings 2020-05-12 19:18:45 +01:00
mmd-osm
3159c3c3f7 JSON: return HTTP 406 for unsupported formats 2020-01-22 22:33:30 +01:00
Tom Hughes
9f57f60b87 Fix new rubocop warnings 2019-04-23 09:33:34 +01:00
Andy Allan
7b057545c0 Disentangle the api abilities from the web abilities 
This will allow us to rename api actions without causing permissions headaches. The choice of
abilities files is made by inheriting from either api_controller or application_controller.

Also rename capabilities to api_capabilites, for consistency.
 2019-03-27 18:07:29 +01:00
Tom Hughes
951564eed1 Merge remote-tracking branch 'upstream/pull/2186' 2019-03-23 12:01:05 +00:00
Tom Hughes
cba7945a5b Use strings consistently for database/api/gpx status 2019-03-23 11:59:42 +00:00
Andy Allan
19c2f6d485 Move more api-only methods into api_controller 2019-03-20 15:08:36 +01:00
Andy Allan
8d207e7de0 Mark all methods in api_controller and application_controller as private 
They aren't designed to be used as request endpoints, so there's no
need for them to be public.
 2019-03-20 15:08:36 +01:00
Andy Allan
94d19ae567 Move the authorize method to api_controller 2019-03-20 14:39:17 +01:00
Andy Allan
742291a840 Simplify deny_access handling 
Now that we have all api controllers inheriting from a common base,
it's easier to override the deny_access handler without having to
switch between both.

Fixes #2064
 2019-03-20 14:39:17 +01:00
Tom Hughes
141df02e67 Move status into the settings object 
Only the very early boot code needs to look at the value
from the environment directly.
 2019-03-17 11:15:34 +00:00
Andy Allan
d102c9aaf4 Move all settings to settings.yml 
We leave the STATUS setting alone, since it's required before rails
boots. The test-specific settings now live in config/settings/test.yml
 2019-03-13 18:06:23 +01:00
Andy Allan
3795da4014 Remove the require_terms_seen configuration option 
This option has been set to 'true' for over six years in production.

Refs #2097
 2019-02-06 14:54:56 +01:00
Simon Poole
26102f581f Remove old MapQuest Directions routing support 2019-01-29 20:19:36 +00:00
Simon Poole
067290f19f Remove old OSRM routing support 2019-01-29 20:19:36 +00:00
Simon Poole
8937099429 Add support for FOSSGIS routing server 2019-01-29 20:19:36 +00:00
Andy Allan
30a4fb85a9 Remove old authorization helpers 
These have been replaced by abilities and capabilities
 2019-01-16 11:55:01 +01:00
Andy Allan
131fd76cae Ensure authorization checks happen for all controller methods 2019-01-16 11:45:13 +01:00
Tom Hughes
801271363d Allow inline styling on pages that display the map 
Both leaflet itself and at least one of our plugins use inline
styling to style markers so we need to allow it.

Fixes #2093
 2018-12-31 09:32:13 +00:00
Tom Hughes
eb7c4cdedd Allow abilities that require no login for token based access 
Fixes #2085
 2018-12-12 22:41:29 +00:00
Andy Allan
981e4a34b5 Use only token capabilities when a token is provided 
The Authenticate#allow? method (from oauth-plugin) sets current_user as a side
effect of checking the token. But this allows a valid token to access
all actions that are available to that user, beyond the capabilities for
that token.
 2018-12-12 16:16:23 +01:00
Andy Allan
3fd083d9d4 Remove the unused require_moderator filter 
Use of this filter has been refactored to use CanCanCan
 2018-11-28 15:59:47 +01:00
Andy Allan
ea766ec57d Use CanCanCan for notes authorization 2018-11-28 15:59:47 +01:00
Andy Allan
8f70fb2114 Use CanCanCan for changeset comments 
This introduces different deny_access handlers for web and api requests, since we want to avoid sending redirects as API responses. See #2064 for discussion.
 2018-11-28 12:35:45 +01:00
Tom Hughes
dc6a5bc1a6 Take security policy URLs from the configuration file 2018-11-15 18:48:05 +00:00
Tom Hughes
ccdec3ed4c Attempt to send pretty 403 errors to web browsers 2018-11-08 19:09:56 +00:00
Andy Allan
f11221f05b Merge branch 'master' into cancancan 2018-10-31 11:16:47 +01:00
Tom Hughes
22af018298 Update translation keys for renaming of user to users 2018-10-29 12:48:20 +00:00
Andy Allan
0888f43d7b Check the oauth token and then use the capabilities directly 2018-10-24 16:48:54 +02:00
Andy Allan
a50ad1c895 Rework the default denied access handler to give different responses to tokens, logged in users and other users 2018-10-24 09:39:02 +02:00
Andy Allan
b7baa2c10a Remove temporary development code 2018-10-10 16:54:16 +02:00
Andy Allan
901c29a820 Fix typo in method name 2018-10-10 11:55:00 +02:00
Andy Allan
420a7289a0 Merge branch 'authz' of https://github.com/rubyforgood/openstreetmap-website into rubyforgood-authz 2018-10-10 11:26:30 +02:00
Andy Allan
3ec67ea2d3 Rename user_controller to users_controller 2018-10-03 15:31:10 +02:00
Tom Hughes
64146b4f36 Fix Style/SafeNavigation rubocop warnings 2018-09-22 17:21:06 +01:00
Chris Flipse
25256a4849 Make rubocop happy 2018-06-17 20:40:48 -04:00
Chris Flipse
91fc65a2e3 separate ability and capability 
These are asking fundamentally different questions;

Abilities are asking the application if the user has a role that allows
the user to take a certain action
Capabilities are asking if the user has granted the application to
perform a certain type of action

CanCanCan makes no distinction, however, so the `granted_capabilities`
method is provided as a point that can be checked in rescue methods, so
that one can _attempt_ to continue to provide the more informative error
messages around permission refusals
 2018-06-17 13:57:32 -04:00
Chris Flipse
060c686c19 Use cancancan to authorize user_preference_controller 2018-06-17 13:57:06 -04:00
Chris Flipse
6b44a1976c use a controller method to handle cancan denials 
This will let controllers override for specific circumstances
 2018-06-17 13:57:06 -04:00
Chris Flipse
6da3ece683 use token in ability checks 2018-06-17 13:56:23 -04:00
Chris Flipse
2ab3d56102 don't check authorization everywhere 2018-06-17 13:56:23 -04:00
Andy Allan
ffa65d4d72 Add cancancan and the first ability definitions for site_controller 2018-06-17 13:56:23 -04:00
Tom Hughes
727ee97a3f Allow inline javascript and CSS in better_errors pages 2018-06-17 11:33:51 +01:00
J Guthrie
30756f72ca Change language immediately after updating settings 
Closes #1883
 2018-05-27 15:12:34 +01:00
Peter Karich
1cea6b363a Use XHR instead of jsonp for GraphHopper 
Closes #1872
 2018-05-17 20:47:58 +01:00
Tom Hughes
50f85248db Use https to launch the remote editor except for modern browsers 
Currently only Chrome 53+ and Firefox 55+ are known to support loading
of http resources from localhost for an https page.
 2018-05-15 14:21:09 +01:00