Commit graph

2356 commits

Author SHA1 Message Date
Anton Khorev
64dfb88ddf Fix marking muted messages as read/unread 2024-07-18 18:48:14 +03:00
Tom Hughes
28726e5f11 Merge remote-tracking branch 'upstream/pull/4973' 2024-07-16 17:16:45 +01:00
nertc
08fa95cbfc When downloading image, allow other map styles 2024-07-15 19:08:49 +04:00
Tom Hughes
1859728558 Merge remote-tracking branch 'upstream/pull/4984' 2024-07-14 15:40:39 +01:00
Anton Khorev
7917a7db80 Parse lat and lon independently when using dms notation 2024-07-13 17:52:39 +03:00
Anton Khorev
a082caef3c Use casecmp?() instead of casecmp().zero? 2024-07-13 16:00:45 +03:00
Anton Khorev
392d3d1226 Merge branch 'pull/4961' 2024-07-13 14:48:44 +03:00
Anton Khorev
00c2589374 Move diary comment action to comments controller 2024-07-12 17:58:43 +03:00
Tom Hughes
29dba7318a Use bigdecimal to avoid scientific notation in DMS decoding 2024-07-12 14:43:33 +01:00
Tom Hughes
e5057dd57a Use named captures to simplify latlon parsing 2024-07-12 14:43:32 +01:00
Tom Hughes
f047f86c1d Preserve lat and lon values as entered for reverse searches 2024-07-12 12:04:16 +01:00
Tom Hughes
3e77cae66c Clear current_user if we reject OAuth 1
This ensures we don't try and do any further validation of the
user which might lead to trying to report additional errors.
2024-07-07 19:40:28 +01:00
Tom Hughes
10cd2ce242 Merge remote-tracking branch 'upstream/pull/4944' 2024-07-07 15:24:05 +01:00
Tom Hughes
2061b5c257 Merge remote-tracking branch 'upstream/pull/4960' 2024-07-07 10:45:39 +01:00
Anton Khorev
4e01f6830a Don't call check_signup_allowed inside save_new_user 2024-07-06 18:51:54 +03:00
Anton Khorev
0d2010cd2f Remove "whereami" search parameter, use "lat" and "lon" instead 2024-07-06 16:56:49 +03:00
nertc
676aef5be6 Order of comments in changeset comments feeds 2024-07-05 19:00:15 +04:00
nertc
4b593412c2 Accept coordinates with a slash in search 2024-07-02 23:48:55 +04:00
Tom Hughes
b03eb84bb6 Only the sender of a message should be able to mark it as read/unread 2024-06-29 00:14:42 +01:00
Tom Hughes
271384e683 Simplify handling of geocoder URLs
This avoids having to build them in multiple places and also
ensures we link to what was actually searched rather than some
random string from the locale file.
2024-06-25 17:57:38 +01:00
Tom Hughes
ddc252016a Merge remote-tracking branch 'upstream/pull/4895' 2024-06-25 17:42:52 +01:00
Andy Allan
54aa89a4bf Merge pull request #4884 from AntonKhorev/copyright-page-title
Add title to copyright page
2024-06-19 15:26:21 +01:00
Nenad Vujicic
839d203d51 Added link to nominatim results in searching results
Fixes #3205. Added caching of nominatim URL query parameters in sources global variable (as parameters parameter) in GeocoderController#search for both direct and reverse geocoding. In app/views/geocoder/search.html.erb added displaying cached URL as forwarding link when clicked on "OpenStreetMap Nominatim" label. Updated GeocoderControllerTest to check only name (latlng, osm_nominatim, osm_nominatim_reverse) parameter of new sources variable.
2024-06-19 15:44:56 +02:00
Anton Khorev
a128b4f585 Move diary comments hide/unhide actions to comments controller 2024-06-17 18:16:31 +03:00
Anton Khorev
6624beff11 Move diary comments index action to comments controller 2024-06-10 16:32:53 +03:00
Anton Khorev
2cf3a52d40 Add title to copyright page 2024-06-07 12:51:38 +03:00
Anton Khorev
a73e20cd5c Set Open Graph image to first image for diary entries 2024-06-06 17:28:57 +03:00
Tom Hughes
15e86708f1 Merge remote-tracking branch 'upstream/pull/4847' 2024-05-30 16:20:54 +01:00
Milan Cvetkovic
15623aa35a Social sign-in: avoid re-authorization in users_controller#create
It does not add any additional guards against malicious users:

A malicious user may attempt to invoke `POST /users/new` with bogus
values for `auth_provider` and `auth_uid`, resulting
in a new account to which the user would have a way to login, other than
sending a password reset request.

