]> git.openstreetmap.org Git - rails.git/commitdiff
projects / rails.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: 6ef6ddc)
Check API status before authorizing access
authorTom Hughes <tom@compton.nu>
Mon, 11 Apr 2022 19:47:52 +0000 (20:47 +0100)
committerTom Hughes <tom@compton.nu>
Mon, 11 Apr 2022 19:47:52 +0000 (20:47 +0100)
Fixes #3530

12 files changed:
app/controllers/api/changeset_comments_controller.rb patch | blob | history
app/controllers/api/changesets_controller.rb patch | blob | history
app/controllers/api/map_controller.rb patch | blob | history
app/controllers/api/nodes_controller.rb patch | blob | history
app/controllers/api/notes_controller.rb patch | blob | history
app/controllers/api/old_controller.rb patch | blob | history
app/controllers/api/permissions_controller.rb patch | blob | history
app/controllers/api/relations_controller.rb patch | blob | history
app/controllers/api/tracepoints_controller.rb patch | blob | history
app/controllers/api/traces_controller.rb patch | blob | history
app/controllers/api/users_controller.rb patch | blob | history
app/controllers/api/ways_controller.rb patch | blob | history

diff --git a/app/controllers/api/changeset_comments_controller.rb b/app/controllers/api/changeset_comments_controller.rb
index 86ac612777bc1e320f5403dfe2fe71978ce7333b..8b971834d76432d2728a2d7c0bd059691a9328e4 100644 (file)
--- a/app/controllers/api/changeset_comments_controller.rb
+++ b/app/controllers/api/changeset_comments_controller.rb
@@ -1,12 +1,12 @@
 module Api
   class ChangesetCommentsController < ApiController
+    before_action :check_api_writable
+    before_action :check_api_readable, :except => [:create]
     before_action :authorize
 
     authorize_resource
 
     before_action :require_public_data, :only => [:create]
-    before_action :check_api_writable
-    before_action :check_api_readable, :except => [:create]
     before_action :set_request_formats
     around_action :api_call_handle_error
     around_action :api_call_timeout
diff --git a/app/controllers/api/changesets_controller.rb b/app/controllers/api/changesets_controller.rb
index 354b0b9c224b43dc96b569593b8fd3b94d26d80c..24e7fb9252ca12e161bdae5ac444bb1824b16e49 100644 (file)
--- a/app/controllers/api/changesets_controller.rb
+++ b/app/controllers/api/changesets_controller.rb
@@ -4,13 +4,13 @@ module Api
   class ChangesetsController < ApiController
     require "xml/libxml"
 
+    before_action :check_api_writable, :only => [:create, :update, :upload, :subscribe, :unsubscribe]
+    before_action :check_api_readable, :except => [:create, :update, :upload, :download, :query, :subscribe, :unsubscribe]
     before_action :authorize, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
 
     authorize_resource
 
     before_action :require_public_data, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
-    before_action :check_api_writable, :only => [:create, :update, :upload, :subscribe, :unsubscribe]
-    before_action :check_api_readable, :except => [:create, :update, :upload, :download, :query, :subscribe, :unsubscribe]
     before_action :set_request_formats, :except => [:create, :close, :upload]
 
     around_action :api_call_handle_error
diff --git a/app/controllers/api/map_controller.rb b/app/controllers/api/map_controller.rb
index 1b5150537bccb8299a990d4e0c47b20598a7df53..0d123fc3e7851f2d0eae4748d4cacf38575e8e47 100644 (file)
--- a/app/controllers/api/map_controller.rb
+++ b/app/controllers/api/map_controller.rb
@@ -1,8 +1,9 @@
 module Api
   class MapController < ApiController
+    before_action :check_api_readable
+
     authorize_resource :class => false
 
