X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/41000078b9e0131d75ce610f148655fb7b32da73..0f5ad1f3cc5d82efef93d2d17809145c5f68f233:/app/controllers/user_controller.rb diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb index a6a78f192..0c3ad0b05 100644 --- a/app/controllers/user_controller.rb +++ b/app/controllers/user_controller.rb @@ -18,6 +18,7 @@ class UserController < ApplicationController around_action :api_call_handle_error, :only => [:api_read, :api_details, :api_gpx_files] before_action :lookup_user_by_id, :only => [:api_read] before_action :lookup_user_by_name, :only => [:set_status, :delete] + before_action :allow_thirdparty_images, :only => [:view, :account] def terms @legale = params[:legale] || OSM.ip_to_country(request.remote_ip) || DEFAULT_LEGALE @@ -44,9 +45,7 @@ class UserController < ApplicationController if current_user current_user.terms_seen = true - if current_user.save - flash[:notice] = t("user.new.terms declined", :url => t("user.new.terms declined url")).html_safe - end + flash[:notice] = t("user.new.terms declined", :url => t("user.new.terms declined url")).html_safe if current_user.save if params[:referer] redirect_to params[:referer] @@ -99,7 +98,7 @@ class UserController < ApplicationController "lat" => m[2], "lon" => m[3] }.merge(editor)) end - rescue + rescue StandardError # Use default end @@ -202,6 +201,10 @@ class UserController < ApplicationController @title = t "user.new.title" @referer = params[:referer] || session[:referer] + append_content_security_policy_directives( + :form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org] + ) + if current_user # The user is logged in already, so don't show them the signup # page, instead send them to the home page @@ -220,6 +223,8 @@ class UserController < ApplicationController flash.now[:notice] = render_to_string :partial => "auth_association" else check_signup_allowed + + self.current_user = User.new end end @@ -409,8 +414,8 @@ class UserController < ApplicationController if @new_friend if request.post? friend = Friend.new - friend.user_id = current_user.id - friend.friend_user_id = @new_friend.id + friend.befriender = current_user + friend.befriendee = @new_friend if current_user.is_friends_with?(@new_friend) flash[:warning] = t "user.make_friend.already_a_friend", :name => @new_friend.display_name elsif friend.save @@ -526,9 +531,7 @@ class UserController < ApplicationController session[:new_user].auth_provider = provider session[:new_user].auth_uid = uid - if email_verified && email == session[:new_user].email - session[:new_user].status = "active" - end + session[:new_user].status = "active" if email_verified && email == session[:new_user].email redirect_to :action => "terms" else @@ -547,7 +550,7 @@ class UserController < ApplicationController when "active", "confirmed" then successful_login(user, request.env["omniauth.params"]["referer"]) when "suspended" then - failed_login t("user.login.account is suspended", :webmaster => "mailto:#{SUPPORT_EMAIL}") + failed_login t("user.login.account is suspended", :webmaster => "mailto:#{SUPPORT_EMAIL}").html_safe else failed_login t("user.login.auth failure") end @@ -575,7 +578,7 @@ class UserController < ApplicationController elsif user = User.authenticate(:username => username, :password => password, :pending => true) unconfirmed_login(user) elsif User.authenticate(:username => username, :password => password, :suspended => true) - failed_login t("user.login.account is suspended", :webmaster => "mailto:#{SUPPORT_EMAIL}"), username + failed_login t("user.login.account is suspended", :webmaster => "mailto:#{SUPPORT_EMAIL}").html_safe, username else failed_login t("user.login.auth failure"), username end @@ -721,7 +724,7 @@ class UserController < ApplicationController begin Notifier.email_confirm(user, user.tokens.create).deliver_now - rescue + rescue StandardError # Ignore errors sending email end else