Merge branch 'authz' of https://github.com/rubyforgood/openstreetmap-website into...

author Andy Allan <git@gravitystorm.co.uk>

Wed, 10 Oct 2018 09:26:30 +0000 (11:26 +0200)

committer Andy Allan <git@gravitystorm.co.uk>

Wed, 10 Oct 2018 09:26:30 +0000 (11:26 +0200)
author Andy Allan <git@gravitystorm.co.uk>
Wed, 10 Oct 2018 09:26:30 +0000 (11:26 +0200)
committer Andy Allan <git@gravitystorm.co.uk>
Wed, 10 Oct 2018 09:26:30 +0000 (11:26 +0200)
diff --cc Gemfile

index 9ba2703134d5d9b9bf8e5c47904c188396a762e7,a385851ff7aa631b2d901eb5ccfe46e1232d700b..b559027c2062fc1625604bc679417dca36e28831
--- 1/Gemfile
--- 2/Gemfile
+++ b/Gemfile
@@@ -45,7 -42,8 +45,8 @@@ gem "image_optim_rails
   
   # Load rails plugins
   gem "actionpack-page_caching"
- -gem "composite_primary_keys", "~> 10.0.0"
+ gem "cancancan"
+ +gem "composite_primary_keys", "~> 11.0.0"
   gem "dynamic_form"
   gem "http_accept_language", "~> 2.0.0"
   gem "i18n-js", ">= 3.0.0"
diff --cc Gemfile.lock

index 76a31e169e59a8c4aacd58ef738f2de056957302,06ddc0fe20b1cb111ce5433677bc1d2ab146d1d6..cd94df5e102759d260642e7a06f226a667655a1d
--- 1/Gemfile.lock
--- 2/Gemfile.lock
+++ b/Gemfile.lock
@@@ -63,10 -58,9 +63,11 @@@ GE
       bigdecimal (1.1.0)
       binding_of_caller (0.8.0)
         debug_inspector (>= 0.0.1)
+ +    bootsnap (1.3.2)
+ +      msgpack (~> 1.0)
       builder (3.2.3)
- -    canonical-rails (0.2.3)
+     cancancan (2.1.3)
+ +    canonical-rails (0.2.4)
         rails (>= 4.1, < 5.3)
       capybara (2.18.0)
         addressable
@@@ -386,7 -370,7 +387,8 @@@ DEPENDENCIE
     better_errors
     bigdecimal (~> 1.1.0)
     binding_of_caller
+ +  bootsnap (>= 1.1.0)
+   cancancan
     canonical-rails
     capybara (~> 2.13)
     coffee-rails (~> 4.2)
diff --cc app/controllers/application_controller.rb
Simple merge
diff --cc app/controllers/diary_entry_controller.rb

index 723fff17ec0e885c129087e003c343bfcf748bcd,6e926800817d4ff3e11152e62c8a219baa96cc36..d3d7f6a7cee9d7fbbe4836d4fd3e17d05813c108
--- 1/app/controllers/diary_entry_controller.rb
--- 2/app/controllers/diary_entry_controller.rb
+++ b/app/controllers/diary_entry_controller.rb
@@@ -3,12 -3,13 +3,13 @@@ class DiaryEntryController < Applicatio
   
     before_action :authorize_web
     before_action :set_locale
-   before_action :require_user, :only => [:new, :edit, :comment, :hide, :hidecomment, :subscribe, :unsubscribe]
+ 
+   authorize_resource
+ 
- -  before_action :lookup_user, :only => [:view, :comments]
+ +  before_action :lookup_user, :only => [:show, :comments]
     before_action :check_database_readable
     before_action :check_database_writable, :only => [:new, :edit, :comment, :hide, :hidecomment, :subscribe, :unsubscribe]
-   before_action :require_administrator, :only => [:hide, :hidecomment]
- -  before_action :allow_thirdparty_images, :only => [:new, :edit, :list, :view, :comments]
+ +  before_action :allow_thirdparty_images, :only => [:new, :edit, :index, :show, :comments]
   
     def new
       @title = t "diary_entry.new.title"
diff --cc app/controllers/site_controller.rb
Simple merge
diff --cc app/controllers/users_controller.rb

index d18cf188cf669ef002fbc975f6f08d091f697d6f,d853d4822979b6ab956a166cd6946c12f5f7e752..09bdd6d3ec873d6f926e0d570afd0cc1f40cfc52
--- 1/app/controllers/users_controller.rb
--- 2/app/controllers/user_controller.rb
+++ b/app/controllers/users_controller.rb
@@@ -1,16 -1,18 +1,18 @@@
- -class UserController < ApplicationController
+ +class UsersController < ApplicationController
     layout "site", :except => [:api_details]
   
- -  skip_before_action :verify_authenticity_token, :only => [:api_read, :api_details, :api_gpx_files, :auth_success]
+   skip_authorization_check :only => [:login, :logout]
+ 
+ +  skip_before_action :verify_authenticity_token, :only => [:api_read, :api_users, :api_details, :api_gpx_files, :auth_success]
     before_action :disable_terms_redirect, :only => [:terms, :save, :logout, :api_details]
     before_action :authorize, :only => [:api_details, :api_gpx_files]
- -  before_action :authorize_web, :except => [:api_read, :api_details, :api_gpx_files]
- -  before_action :set_locale, :except => [:api_read, :api_details, :api_gpx_files]
+ +  before_action :authorize_web, :except => [:api_read, :api_users, :api_details, :api_gpx_files]
+ +  before_action :set_locale, :except => [:api_read, :api_users, :api_details, :api_gpx_files]
     before_action :require_user, :only => [:account, :go_public, :make_friend, :remove_friend]
     before_action :require_self, :only => [:account]
- -  before_action :check_database_readable, :except => [:login, :api_read, :api_details, :api_gpx_files]
+ +  before_action :check_database_readable, :except => [:login, :api_read, :api_users, :api_details, :api_gpx_files]
     before_action :check_database_writable, :only => [:new, :account, :confirm, :confirm_email, :lost_password, :reset_password, :go_public, :make_friend, :remove_friend]
- -  before_action :check_api_readable, :only => [:api_read, :api_details, :api_gpx_files]
+ +  before_action :check_api_readable, :only => [:api_read, :api_users, :api_details, :api_gpx_files]
     before_action :require_allow_read_prefs, :only => [:api_details]
     before_action :require_allow_read_gpx, :only => [:api_gpx_files]
     before_action :require_cookies, :only => [:new, :login, :confirm]
diff --cc test/test_helper.rb
Simple merge
author	Andy Allan <git@gravitystorm.co.uk>
	Wed, 10 Oct 2018 09:26:30 +0000 (11:26 +0200)
committer	Andy Allan <git@gravitystorm.co.uk>
	Wed, 10 Oct 2018 09:26:30 +0000 (11:26 +0200)
		1	2
Gemfile	patch \|	diff1 \|	diff2 \|	blob \| history
Gemfile.lock	patch \|	diff1 \|	diff2 \|	blob \| history
app/controllers/application_controller.rb	patch \|	diff1 \|	diff2 \|	blob \| history
app/controllers/diary_entry_controller.rb	patch \|	diff1 \|	diff2 \|	blob \| history
app/controllers/site_controller.rb	patch \|	diff1 \|	diff2 \|	blob \| history
app/controllers/users_controller.rb	patch \|	diff1 \|	diff2 \|	blob \| history
test/test_helper.rb	patch \|	diff1 \|	diff2 \|	blob \| history