##
# Moderation of user blocks. Listing blocks (index, blocks_on, blocks_by)
# and viewing one (show) are public; creating, editing and revoking are
# restricted to logged-in moderators by the before_action chain below.
# Callback order matters: lookup_user_block must have run before
# require_valid_params, which inspects @user_block for update.
class UserBlocksController < ApplicationController
  layout "site"

  before_action :authorize_web
  before_action :set_locale
  # Write actions require a session and the moderator role.
  before_action :require_user, :only => [:new, :create, :edit, :update, :revoke]
  before_action :require_moderator, :only => [:new, :create, :edit, :update, :revoke]
  # @this_user: the user named by :display_name (block target or listing subject).
  before_action :lookup_this_user, :only => [:new, :create, :blocks_on, :blocks_by]
  # @user_block: the block named by :id; renders 404 if it does not exist.
  before_action :lookup_user_block, :only => [:show, :edit, :update, :revoke]
  before_action :require_valid_params, :only => [:create, :update]
  before_action :check_database_readable
  # NOTE(review): show also writes (save! below) but is not listed here, so
  # in read-only mode a blocked user viewing their own block gets a raw
  # database error instead of whatever check_database_writable would show.
  # Confirm this is intended.
  before_action :check_database_writable, :only => [:create, :update, :revoke]

  ##
  # All blocks, those ending latest first, 20 per page.
  # No request parameters are whitelisted into @params.
  def index
    @params = params.permit
    @user_blocks_pages, @user_blocks = paginate_blocks
  end

  ##
  # A single block. If the viewer is the blocked user, the block has now
  # been seen and no longer needs to be forced on them.
  def show
    return unless current_user && current_user == @user_block.user

    @user_block.needs_view = false
    @user_block.save!
  end

  ##
  # Empty form for a new block on @this_user.
  def new
    @user_block = UserBlock.new
  end

  ##
  # Edit form. The remaining duration, rounded up to whole hours, is
  # written into params, which the form presumably reads back.
  # NOTE(review): unlike update, no creator check happens here, so any
  # moderator can open the form; the save itself is refused in update.
  def edit
    remaining_hours = (@user_block.ends_at - Time.now.getutc) / 1.hour
    params[:user_block_period] = remaining_hours.ceil.to_s
  end

  ##
  # Creates a block on @this_user authored by the current moderator.
  # Invalid input (see require_valid_params) sends the moderator back to
  # the form; the flash has already been set by the filter.
  def create
    unless @valid_params
      redirect_to new_user_block_path(:display_name => params[:display_name])
      return
    end

    @user_block = UserBlock.new(
      { :user => @this_user, :creator => current_user }.merge(block_attributes)
    )

    if @user_block.save
      flash[:notice] = t("user_block.create.flash", :name => @this_user.display_name)
      redirect_to @user_block
    else
      render :action => "new"
    end
  end

  ##
  # Updates a still-active block. Only the moderator who created it may
  # edit it; other moderators are bounced back to the edit page with an
  # error. Invalid input redirects to the edit form (flash already set).
  def update
    unless @valid_params
      redirect_to edit_user_block_path(:id => params[:id])
      return
    end

    if @user_block.creator != current_user
      flash[:error] = t("user_block.update.only_creator_can_edit")
      redirect_to :action => "edit"
      return
    end

    if @user_block.update_attributes(block_attributes)
      flash[:notice] = t("user_block.update.success")
      redirect_to @user_block
    else
      render :action => "edit"
    end
  end

  ##
  # Revokes the block, setting its end time to now and passing the current
  # user to revoke! (presumably recorded as the revoker). Without :confirm
  # the confirmation page is rendered; if revoke! reports failure the same
  # page is shown again with no message. Any moderator may revoke, not only
  # the creator (contrast update) -- presumably intentional. This changes
  # state, so the route should not be reachable by GET; verify in
  # config/routes.rb.
  def revoke
    return unless params[:confirm]
    return unless @user_block.revoke!(current_user)

    flash[:notice] = t "user_block.revoke.flash"
    redirect_to(@user_block)
  end

  ##
  # All blocks placed on the given user, 20 per page.
  def blocks_on
    @params = params.permit(:display_name)
    @user_blocks_pages, @user_blocks = paginate_blocks(:user_id => @this_user.id)
  end

  ##
  # All blocks created by the given user, 20 per page.
  def blocks_by
    @params = params.permit(:display_name)
    @user_blocks_pages, @user_blocks = paginate_blocks(:creator_id => @this_user.id)
  end

  private

  ##
  # Sets @user_block from params[:id], or renders the not_found template
  # with a 404 status (rendering in a filter halts the chain).
  def lookup_user_block
    @user_block = UserBlock.find(params[:id])
  rescue ActiveRecord::RecordNotFound
    render :action => "not_found", :status => :not_found
  end

  ##
  # Pages through user_blocks, ending-latest first, 20 per page, eager
  # loading the user, creator and revoker associations. +conditions+
  # (optional) narrows the result, e.g. { :user_id => id }.
  def paginate_blocks(conditions = nil)
    options = {
      :include => [:user, :creator, :revoker],
      :order => "user_blocks.ends_at DESC",
      :per_page => 20
    }
    options[:conditions] = conditions if conditions
    paginate(:user_blocks, options)
  end

  ##
  # The attributes shared by create and update, read from the form.
  # @block_period comes from require_valid_params.
  # NOTE(review): assumes params[:user_block] is present; a request without
  # it raises NoMethodError here (a 500) rather than a validation error.
  def block_attributes
    {
      :ends_at => Time.now.getutc + @block_period.hours,
      :reason => params[:user_block][:reason],
      :needs_view => params[:user_block][:needs_view]
    }
  end

  ##
  # Validates the block period (must be one of UserBlock::PERIODS; a
  # missing period becomes 0 via to_i and is rejected unless 0 is listed)
  # and, for update, that the block is still active. Sets @block_period and
  # @valid_params and puts any error in the flash; it never redirects,
  # because create and update redirect to different places.
  def require_valid_params
    @block_period = params[:user_block_period].to_i

    error = if !UserBlock::PERIODS.include?(@block_period)
              "user_block.filter.block_period"
            elsif @user_block && !@user_block.active?
              "user_block.filter.block_expired"
            end

    @valid_params = error.nil?
    flash[:error] = t(error) unless @valid_params
  end
end