include CanCan::Ability
def initialize(user)
+ can [:relation, :relation_history, :way, :way_history, :node, :node_history, :changeset, :note], :browse
+ can [:index, :feed, :read, :download, :query], Changeset
can :index, ChangesetComment
+ can :search, :direction
can [:index, :permalink, :edit, :help, :fixthemap, :offline, :export, :about, :preview, :copyright, :key, :id], :site
can [:index, :rss, :show, :comments], DiaryEntry
+ can [:finish, :embed], :export
can [:search, :search_latlon, :search_ca_postcode, :search_osm_nominatim,
:search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
can [:index, :create, :comment, :feed, :show, :search, :mine], Note
can [:index, :show], Redaction
+ can [:search_all, :search_nodes, :search_ways, :search_relations], :search
+ can [:trackpoints], :swf
+ can [:index, :show, :data, :georss, :picture, :icon], Trace
can [:terms, :api_users, :login, :logout, :new, :create, :save, :confirm, :confirm_resend, :confirm_email, :lost_password, :reset_password, :show, :api_read, :auth_success, :auth_failure], User
can [:index, :show, :blocks_on, :blocks_by], UserBlock
can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry
can [:close, :reopen], Note
can [:new, :create], Report
+ can [:mine, :new, :create, :edit, :update, :delete, :api_create, :api_read, :api_update, :api_delete, :api_data], Trace
can [:account, :go_public, :make_friend, :remove_friend, :api_details, :api_gpx_files], User
can [:read, :read_one, :update, :update_one, :delete_one], UserPreference
- if user.terms_agreed? || !REQUIRE_TERMS_AGREED # rubocop:disable Style/IfUnlessModifier
+ if user.terms_agreed? || !REQUIRE_TERMS_AGREED
+ can [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox], Changeset
can :create, ChangesetComment
end
def initialize(token)
can [:create, :comment, :close, :reopen], Note if capability?(token, :allow_write_notes)
+ can [:api_read, :api_data], Trace if capability?(token, :allow_read_gpx)
+ can [:api_create, :api_update, :api_delete], Trace if capability?(token, :allow_write_gpx)
can [:api_details], User if capability?(token, :allow_read_prefs)
can [:api_gpx_files], User if capability?(token, :allow_read_gpx)
can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs)
can [:update, :update_one, :delete_one], UserPreference if capability?(token, :allow_write_prefs)
if token&.user&.terms_agreed? || !REQUIRE_TERMS_AGREED
+ can [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox], Changeset if capability?(token, :allow_write_api)
can :create, ChangesetComment if capability?(token, :allow_write_api)
end
skip_before_action :verify_authenticity_token
before_action :check_api_writable
+ # AMF Controller implements its own authentication and authorization checks
+ # completely independently of the rest of the codebase, so best just to let
+ # it keep doing its own thing.
+ skip_authorization_check
+
# Main AMF handlers: process the raw AMF string (using AMF library) and
# calls each action (private method) accordingly.
before_action(:except => [:query]) { |c| c.check_database_readable(true) }
before_action :require_oauth
around_action :web_timeout
+ authorize_resource :class => false
def relation
@type = "relation"
before_action :authorize_web, :only => [:index, :feed]
before_action :set_locale, :only => [:index, :feed]
before_action :authorize, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
- before_action :require_allow_write_api, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
+ before_action :api_deny_access_handler, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox]
+
+ authorize_resource
+
before_action :require_public_data, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
before_action :check_api_writable, :only => [:create, :update, :upload, :subscribe, :unsubscribe]
before_action :check_api_readable, :except => [:create, :update, :upload, :download, :query, :index, :feed, :subscribe, :unsubscribe]
before_action :authorize_web
before_action :set_locale
before_action :require_oauth, :only => [:search]
+ authorize_resource :class => false
def search
render :layout => map_layout
before_action :authorize_web
before_action :set_locale
before_action :update_totp, :only => [:finish]
+ authorize_resource :class => false
caches_page :embed
before_action :authorize_web
before_action :set_locale
before_action :require_oauth, :only => [:search]
+ authorize_resource :class => false
def search
@params = normalize_params
# Can search by tag k, v, or both (type->k,value->v)
# Can search by name (k=name,v=....)
skip_before_action :verify_authenticity_token
+ authorize_resource :class => false
def search_all
do_search(true, true, true)
class SwfController < ApplicationController
skip_before_action :verify_authenticity_token
before_action :check_api_readable
+ authorize_resource :class => false
# to log:
# RAILS_DEFAULT_LOGGER.error("Args: #{args[0]}, #{args[1]}, #{args[2]}, #{args[3]}")
skip_before_action :verify_authenticity_token, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data]
before_action :authorize_web
before_action :set_locale
- before_action :require_user, :only => [:mine, :new, :create, :edit, :delete]
before_action :authorize, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data]
+ before_action :api_deny_access_handler, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data]
+
+ authorize_resource
+
before_action :check_database_readable, :except => [:api_read, :api_data]
before_action :check_database_writable, :only => [:new, :create, :edit, :delete, :api_create, :api_update, :api_delete]
before_action :check_api_readable, :only => [:api_read, :api_data]
before_action :check_api_writable, :only => [:api_create, :api_update, :api_delete]
- before_action :require_allow_read_gpx, :only => [:api_read, :api_data]
- before_action :require_allow_write_gpx, :only => [:api_create, :api_update, :api_delete]
before_action :offline_warning, :only => [:mine, :show]
before_action :offline_redirect, :only => [:new, :create, :edit, :delete, :data, :api_create, :api_delete, :api_data]
around_action :api_call_handle_error, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data]