Fix CSP failures for Microsoft social sign-in
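class AccountsController < ApplicationController
  include SessionMethods
  include UserMethods

  layout "site"

  before_action :authorize_web
  before_action :set_locale

  authorize_resource :class => false

  before_action :check_database_readable
  before_action :check_database_writable, :only => [:update]
  before_action :allow_thirdparty_images, :only => [:edit, :update]
  # The settings form is rendered by +edit+ and again by a failed +update+,
  # so both actions need the authorized token list and the CSP form-action
  # allowlist for the social sign-in buttons.
  before_action :load_authorized_tokens, :only => [:edit, :update]
  before_action :allow_social_login_forms, :only => [:edit, :update]

  # Renders the account settings form.
  #
  # Validation errors found under session[:user_errors] (presumably stashed
  # there by a redirecting request elsewhere — verify against callers) are
  # copied onto current_user so the form displays them, and are removed from
  # the session in the same step so they are only shown once.
  def edit
    errors = session.delete(:user_errors)
    if errors
      errors.each { |attribute, error| current_user.errors.add(attribute, error) }
    end
    @title = t ".title"
  end

  # Applies the submitted settings to current_user.
  #
  # Only the listed attributes are mass-assignable; :auth_uid in particular is
  # never assigned from params here. When the request names no auth provider,
  # or the same provider/uid the account already has, the settings are saved
  # directly. When it names a different provider or uid, the permitted
  # settings are parked in session[:new_user_settings] and the browser is
  # redirected to that provider's auth URL (307, so the request method and
  # body survive the redirect), presumably so the new linkage is taken from a
  # completed sign-in rather than from the submitted uid.
  # NOTE(review): the callback that consumes session[:new_user_settings] is
  # outside this file — confirm it re-validates the provider/uid it receives.
  def update
    user_params = params.require(:user).permit(:display_name, :new_email, :pass_crypt, :pass_crypt_confirmation, :auth_provider)

    if auth_provider_unchanged?
      update_user(current_user, user_params)
      if current_user.errors.empty?
        redirect_to edit_account_path
      else
        render :edit
      end
    else
      session[:new_user_settings] = user_params.to_h
      redirect_to auth_url(params[:user][:auth_provider], params[:user][:auth_uid]), :status => :temporary_redirect
    end
  end

  # Soft-deletes current_user when deletion_allowed? permits it, drops the
  # user from the session and lets it expire, then sends the visitor home.
  # Answers 400 when the account is not eligible for deletion.
  def destroy
    if current_user.deletion_allowed?
      current_user.soft_destroy!

      session.delete(:user)
      session_expires_automatically

      flash[:notice] = t ".success"
      redirect_to root_path
    else
      head :bad_request
    end
  end

  private

  # The authorized OAuth tokens are listed on the settings form.
  def load_authorized_tokens
    @tokens = current_user.oauth_tokens.authorized
  end

  # The social sign-in buttons on the settings form submit to the identity
  # providers' hosts, so form-action must allow them or the browser blocks the
  # submission. Keep this list in step with the providers offered. A fresh
  # array is built on every call, matching what the inline version did.
  def allow_social_login_forms
    append_content_security_policy_directives(
      :form_action => %w[accounts.google.com *.facebook.com login.live.com login.microsoftonline.com github.com meta.wikimedia.org]
    )
  end

  # True when the submitted provider/uid pair leaves the account's external
  # login unchanged (or names no provider at all), i.e. the settings can be
  # saved without a fresh round-trip through the provider.
  # Expects params[:user] to be present, which update's params.require ensures.
  def auth_provider_unchanged?
    requested = params[:user]
    requested[:auth_provider].blank? ||
      (requested[:auth_provider] == current_user.auth_provider &&
       requested[:auth_uid] == current_user.auth_uid)
  end
end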