-    before_action :check_api_readable
     around_action :api_call_handle_error, :api_call_timeout
 
     before_action :set_request_formats
diff --git a/app/controllers/api/nodes_controller.rb b/app/controllers/api/nodes_controller.rb
index 62eb76505b6228f4c6530476024e7c8afbdae397..92779dd67f18ca160a83772bc311b5dde29b875a 100644 (file)
--- a/app/controllers/api/nodes_controller.rb
+++ b/app/controllers/api/nodes_controller.rb
@@ -4,13 +4,13 @@ module Api
   class NodesController < ApiController
     require "xml/libxml"
 
+    before_action :check_api_writable, :only => [:create, :update, :delete]
+    before_action :check_api_readable, :except => [:create, :update, :delete]
     before_action :authorize, :only => [:create, :update, :delete]
 
     authorize_resource
 
     before_action :require_public_data, :only => [:create, :update, :delete]
-    before_action :check_api_writable, :only => [:create, :update, :delete]
-    before_action :check_api_readable, :except => [:create, :update, :delete]
     around_action :api_call_handle_error, :api_call_timeout
 
     before_action :set_request_formats, :except => [:create, :update, :delete]
diff --git a/app/controllers/api/notes_controller.rb b/app/controllers/api/notes_controller.rb
index 8a41d5db804b2eac4a156404d7213b1d2fadc644..7454e7f19387ee178c97ce8efb8f751b2bb4972d 100644 (file)
--- a/app/controllers/api/notes_controller.rb
+++ b/app/controllers/api/notes_controller.rb
@@ -1,12 +1,12 @@
 module Api
   class NotesController < ApiController
     before_action :check_api_readable
+    before_action :check_api_writable, :only => [:create, :comment, :close, :reopen, :destroy]
     before_action :setup_user_auth, :only => [:create, :comment, :show]
     before_action :authorize, :only => [:close, :reopen, :destroy, :comment]
 
     authorize_resource
 
-    before_action :check_api_writable, :only => [:create, :comment, :close, :reopen, :destroy]
     before_action :set_locale
     around_action :api_call_handle_error, :api_call_timeout
 
diff --git a/app/controllers/api/old_controller.rb b/app/controllers/api/old_controller.rb
index f8e42476f878c11aaa6aac42f81b5f5ddf7d5536..ceed10978d9b614dbab6fa16298189ee9b5565ea 100644 (file)
--- a/app/controllers/api/old_controller.rb
+++ b/app/controllers/api/old_controller.rb
@@ -5,13 +5,13 @@ module Api
   class OldController < ApiController
     require "xml/libxml"
 
+    before_action :check_api_readable
+    before_action :check_api_writable, :only => [:redact]
     before_action :setup_user_auth, :only => [:history, :version]
     before_action :authorize, :only => [:redact]
 
     authorize_resource
 
-    before_action :check_api_readable
-    before_action :check_api_writable, :only => [:redact]
     around_action :api_call_handle_error, :api_call_timeout
     before_action :lookup_old_element, :except => [:history]
     before_action :lookup_old_element_versions, :only => [:history]
diff --git a/app/controllers/api/permissions_controller.rb b/app/controllers/api/permissions_controller.rb
index 07685ed6806546e58a795f7cdb74ba61774e9be5..8c0c949dc2c71302f64b1611f2977961a71d7718 100644 (file)
--- a/app/controllers/api/permissions_controller.rb
+++ b/app/controllers/api/permissions_controller.rb
@@ -1,8 +1,9 @@
 module Api
   class PermissionsController < ApiController
+    before_action :check_api_readable
+
     authorize_resource :class => false
 
-    before_action :check_api_readable
     before_action :setup_user_auth
     before_action :set_request_formats
     around_action :api_call_handle_error, :api_call_timeout
diff --git a/app/controllers/api/relations_controller.rb b/app/controllers/api/relations_controller.rb
index 9bb3eb87c4ebf4e2f2c4404a30981957b859a70d..5dd5632ba89aff98187c763b654b9c5efdfe9eb3 100644 (file)
--- a/app/controllers/api/relations_controller.rb
+++ b/app/controllers/api/relations_controller.rb
@@ -2,13 +2,13 @@ module Api
   class RelationsController < ApiController
     require "xml/libxml"
 