In some cases, re-authorization would introduce additional
"Please login to your social account", or "Are you sure you want to be logged in"
popup triggered by identity provider.

This PR removes the re-authorization request from `POST /users/new` in authorization flow.
2024-05-30 05:43:45 +00:00
Andy Allan
c1cccd40fc Move check_api_readable to api_controller
It's easier to skip the check in the two places that we need to, and
include it by default everywhere else.
2024-05-29 14:54:16 +01:00
Andy Allan
f2aaec4735 Standardise on avoiding except lists for check_api_readable
Although this is technically duplicative, it's much easier to read
and therefore to maintain, particularly if you put the _readable one
first.
2024-05-29 14:51:47 +01:00
Andy Allan
995bfa91ff Remove duplicate database status checks
These are already done as part of the api checks
2024-05-29 14:51:20 +01:00
Andy Allan
91fc588556 Add api_status checks for user preferences API 2024-05-29 14:51:20 +01:00
Martin Raifer
ed15352f56 reintroduce unsafe-eval CSP rule for iD
fixes https://github.com/openstreetmap/iD/issues/10265
2024-05-29 11:26:08 +02:00
Tom Hughes
49b98c1fdd Merge remote-tracking branch 'upstream/pull/4846' 2024-05-27 15:00:51 +01:00
Milan Cvetkovic
22bceff40b Add proper referrer for authorization scenario
Fixes the following:
- `users_controller#new` loses referer in authorization scenario, when it was invoked after social signup succeeded
- the second invocation of `auth_success`, triggered by re-authorization initiated from `users_controller#create`
  does not have referrer field set
- as a result, the final welcome screen does not offer final authorization, and drops into ID instead

Introduced by #4758.
2024-05-27 13:31:20 +00:00
Tom Hughes
c834f9afe7 Merge remote-tracking branch 'upstream/pull/4841' 2024-05-27 10:33:34 +01:00
Martin Raifer
416fca5703 update script-src CSP rules for iD 2024-05-26 15:24:57 +02:00
Martin Raifer
4ef6876b32 allow data URIs for images in iD 2024-05-26 15:01:30 +02:00
Tom Hughes
20bdbb05c3 Switch to using rails builtin content security policy support 2024-05-22 16:38:59 +01:00
Andy Allan
8a5c9a8052 Merge pull request #4758 from tomhughes/login-referer
Stop using the session to persist the referer during login
2024-05-22 12:09:31 +01:00
Tom Hughes
ca893c1153 Fix new rubocop warnings 2024-05-21 18:21:56 +01:00
Tom Hughes
64af2816a3 Treat the body as UTF-8 for user_preferences#update 2024-05-16 17:51:33 +01:00
Andy Allan
ffda8d7ac5 Merge pull request #4680 from tomhughes/validate-page-numbers
Add parameter validation to pagination
2024-05-15 17:43:04 +01:00
Andy Allan
39963d8c70 Merge pull request #4633 from tomhughes/trace-images
Trace image cleanups
2024-05-15 16:38:00 +01:00
Andy Allan
ad4ab4603b Merge pull request #4496 from tomhughes/disabled-auth-error
Return an error when a disabled authentication mechanism is used
2024-05-15 16:33:33 +01:00
Tom Hughes
ebb1fba41d Really remove login.live.com from CSP allow list 2024-05-10 17:55:11 +01:00
Milan Cvetkovic
b07c758345 Fix CSP failures for Microsoft social sign-in
Replace login.live.com with login.microsoftonline.com in CSP allow list.

The URL changed with the move from using the omniauth-windowslive plugin
to the omniauth-microsoft_graph plugin but wasn't noticed until now.
2024-05-10 17:40:14 +01:00
Tom Hughes
74cc88fce4 Stop using the session to persist the referer during login 2024-05-06 10:55:07 +01:00
Tom Hughes
b625eefdeb Merge remote-tracking branch 'upstream/pull/4455' 2024-05-06 09:15:03 +01:00