openstreetmap-website/app/controllers
Milan Cvetkovic 15623aa35a Social sign-in: avoid re-authorization in users_controller#create
It does not add any additional guards against malicious users:

A malicious user may attempt to invoke `POST /users/new` with bogus
values for `auth_provider` and `auth_uid`, resulting
in a new account to which the user would have a way to log in, other than
by sending a password reset request.

In some cases, re-authorization would introduce an additional
"Please login to your social account" or "Are you sure you want to be logged in"
popup triggered by the identity provider.

This PR removes the re-authorization request from `POST /users/new` in the authorization flow.
2024-05-30 05:43:45 +00:00
account Allow users to delete their own accounts 2022-02-09 16:15:24 +00:00
api Fix new rubocop warnings 2024-05-21 18:21:56 +01:00
concerns Merge pull request #4758 from tomhughes/login-referer 2024-05-22 12:09:31 +01:00
traces Drop redundant support for legacy trace files 2024-03-28 17:27:28 +00:00
accounts_controller.rb Switch to using rails builtin content security policy support 2024-05-22 16:38:59 +01:00
api_controller.rb Merge pull request #4496 from tomhughes/disabled-auth-error 2024-05-15 16:33:33 +01:00
application_controller.rb Switch to using rails builtin content security policy support 2024-05-22 16:38:59 +01:00
browse_controller.rb Move current element actions to their own controllers 2024-03-15 03:24:45 +03:00
changeset_comments_controller.rb Prefer keyword arguments when method has optional boolean arguments 2020-11-12 11:24:44 +00:00
changesets_controller.rb Fix new rubocop warnings 2024-05-21 18:21:56 +01:00
confirmations_controller.rb Drop user tokens table 2024-02-28 21:02:54 +00:00
dashboards_controller.rb Split the non-public information off of the profile page 2021-08-18 13:32:36 +01:00
diary_entries_controller.rb Switch to using rails builtin content security policy support 2024-05-22 16:38:59 +01:00
directions_controller.rb Use CanCanCan for directions controller 2019-01-09 10:12:14 +01:00
errors_controller.rb Add framework for parameter validation using rails_param gem 2024-04-11 10:08:20 +01:00
export_controller.rb Switch to using rails builtin content security policy support 2024-05-22 16:38:59 +01:00
friendships_controller.rb Fix new rubocop warnings 2024-05-21 18:21:56 +01:00
geocoder_controller.rb Take exclude_place_ids from Nominatim results directly 2023-08-08 18:27:53 +01:00
issue_comments_controller.rb Fix predicate method names in the user model 2023-08-15 18:53:14 +01:00
issues_controller.rb Avoid using _id in queries 2023-08-30 17:08:16 +01:00
messages_controller.rb Switch to using rails builtin content security policy support 2024-05-22 16:38:59 +01:00
nodes_controller.rb Move current element actions to their own controllers 2024-03-15 03:24:45 +03:00
notes_controller.rb Add validation for page number passed to notes#index 2024-04-11 10:08:20 +01:00
oauth2_applications_controller.rb Introduce privileged scopes that only an administrator can enable 2021-08-26 17:22:24 +01:00
oauth2_authorizations_controller.rb Switch to using rails builtin content security policy support 2024-05-22 16:38:59 +01:00
oauth2_authorized_applications_controller.rb Add support for OAuth2 using doorkeeper 2021-05-18 12:05:32 +01:00
oauth_clients_controller.rb Allow registration of OAuth 1.0 applications to be disabled 2024-01-31 19:18:16 +00:00
oauth_controller.rb Switch to using rails builtin content security policy support 2024-05-22 16:38:59 +01:00
old_nodes_controller.rb Move element history actions to old element controllers 2024-03-14 18:10:18 +03:00
old_relations_controller.rb Move element history actions to old element controllers 2024-03-14 18:10:18 +03:00
old_ways_controller.rb Move element history actions to old element controllers 2024-03-14 18:10:18 +03:00
passwords_controller.rb Merge pull request #4550 from tomhughes/drop-user-tokens 2024-03-07 13:51:44 +00:00
preferences_controller.rb Fix new rubocop warnings 2022-09-09 22:45:58 +01:00
profiles_controller.rb Fix new rubocop warnings 2022-09-09 22:45:58 +01:00
redactions_controller.rb Enable the ActionOrder cop for remaining controllers 2022-11-02 11:06:00 +00:00
relations_controller.rb Move current element actions to their own controllers 2024-03-15 03:24:45 +03:00
reports_controller.rb Add database checks to issue and report controllers 2023-01-11 11:12:36 +00:00
sessions_controller.rb Switch to using rails builtin content security policy support 2024-05-22 16:38:59 +01:00
site_controller.rb Merge remote-tracking branch 'upstream/pull/4841' 2024-05-27 10:33:34 +01:00
traces_controller.rb Use "visible" scope when finding traces 2024-03-28 08:34:18 +03:00
user_blocks_controller.rb Use before/after pagination on users page 2024-03-29 18:21:15 +03:00
user_mutes_controller.rb Add basic structures for UserMute and Message muting logic 2023-12-19 12:57:47 -05:00
user_roles_controller.rb Avoid using _id in queries 2023-08-30 17:08:16 +01:00
users_controller.rb Social sign-in: avoid re-authorization in users_controller#create 2024-05-30 05:43:45 +00:00
ways_controller.rb Move current element actions to their own controllers 2024-03-15 03:24:45 +03:00