+    before_action :check_api_writable, :only => [:create, :update, :delete]
+    before_action :check_api_readable, :except => [:create, :update, :delete]
     before_action :authorize, :only => [:create, :update, :delete]
 
     authorize_resource
 
     before_action :require_public_data, :only => [:create, :update, :delete]
-    before_action :check_api_writable, :only => [:create, :update, :delete]
-    before_action :check_api_readable, :except => [:create, :update, :delete]
     around_action :api_call_handle_error, :api_call_timeout
 
     before_action :set_request_formats, :except => [:create, :update, :delete]
diff --git a/app/controllers/api/tracepoints_controller.rb b/app/controllers/api/tracepoints_controller.rb
index e758d559f99d0bb69eaeaca8ec7cecd8a1740862..e8bd97b64196503f9d3279dd9e749496880cf38c 100644 (file)
--- a/app/controllers/api/tracepoints_controller.rb
+++ b/app/controllers/api/tracepoints_controller.rb
@@ -1,8 +1,9 @@
 module Api
   class TracepointsController < ApiController
+    before_action :check_api_readable
+
     authorize_resource
 
-    before_action :check_api_readable
     around_action :api_call_handle_error, :api_call_timeout
 
     # Get an XML response containing a list of tracepoints that have been uploaded
diff --git a/app/controllers/api/traces_controller.rb b/app/controllers/api/traces_controller.rb
index 6a0ec81ec72d82f698beebecd5773c92ede80ce0..8121764a1b4f7f8fb76ace6db6865613f0c500e5 100644 (file)
--- a/app/controllers/api/traces_controller.rb
+++ b/app/controllers/api/traces_controller.rb
@@ -1,13 +1,13 @@
 module Api
   class TracesController < ApiController
+    before_action :check_database_readable, :except => [:show, :data]
+    before_action :check_database_writable, :only => [:create, :update, :destroy]
     before_action :authorize_web
     before_action :set_locale
     before_action :authorize
 
     authorize_resource
 
-    before_action :check_database_readable, :except => [:show, :data]
-    before_action :check_database_writable, :only => [:create, :update, :destroy]
     before_action :check_api_readable, :only => [:show, :data]
     before_action :check_api_writable, :only => [:create, :update, :destroy]
     before_action :offline_error, :only => [:create, :destroy, :data]
diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index a452cb9301ead6467f3c8ed6852156c55ba71e56..d4baf4a820a0c1dada9c5a4f13342d440f536a0f 100644 (file)
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -1,12 +1,12 @@
 module Api
   class UsersController < ApiController
+    before_action :check_api_readable
     before_action :disable_terms_redirect, :only => [:details]
     before_action :setup_user_auth, :only => [:show, :index]
     before_action :authorize, :only => [:details, :gpx_files]
 
     authorize_resource
 
-    before_action :check_api_readable
     around_action :api_call_handle_error
     before_action :lookup_user_by_id, :only => [:show]
 
diff --git a/app/controllers/api/ways_controller.rb b/app/controllers/api/ways_controller.rb
index f88f3a1d011d7609c0c0eb8a3704ee2c31746fe1..ca4acd6113797ff373dc7eb503e1fd453154e561 100644 (file)
--- a/app/controllers/api/ways_controller.rb
+++ b/app/controllers/api/ways_controller.rb
@@ -2,13 +2,13 @@ module Api
   class WaysController < ApiController
     require "xml/libxml"
 
+    before_action :check_api_writable, :only => [:create, :update, :delete]
+    before_action :check_api_readable, :except => [:create, :update, :delete]
     before_action :authorize, :only => [:create, :update, :delete]
 
     authorize_resource
 
     before_action :require_public_data, :only => [:create, :update, :delete]
-    before_action :check_api_writable, :only => [:create, :update, :delete]
-    before_action :check_api_readable, :except => [:create, :update, :delete]
     around_action :api_call_handle_error, :api_call_timeout
 
     before_action :set_request_formats, :except => [:create, :update, :delete]
The OpenStreetMap web site