Merge remote-tracking branch 'upstream/pull/2107'

diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index 9981f62ebc1c745a968bcb22ac890d21d7273f71..dcaa7e347a572f7040fdea42105f87255da96106 100644 (file)
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -4,14 +4,19 @@ class Ability
   include CanCan::Ability
 
   def initialize(user)
+    can [:relation, :relation_history, :way, :way_history, :node, :node_history, :changeset, :note], :browse
     can [:index, :feed, :read, :download, :query], Changeset
     can :index, ChangesetComment
+    can :search, :direction
     can [:index, :permalink, :edit, :help, :fixthemap, :offline, :export, :about, :preview, :copyright, :key, :id], :site
     can [:index, :rss, :show, :comments], DiaryEntry
+    can [:finish, :embed], :export
     can [:search, :search_latlon, :search_ca_postcode, :search_osm_nominatim,
          :search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
     can [:index, :create, :comment, :feed, :show, :search, :mine], Note
     can [:index, :show], Redaction
+    can [:search_all, :search_nodes, :search_ways, :search_relations], :search
+    can [:trackpoints], :swf
     can [:index, :show, :data, :georss, :picture, :icon], Trace
     can [:terms, :api_users, :login, :logout, :new, :create, :save, :confirm, :confirm_resend, :confirm_email, :lost_password, :reset_password, :show, :api_read, :auth_success, :auth_failure], User
     can [:index, :show, :blocks_on, :blocks_by], UserBlock

diff --git a/app/controllers/amf_controller.rb b/app/controllers/amf_controller.rb
index 4f6adae5da6b08dd38b763f5aff392e53d359ce2..fdad432a8d44802c592e309f54e95d0d9a334f4c 100644 (file)
--- a/app/controllers/amf_controller.rb
+++ b/app/controllers/amf_controller.rb
@@ -41,6 +41,11 @@ class AmfController < ApplicationController
   skip_before_action :verify_authenticity_token
   before_action :check_api_writable
 
+  # AMF Controller implements its own authentication and authorization checks
+  # completely independently of the rest of the codebase, so best just to let
+  # it keep doing its own thing.
+  skip_authorization_check
+
   # Main AMF handlers: process the raw AMF string (using AMF library) and
   # calls each action (private method) accordingly.
 

diff --git a/app/controllers/browse_controller.rb b/app/controllers/browse_controller.rb
index 6eb9675683f81df3089136e9fdfca2ba62e9ae57..0fccbb506bb2a19dae6db4087853a64b8f0933cf 100644 (file)
--- a/app/controllers/browse_controller.rb
+++ b/app/controllers/browse_controller.rb
@@ -6,6 +6,7 @@ class BrowseController < ApplicationController
   before_action(:except => [:query]) { |c| c.check_database_readable(true) }
   before_action :require_oauth
   around_action :web_timeout
+  authorize_resource :class => false
 
   def relation
     @type = "relation"

diff --git a/app/controllers/directions_controller.rb b/app/controllers/directions_controller.rb
index b04db6b6f6aea919cb99fa84fdda5283efb9d37b..ec23274006b8062d30bc84dda00752d4d9cfd54f 100644 (file)
--- a/app/controllers/directions_controller.rb
+++ b/app/controllers/directions_controller.rb
@@ -2,6 +2,7 @@ class DirectionsController < ApplicationController
   before_action :authorize_web
   before_action :set_locale
   before_action :require_oauth, :only => [:search]
+  authorize_resource :class => false
 
   def search
     render :layout => map_layout

diff --git a/app/controllers/export_controller.rb b/app/controllers/export_controller.rb
index afdf4d8d7e38005f89c310d2f8bf9f0033d84cbb..18ac15c101b47feeb1b518eb12a26a4b1dfe52e9 100644 (file)
--- a/app/controllers/export_controller.rb
+++ b/app/controllers/export_controller.rb
@@ -2,6 +2,7 @@ class ExportController < ApplicationController
   before_action :authorize_web
   before_action :set_locale
   before_action :update_totp, :only => [:finish]
+  authorize_resource :class => false
 
   caches_page :embed
 

diff --git a/app/controllers/geocoder_controller.rb b/app/controllers/geocoder_controller.rb
index da5245687f73db3fb97871fac05a47876420f017..b9cf8d096f35a635e8e9ad957258f097e51e8300 100644 (file)
--- a/app/controllers/geocoder_controller.rb
+++ b/app/controllers/geocoder_controller.rb
@@ -6,6 +6,7 @@ class GeocoderController < ApplicationController
   before_action :authorize_web
   before_action :set_locale
   before_action :require_oauth, :only => [:search]
+  authorize_resource :class => false
 
   def search
     @params = normalize_params

diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 0d40b6691ab4e69e6fac431004d61a9327522e64..3a2e4040f894b5048f6ef804e94a767b40ce9086 100644 (file)
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -3,6 +3,7 @@ class SearchController < ApplicationController
   # Can search by tag k, v, or both (type->k,value->v)
   # Can search by name (k=name,v=....)
   skip_before_action :verify_authenticity_token
+  authorize_resource :class => false
 
   def search_all
     do_search(true, true, true)

diff --git a/app/controllers/swf_controller.rb b/app/controllers/swf_controller.rb
index 96237f029c3eaa075d2137eec7b47bb16142131f..1a424c387b693611db04c5bf69e8e465d86b5209 100644 (file)
--- a/app/controllers/swf_controller.rb
+++ b/app/controllers/swf_controller.rb
@@ -1,6 +1,7 @@
 class SwfController < ApplicationController
   skip_before_action :verify_authenticity_token
   before_action :check_api_readable
+  authorize_resource :class => false
 
   # to log:
   # RAILS_DEFAULT_LOGGER.error("Args: #{args[0]}, #{args[1]}, #{args[2]}, #{args[3]}")