X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/bed9cd00ed166ce346da4b8a9b654ddf86e64e70..67dd9e4c9d487bdb5f38a09dc0c99def4989326e:/app/controllers/old_node_controller.rb
diff --git a/app/controllers/old_node_controller.rb b/app/controllers/old_node_controller.rb
index 56397625c..e6170fbda 100644
--- a/app/controllers/old_node_controller.rb
+++ b/app/controllers/old_node_controller.rb
@@ -1,42 +1,60 @@
 class OldNodeController < ApplicationController
 require 'xml/libxml'
- session :off
- before_filter :check_read_availability
+ skip_before_filter :verify_authenticity_token
+ before_filter :authorize, :only => [ :redact ]
+ before_filter :require_allow_write_api, :only => [ :redact ]
+ before_filter :check_api_readable
+ before_filter :check_api_writable, :only => [ :redact ]
 after_filter :compress_output
+ around_filter :api_call_handle_error, :api_call_timeout
 def history
- begin
- node = Node.find(params[:id])
+ # TODO - maybe a bit heavyweight to do this on every
+ # call, perhaps try lazy auth.
+ setup_user_auth
- doc = OSM::API.new.get_xml_doc
-
- node.old_nodes.each do |old_node|
+ node = Node.find(params[:id].to_i)
+
+ doc = OSM::API.new.get_xml_doc
+
+ node.old_nodes.each do |old_node|
+ unless old_node.redacted? and (@user.nil? or not @user.moderator?)
 doc.root << old_node.to_xml_node
 end
-
- render :text => doc.to_s, :content_type => "text/xml"
- rescue ActiveRecord::RecordNotFound
- render :nothing => true, :status => :not_found
- rescue
- render :nothing => true, :status => :internal_server_error
 end
+
+ render :text => doc.to_s, :content_type => "text/xml"
 end
 def version
- begin
- old_node = OldNode.find(:first, :conditions => {:id => params[:id], :version => params[:version]} )
+ if old_node = OldNode.where(:node_id => params[:id], :version => params[:version]).first
+ # TODO - maybe a bit heavyweight to do this on every
+ # call, perhaps try lazy auth.
+ setup_user_auth
- response.headers['Last-Modified'] = old_node.timestamp.rfc822
+ if old_node.redacted? and (@user.nil? or not @user.moderator?)
+ render :nothing => true, :status => :forbidden
+ else
- doc = OSM::API.new.get_xml_doc
- doc.root << old_node.to_xml_node
-
- render :text => doc.to_s, :content_type => "text/xml"
- rescue ActiveRecord::RecordNotFound
+ response.last_modified = old_node.timestamp
+
+ doc = OSM::API.new.get_xml_doc
+ doc.root << old_node.to_xml_node
+
+ render :text => doc.to_s, :content_type => "text/xml"
+ end
+ else
 render :nothing => true, :status => :not_found
- rescue
- render :nothing => true, :status => :internal_server_error
+ end
+ end
+
+ def redact
+ if @user && @user.moderator?
+ render :nothing => true
+
+ else
+ render :nothing => true, :status => :forbidden
 end
 end
 end
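Review bot: In `version`, `params[:id]` and `params[:version]` go into `OldNode.where` unconverted, while `history` in this same commit coerces with `params[:id].to_i`. Request parameters can arrive as arrays or hashes, so unless the routes already constrain both to digits the lookup should coerce the same way: `OldNode.where(:node_id => params[:id].to_i, :version => params[:version].to_i).first`. Separately, `skip_before_filter :verify_authenticity_token` is controller-wide and therefore also covers the state-changing `redact` action. That is only safe if `authorize` never accepts a browser session cookie, which this hunk does not show, so a comment stating that assumption next to the skip would help. The visibility test `old_node.redacted? and (@user.nil? or not @user.moderator?)` is duplicated in `history` and `version`; a single private predicate would keep the two access checks from drifting apart.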