Merge pull request #4550 from tomhughes/drop-user-tokens
[rails.git] / app / controllers / browse_controller.rb
index 82cbe6f9808e68083c44d71c9abd24fdc4e4952c..db291f6eb89a8fc5900cd8c4da953f987473c55e 100644 (file)
@@ -6,6 +6,7 @@ class BrowseController < ApplicationController
   before_action -> { check_database_readable(:need_api => true) }
   before_action :require_oauth
   before_action :update_totp, :only => [:query]
+  before_action :require_moderator_for_unredacted_history, :only => [:relation_history, :way_history, :node_history]
   around_action :web_timeout
   authorize_resource :class => false
 
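Review bot: The `:only` list on the new `before_action` is an allow-list of action names, so any other action or template that reads `params[:show_redactions]` would not get the moderator check. Only the three history actions are named here, and whether the parameter is honoured anywhere else cannot be seen from this hunk. Since the filter does nothing when the parameter is absent, it could fail closed by running on every action: `before_action :require_moderator_for_unredacted_history`. If the restriction stays, a comment such as `# keep in sync with every action that honours show_redactions` would make the coupling explicit for whoever adds the next history-style action.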
@@ -58,4 +59,10 @@ class BrowseController < ApplicationController
   end
 
   def query; end
+
+  private
+
+  def require_moderator_for_unredacted_history
+    deny_access(nil) if params[:show_redactions] && !current_user&.moderator?
+  end
 end
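Review bot: `require_moderator_for_unredacted_history` carries no comment saying what it protects, and `deny_access` is defined outside this hunk, so a reader cannot tell what a `nil` argument means or what response an anonymous visitor gets. The condition is a truthiness test, so `show_redactions=false` or an empty value is also refused for non-moderators; that fails closed, but it should be stated, e.g. `# Any show_redactions value, even "false" or empty, requires a moderator.` The code that actually selects unredacted versions (not visible here) should use the same test for "parameter set", and ideally check the moderator role itself, so the protection does not rest on this filter alone.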