X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/970e1a99d7dce64f0631e88c5b9f060fb48d75fe..6e5240e1987a429e29d230e811af9176772a8228:/app/controllers/application_controller.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 09a35beb3..2ceeda7be 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -61,7 +61,8 @@ class ApplicationController < ActionController::Base # method, otherwise an OAuth token was used, which has to be checked. unless current_token.nil? unless current_token.read_attribute(cap) - report_error "OAuth token doesn't have that capability.", :forbidden + set_locale + report_error t("oauth.permissions.missing"), :forbidden false end end @@ -152,9 +153,14 @@ class ApplicationController < ActionController::Base # have we identified the user? if @user # check if the user has been banned - if @user.blocks.active.exists? - # NOTE: need slightly more helpful message than this. - report_error t("application.setup_user_auth.blocked"), :forbidden + user_block = @user.blocks.active.take + unless user_block.nil? + set_locale + if user_block.zero_hour? + report_error t("application.setup_user_auth.blocked_zero_hour"), :forbidden + else + report_error t("application.setup_user_auth.blocked"), :forbidden + end end # if the user hasn't seen the contributor terms then don't @@ -359,7 +365,8 @@ class ApplicationController < ActionController::Base rescue ActionView::Template::Error => ex ex = ex.original_exception - if ex.is_a?(ActiveRecord::StatementInvalid) && ex.message =~ /execution expired/ + if ex.is_a?(Timeout::Error) || + (ex.is_a?(ActiveRecord::StatementInvalid) && ex.message =~ /execution expired/) render :action => "timeout" else raise @@ -402,6 +409,18 @@ class ApplicationController < ActionController::Base end def map_layout + append_content_security_policy_directives( + :connect_src => %w(nominatim.openstreetmap.org overpass-api.de router.project-osrm.org valhalla.mapzen.com), + :script_src => %w(graphhopper.com open.mapquestapi.com), + :img_src => %w(developer.mapquest.com) + ) + + if STATUS == :database_offline || STATUS == :api_offline + flash.now[:warning] = t("layouts.osm_offline") + elsif STATUS == :database_readonly || STATUS == :api_readonly + flash.now[:warning] = t("layouts.osm_read_only") + end + request.xhr? ? "xhr" : "map" end @@ -419,6 +438,16 @@ class ApplicationController < ActionController::Base helper_method :preferred_editor + def update_totp + if defined?(TOTP_KEY) + cookies["_osm_totp_token"] = { + :value => ROTP::TOTP.new(TOTP_KEY, :interval => 3600).now, + :domain => "openstreetmap.org", + :expires => 1.hour.from_now + } + end + end + private # extract authorisation credentials from headers, returns user = nil if none