X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/63100ae8a0f0ac810355ffb9578c8b5d1641a8d0..c3e2e6462f293596aef5d5de18b0a173edc046c7:/app/controllers/trace_controller.rb
diff --git a/app/controllers/trace_controller.rb b/app/controllers/trace_controller.rb
index 9d0e05530..e1553cbb0 100644
--- a/app/controllers/trace_controller.rb
+++ b/app/controllers/trace_controller.rb
@@ -49,13 +49,13 @@ class TraceController < ApplicationController
       if @user
         @traces = Trace.visible_to(@user) #1
       else
-        @traces = Trace.public #2
+        @traces = Trace.visible_to_all #2
       end
     else
       if @user and @user == target_user
         @traces = @user.traces #3 (check vs user id, so no join + can't pick up non-public traces by changing name)
       else
-        @traces = target_user.traces.public #4
+        @traces = target_user.traces.visible_to_all #4
       end
     end
@@ -151,8 +151,10 @@ class TraceController < ApplicationController
     if trace.visible? and (trace.public? or (@user and @user == trace.user))
       if Acl.no_trace_download(request.remote_ip)
         render :text => "", :status => :forbidden
-      elsif request.format == Mime::XML or request.format == Mime::GPX
+      elsif request.format == Mime::XML
         send_file(trace.xml_file, :filename => "#{trace.id}.xml", :type => request.format.to_s, :disposition => 'attachment')
+      elsif request.format == Mime::GPX
+        send_file(trace.xml_file, :filename => "#{trace.id}.gpx", :type => request.format.to_s, :disposition => 'attachment')
       else
         send_file(trace.trace_name, :filename => "#{trace.id}#{trace.extension_name}", :type => trace.mime_type, :disposition => 'attachment')
       end
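Review bot: The two new `elsif` branches differ only in the filename extension, so the GPX case is a near-verbatim copy of the XML `send_file` call and the two will drift the next time one is edited. Assuming `Mime::GPX` is registered with the symbol `:gpx`, a single branch covers both: `elsif request.format == Mime::XML or request.format == Mime::GPX` followed by `send_file(trace.xml_file, :filename => "#{trace.id}.#{request.format.to_sym}", :type => request.format.to_s, :disposition => 'attachment')`. The only request-controlled value that reaches the response headers here is the format, and it is narrowed to these two registered types before it is used, so the merge does not widen what a client can inject into `Content-Type` or the attachment name. The enclosing action starts and ends outside this hunk.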
@@ -166,8 +168,13 @@ class TraceController < ApplicationController
   def edit
     @trace = Trace.find(params[:id])
-    if @user and @trace.user == @user
+    if not @trace.visible?
+      render :text => "", :status => :not_found
+    elsif @user.nil? or @trace.user != @user
+      render :text => "", :status => :forbidden
+    else
       @title = t 'trace.edit.title', :name => @trace.name
+
       if params[:trace]
         @trace.description = params[:trace][:description]
         @trace.tagstring = params[:trace][:tagstring]
@@ -176,8 +183,6 @@ class TraceController < ApplicationController
           redirect_to :action => 'view', :display_name => @user.display_name
         end
       end
-    else
-      render :text => "", :status => :forbidden
     end
   rescue ActiveRecord::RecordNotFound
     render :text => "", :status => :not_found
@@ -186,24 +191,22 @@ class TraceController < ApplicationController
   def delete
     trace = Trace.find(params[:id])
-    if @user and trace.user == @user
-      if trace.visible?
-        trace.visible = false
-        trace.save
-        flash[:notice] = t 'trace.delete.scheduled_for_deletion'
-        redirect_to :action => :list, :display_name => @user.display_name
-      else
-        render :text => "", :status => :not_found
-      end
-    else
+    if not trace.visible?
+      render :text => "", :status => :not_found
+    elsif @user.nil? or trace.user != @user
       render :text => "", :status => :forbidden
+    else
+      trace.visible = false
+      trace.save
+      flash[:notice] = t 'trace.delete.scheduled_for_deletion'
+      redirect_to :action => :list, :display_name => @user.display_name
     end
   rescue ActiveRecord::RecordNotFound
     render :text => "", :status => :not_found
   end
   def georss
-    @traces = Trace.public.visible
+    @traces = Trace.visible_to_all.visible
     if params[:display_name]
       @traces = @traces.joins(:user).where(:users => {:display_name => params[:display_name]})
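Review bot: The new guard chain in `edit` uses `not` and `or`, the low-precedence keyword operators the Ruby style guide flags; `if !@trace.visible?` and `elsif @user.nil? || @trace.user != @user` express the same checks without the precedence trap. The same visible/owner pair is repeated verbatim in `delete` in the hunk at @@ -186; a shared helper that loads the trace and renders the 404/403 responses would keep the two authorization paths from diverging the next time one is touched. Ordering the visibility check first means a deleted trace now gets the same 404 as a missing id, while a visible trace owned by someone else still answers 403, so the existence of non-public trace ids remains observable to non-owners — pre-existing behaviour, but worth a one-line comment if it is intentional. `edit` continues past this hunk into the one at @@ -176.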
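Review bot: `trace.save` in the new `else` branch of `delete` discards its return value, so if the save fails the user is still told the trace is scheduled for deletion and redirected while `visible` stays true. Checking the result with `if trace.save` before the flash and redirect, or using `trace.save!` (which raises `ActiveRecord::RecordInvalid`, not caught by the existing `rescue ActiveRecord::RecordNotFound`, so it would need its own handler), would make the failure visible instead of silently reporting success. Whether this state-changing action is reachable by GET depends on the routes, which this diff does not show; it should be limited to POST/DELETE so the ownership check cannot be bypassed by a link the owner is induced to follow. `georss` continues past the end of the hunk.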