Enforce rate limit for API calls which make changes

[rails.git] / app / controllers / api / changesets_controller.rb

diff --git a/app/controllers/api/changesets_controller.rb b/app/controllers/api/changesets_controller.rb
index 66014042718126ceca06b3bd3f864a7bb6985be6..9bdf0f2bd3b075a5a5eb09e5755bfa76ee224bde 100644 (file)
--- a/app/controllers/api/changesets_controller.rb
+++ b/app/controllers/api/changesets_controller.rb
@@ -92,6 +92,10 @@ module Api
       diff_reader = DiffReader.new(request.raw_post, changeset)
       Changeset.transaction do
         result = diff_reader.commit
+        # the number of changes in this changeset has already been
+        # updated and is visible in this transaction so we don't need
+        # to allow for any more when checking the limit
+        check_rate_limit(0)
         render :xml => result.to_s
       end
     end
@@ -157,6 +161,8 @@ module Api
     ##
     # query changesets by bounding box, time, user or open/closed status.
     def query
+      raise OSM::APIBadUserInput, "cannot use order=oldest with time" if params[:time] && params[:order] == "oldest"
+
       # find any bounding box
       bbox = BoundingBox.from_bbox_params(params) if params["bbox"]
 
@@ -166,15 +172,16 @@ module Api
       changesets = conditions_bbox(changesets, bbox)
       changesets = conditions_user(changesets, params["user"], params["display_name"])
       changesets = conditions_time(changesets, params["time"])
+      changesets = conditions_from_to(changesets, params["from"], params["to"])
       changesets = conditions_open(changesets, params["open"])
       changesets = conditions_closed(changesets, params["closed"])
       changesets = conditions_ids(changesets, params["changesets"])
 
       # sort the changesets
       changesets = if params[:order] == "oldest"
-                     changesets.order("created_at ASC")
+                     changesets.order(:created_at => :asc)
                    else
-                     changesets.order("created_at DESC")
+                     changesets.order(:created_at => :desc)
                    end
 
       # limit the result
@@ -304,7 +311,7 @@ module Api
               # user input checking, we don't have any UIDs < 1
               raise OSM::APIBadUserInput, "invalid user ID" if user.to_i < 1
 
-              u = User.find(user.to_i)
+              u = User.find_by(:id => user.to_i)
             else
               u = User.find_by(:display_name => name)
             end
@@ -322,12 +329,12 @@ module Api
           raise OSM::APINotFoundError if current_user.nil? || current_user != u
         end
 
-        changesets.where(:user_id => u.id)
+        changesets.where(:user => u)
       end
     end
 
     ##
-    # restrict changes to those closed during a particular time period
+    # restrict changesets to those during a particular time period
     def conditions_time(changesets, time)
       if time.nil?
         changesets
@@ -351,6 +358,33 @@ module Api
       raise OSM::APIBadUserInput, e.message.to_s
     end
 
+    ##
+    # restrict changesets to those opened during a particular time period
+    # works similar to from..to of notes controller, including the requirement of 'from' when specifying 'to'
+    def conditions_from_to(changesets, from, to)
+      if from
+        begin
+          from = Time.parse(from).utc
+        rescue ArgumentError
+          raise OSM::APIBadUserInput, "Date #{from} is in a wrong format"
+        end
+
+        begin
+          to = if to
+                 Time.parse(to).utc
+               else
+                 Time.now.utc
+               end
+        rescue ArgumentError
+          raise OSM::APIBadUserInput, "Date #{to} is in a wrong format"
+        end
+
+        changesets.where(:created_at => from..to)
+      else
+        changesets
+      end
+    end
+
     ##
     # return changesets which are open (haven't been closed yet)
     # we do this by seeing if the 'closed at' time is in the future. Also if we've