Use CanCanCan for notes authorization

[rails.git] / app / controllers / application_controller.rb
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb

index 2be8c16371546e9fe39e7491b8e11a66536e54a4..8fa279367efd3793150f02f2a582a3da01134415 100644 (file)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,6 +1,5 @@
  class ApplicationController < ActionController::Base
    include SessionPersistence
-  # check_authorization
  
    protect_from_forgery :with => :exception
  
@@ -20,16 +19,16 @@ class ApplicationController < ActionController::Base
          session.delete(:user)
          session_expires_automatically
  
-        redirect_to :controller => "user", :action => "suspended"
+        redirect_to :controller => "users", :action => "suspended"
  
        # don't allow access to any auth-requiring part of the site unless
        # the new CTs have been seen (and accept/decline chosen).
        elsif !current_user.terms_seen && flash[:skip_terms].nil?
-        flash[:notice] = t "user.terms.you need to accept or decline"
+        flash[:notice] = t "users.terms.you need to accept or decline"
          if params[:referer]
-          redirect_to :controller => "user", :action => "terms", :referer => params[:referer]
+          redirect_to :controller => "users", :action => "terms", :referer => params[:referer]
          else
-          redirect_to :controller => "user", :action => "terms", :referer => request.fullpath
+          redirect_to :controller => "users", :action => "terms", :referer => request.fullpath
          end
        end
      elsif session[:token]
@@ -44,7 +43,7 @@ class ApplicationController < ActionController::Base
    def require_user
      unless current_user
        if request.get?
-        redirect_to :controller => "user", :action => "login", :referer => request.fullpath
+        redirect_to :controller => "users", :action => "login", :referer => request.fullpath
        else
          head :forbidden
        end
@@ -119,10 +118,6 @@ class ApplicationController < ActionController::Base
      require_capability(:allow_write_gpx)
    end
  
-  def require_allow_write_notes
-    require_capability(:allow_write_notes)
-  end
-
    ##
    # require that the user is a moderator, or fill out a helpful error message
    # and return them to the index for the controller this is wrapped from.
@@ -286,8 +281,7 @@ class ApplicationController < ActionController::Base
      # TODO: some sort of escaping of problem characters in the message
      response.headers["Error"] = message
  
-    if request.headers["X-Error-Format"] &&
-       request.headers["X-Error-Format"].casecmp("xml").zero?
+    if request.headers["X-Error-Format"]&.casecmp("xml")&.zero?
        result = OSM::API.new.get_xml_doc
        result.root.name = "osmError"
        result.root << (XML::Node.new("status") << "#{Rack::Utils.status_code(status)} #{Rack::Utils::HTTP_STATUS_CODES[status]}")
@@ -313,7 +307,7 @@ class ApplicationController < ActionController::Base
    helper_method :preferred_languages
  
    def set_locale(reset = false)
-    if current_user && current_user.languages.empty? && !http_accept_language.user_preferred_languages.empty?
+    if current_user&.languages&.empty? && !http_accept_language.user_preferred_languages.empty?
        current_user.languages = http_accept_language.user_preferred_languages
        current_user.save
      end
@@ -390,11 +384,11 @@ class ApplicationController < ActionController::Base
    ##
    # render a "no such user" page
    def render_unknown_user(name)
-    @title = t "user.no_such_user.title"
+    @title = t "users.no_such_user.title"
      @not_found_user = name
  
      respond_to do |format|
-      format.html { render :template => "user/no_such_user", :status => :not_found }
+      format.html { render :template => "users/no_such_user", :status => :not_found }
        format.all { head :not_found }
      end
    end
@@ -416,9 +410,9 @@ class ApplicationController < ActionController::Base
      append_content_security_policy_directives(
        :child_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112],
        :frame_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112],
-      :connect_src => %w[nominatim.openstreetmap.org overpass-api.de router.project-osrm.org graphhopper.com],
+      :connect_src => [NOMINATIM_URL, OVERPASS_URL, OSRM_URL, GRAPHHOPPER_URL],
        :form_action => %w[render.openstreetmap.org],
-      :script_src => %w[open.mapquestapi.com],
+      :script_src => [MAPQUEST_DIRECTIONS_URL],
        :img_src => %w[developer.mapquest.com]
      )
  
@@ -438,7 +432,7 @@ class ApplicationController < ActionController::Base
    def preferred_editor
      editor = if params[:editor]
                 params[:editor]
-             elsif current_user && current_user.preferred_editor
+             elsif current_user&.preferred_editor
                 current_user.preferred_editor
               else
                 DEFAULT_EDITOR
@@ -471,22 +465,62 @@ class ApplicationController < ActionController::Base
    end
  
    def current_ability
-    Ability.new(current_user).merge(granted_capabily)
+    # Add in capabilities from the oauth token if it exists and is a valid access token
+    if Authenticator.new(self, [:token]).allow?
+      Ability.new(current_user).merge(Capability.new(current_token))
+    else
+      Ability.new(current_user)
+    end
    end
  
-  def granted_capabily
-    Capability.new(current_user, current_token)
+  def deny_access(exception)
+    if @api_deny_access_handling
+      api_deny_access(exception)
+    else
+      web_deny_access(exception)
+    end
    end
  
-  def deny_access(exception)
-    if current_user
+  def web_deny_access(_exception)
+    if current_token
        set_locale
        report_error t("oauth.permissions.missing"), :forbidden
+    elsif current_user
+      set_locale
+      respond_to do |format|
+        format.html { redirect_to :controller => "errors", :action => "forbidden" }
+        format.any { report_error t("application.permission_denied"), :forbidden }
+      end
+    elsif request.get?
+      respond_to do |format|
+        format.html { redirect_to :controller => "users", :action => "login", :referer => request.fullpath }
+        format.any { head :forbidden }
+      end
      else
-      require_user
+      head :forbidden
      end
    end
  
+  def api_deny_access(_exception)
+    if current_token
+      set_locale
+      report_error t("oauth.permissions.missing"), :forbidden
+    elsif current_user
+      head :forbidden
+    else
+      realm = "Web Password"
+      errormessage = "Couldn't authenticate you"
+      response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
+      render :plain => errormessage, :status => :unauthorized
+    end
+  end
+
+  attr_accessor :api_access_handling
+
+  def api_deny_access_handler
+    @api_deny_access_handling = true
+  end
+
    private
  
    # extract authorisation credentials from headers, returns user = nil if none