X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/428e7d6baa28ecb7d06f1f851fdd69ef00249bfb..81deb3533118f8a14b632a4ad05213b896a892f8:/app/controllers/application_controller.rb

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 26bb92f9a..534b37058 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,7 +1,7 @@
 class ApplicationController < ActionController::Base
   include SessionPersistence
 
-  protect_from_forgery
+  protect_from_forgery :with => :exception
 
   before_action :fetch_body
 
@@ -41,7 +41,7 @@ class ApplicationController < ActionController::Base
       if request.get?
         redirect_to :controller => "user", :action => "login", :referer => request.fullpath
       else
-        render :text => "", :status => :forbidden
+        head :forbidden
       end
     end
   end
@@ -74,7 +74,7 @@ class ApplicationController < ActionController::Base
     if request.cookies["_osm_session"].to_s == ""
       if params[:cookie_test].nil?
         session[:cookie_test] = true
-        redirect_to Hash[params].merge(:cookie_test => "true")
+        redirect_to params.to_unsafe_h.merge(:cookie_test => "true")
         false
       else
         flash.now[:warning] = t "application.require_cookies.cookies_needed"
@@ -127,7 +127,7 @@ class ApplicationController < ActionController::Base
         flash[:error] = t("application.require_moderator.not_a_moderator")
         redirect_to :action => "index"
       else
-        render :text => "", :status => :forbidden
+        head :forbidden
       end
     end
   end
@@ -181,7 +181,7 @@ class ApplicationController < ActionController::Base
     unless @user
       # no auth, the user does not exist or the password was wrong
       response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
-      render :text => errormessage, :status => :unauthorized
+      render :plain => errormessage, :status => :unauthorized
       return false
     end
   end
@@ -197,7 +197,7 @@ class ApplicationController < ActionController::Base
   def authorize_moderator(errormessage = "Access restricted to moderators")
     # check user is a moderator
     unless @user.moderator?
-      render :text => errormessage, :status => :forbidden
+      render :plain => errormessage, :status => :forbidden
       false
     end
   end
@@ -288,9 +288,9 @@ class ApplicationController < ActionController::Base
       result.root << (XML::Node.new("status") << "#{Rack::Utils.status_code(status)} #{Rack::Utils::HTTP_STATUS_CODES[status]}")
       result.root << (XML::Node.new("message") << message)
 
-      render :text => result.to_s, :content_type => "text/xml"
+      render :xml => result.to_s
     else
-      render :text => message, :status => status, :content_type => "text/plain"
+      render :plain => message, :status => status
     end
   end
 
@@ -321,7 +321,7 @@ class ApplicationController < ActionController::Base
   def api_call_handle_error
     yield
   rescue ActiveRecord::RecordNotFound => ex
-    render :text => "", :status => :not_found
+    head :not_found
   rescue LibXML::XML::Error, ArgumentError => ex
     report_error ex.message, :bad_request
   rescue ActiveRecord::RecordInvalid => ex
@@ -365,7 +365,8 @@ class ApplicationController < ActionController::Base
   rescue ActionView::Template::Error => ex
     ex = ex.original_exception
 
-    if ex.is_a?(ActiveRecord::StatementInvalid) && ex.message =~ /execution expired/
+    if ex.is_a?(Timeout::Error) ||
+       (ex.is_a?(ActiveRecord::StatementInvalid) && ex.message =~ /execution expired/)
       render :action => "timeout"
     else
       raise
@@ -390,7 +391,7 @@ class ApplicationController < ActionController::Base
 
     respond_to do |format|
       format.html { render :template => "user/no_such_user", :status => :not_found }
-      format.all { render :text => "", :status => :not_found }
+      format.all { head :not_found }
     end
   end
 
@@ -409,10 +410,17 @@ class ApplicationController < ActionController::Base
 
   def map_layout
     append_content_security_policy_directives(
-      :connect_src => %w(nominatim.openstreetmap.org overpass-api.de router.project-osrm.org valhalla.mapzen.com),
-      :script_src => %w(graphhopper.com open.mapquestapi.com)
+      :connect_src => %w[nominatim.openstreetmap.org overpass-api.de router.project-osrm.org valhalla.mapzen.com],
+      :script_src => %w[graphhopper.com open.mapquestapi.com],
+      :img_src => %w[developer.mapquest.com]
     )
 
+    if STATUS == :database_offline || STATUS == :api_offline
+      flash.now[:warning] = t("layouts.osm_offline")
+    elsif STATUS == :database_readonly || STATUS == :api_readonly
+      flash.now[:warning] = t("layouts.osm_read_only")
+    end
+
     request.xhr? ? "xhr" : "map"
   end