Improve fallback behaviour for unsafe referer redirects
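class FriendshipsController < ApplicationController
  layout "site"

  before_action :authorize_web
  before_action :set_locale
  before_action :check_database_readable

  authorize_resource

  # Only the two state-changing actions need a writable database.
  before_action :check_database_writable, :only => [:make_friend, :remove_friend]

  # Befriend the user named by params[:display_name].
  #
  # A non-POST request only renders the (implicit) confirmation template; the
  # friendship is created on POST only. Before saving, the number of
  # friendships current_user created in the last hour is compared against
  # current_user.max_friends_per_hour, so one account cannot mass-produce
  # friendship notification mails. On POST the request always ends in a
  # redirect (see redirect_to_referer_or_user).
  def make_friend
    @new_friend = User.find_by(:display_name => params[:display_name])

    unless @new_friend
      render_unknown_user params[:display_name]
      return
    end
    return unless request.post?

    friendship = Friendship.new
    friendship.befriender = current_user
    friendship.befriendee = @new_friend

    if current_user.is_friends_with?(@new_friend)
      flash[:warning] = t "friendships.make_friend.already_a_friend", :name => @new_friend.display_name
    elsif friendships_created_in_last_hour >= current_user.max_friends_per_hour
      # Plain flash rather than flash.now: flash.now is scoped to the current
      # request and is dropped by the redirect below, so the rate-limit message
      # was never shown to the user. remove_friend already uses flash[:error].
      flash[:error] = t "friendships.make_friend.limit_exceeded"
    elsif friendship.save
      flash[:notice] = t "friendships.make_friend.success", :name => @new_friend.display_name
      UserMailer.friendship_notification(friendship).deliver_later
    else
      # NOTE(review): the error is attached to a local object that is discarded
      # once we redirect, so it is unclear where it would ever be displayed;
      # confirm against Friendship#add_error.
      friendship.add_error(t("friendships.make_friend.failed", :name => @new_friend.display_name))
    end

    redirect_to_referer_or_user
  end

  # Remove current_user's friendship with the user named by params[:display_name].
  #
  # As with make_friend, only a POST changes state; a non-POST request renders
  # the implicit template. Only current_user's own outgoing friendship row is
  # deleted, never the reverse direction.
  def remove_friend
    @friend = User.find_by(:display_name => params[:display_name])

    unless @friend
      render_unknown_user params[:display_name]
      return
    end
    return unless request.post?

    if current_user.is_friends_with?(@friend)
      # delete_all issues a single DELETE and skips model callbacks.
      Friendship.where(:befriender => current_user, :befriendee => @friend).delete_all
      flash[:notice] = t "friendships.remove_friend.success", :name => @friend.display_name
    else
      flash[:error] = t "friendships.remove_friend.not_a_friend", :name => @friend.display_name
    end

    redirect_to_referer_or_user
  end

  private

  # Number of friendships current_user has created within the last hour; used
  # for the per-user rate limit in make_friend.
  def friendships_created_in_last_hour
    current_user.friendships.where("created_at >= ?", 1.hour.ago).count
  end

  # Redirect back to the caller-supplied referer, or to the user page if none
  # was given or it was rejected.
  #
  # params[:referer] is untrusted input, so it is passed through safe_referer
  # (defined outside this file) rather than used directly; that filter is what
  # keeps this from being an open redirect, so do not bypass it. When it yields
  # nil we fall back to user_path, which presumably resolves using the current
  # request's :display_name path parameter — confirm against the routes.
  def redirect_to_referer_or_user
    referer = safe_referer(params[:referer]) if params[:referer]

    redirect_to referer || user_path
  end
end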