]> git.openstreetmap.org Git - rails.git/blob - app/controllers/oauth_controller.rb
Merge remote-tracking branch 'upstream/pull/4406'
[rails.git] / app / controllers / oauth_controller.rb
1 class OauthController < ApplicationController
2   include OAuth::Controllers::ProviderController
3
4   # The ProviderController will call login_required for any action that needs
5   # a login, but we want to check authorization on every action.
6   authorize_resource :class => false
7
8   layout "site"
9
10   def revoke
11     @token = current_user.oauth_tokens.find_by :token => params[:token]
12     if @token
13       @token.invalidate!
14       flash[:notice] = t(".flash", :application => @token.client_application.name)
15     end
16     redirect_to oauth_clients_url(:display_name => @token.user.display_name)
17   end
18
19   protected
20
21   def login_required
22     authorize_web
23     set_locale
24   end
25
26   def user_authorizes_token?
27     any_auth = false
28
29     @token.client_application.permissions.each do |pref|
30       if params[pref].to_i.nonzero?
31         @token.write_attribute(pref, true)
32         any_auth ||= true
33       else
34         @token.write_attribute(pref, false)
35       end
36     end
37
38     any_auth
39   end
40
41   def oauth1_authorize
42     override_content_security_policy_directives(:form_action => []) if Settings.csp_enforce || Settings.key?(:csp_report_url)
43
44     if @token.invalidated?
45       @message = t "oauth.authorize_failure.invalid"
46       render :action => "authorize_failure"
47     elsif request.post?
48       if user_authorizes_token?
49         @token.authorize!(current_user)
50         callback_url = if @token.oauth10?
51                          params[:oauth_callback] || @token.client_application.callback_url
52                        else
53                          @token.oob? ? @token.client_application.callback_url : @token.callback_url
54                        end
55         @redirect_url = URI.parse(callback_url) if callback_url.present?
56
57         if @redirect_url.to_s.blank?
58           render :action => "authorize_success"
59         else
60           @redirect_url.query = if @redirect_url.query.blank?
61                                   "oauth_token=#{@token.token}"
62                                 else
63                                   @redirect_url.query +
64                                     "&oauth_token=#{@token.token}"
65                                 end
66
67           @redirect_url.query += "&oauth_verifier=#{@token.verifier}" unless @token.oauth10?
68
69           redirect_to @redirect_url.to_s, :allow_other_host => true
70         end
71       else
72         @token.invalidate!
73         @message = t("oauth.authorize_failure.denied", :app_name => @token.client_application.name)
74         render :action => "authorize_failure"
75       end
76     end
77   end
78 end