# * version conflict when POIs and ways are reverted
module Api
- class AmfController < ApplicationController
+ class AmfController < ApiController
include Potlatch
- skip_before_action :verify_authenticity_token
before_action :check_api_writable
# AMF Controller implements its own authentication and authorization checks
module Api
- class CapabilitiesController < ApplicationController
- skip_before_action :verify_authenticity_token
- before_action :api_deny_access_handler
-
+ class CapabilitiesController < ApiController
authorize_resource :class => false
around_action :api_call_handle_error, :api_call_timeout
module Api
- class ChangesController < ApplicationController
- skip_before_action :verify_authenticity_token
- before_action :api_deny_access_handler
-
+ class ChangesController < ApiController
authorize_resource :class => false
before_action :check_api_readable
module Api
- class ChangesetCommentsController < ApplicationController
- skip_before_action :verify_authenticity_token
+ class ChangesetCommentsController < ApiController
before_action :authorize
- before_action :api_deny_access_handler
authorize_resource
# The ChangesetController is the RESTful interface to Changeset objects
module Api
- class ChangesetsController < ApplicationController
+ class ChangesetsController < ApiController
layout "site"
require "xml/libxml"
- skip_before_action :verify_authenticity_token
before_action :authorize, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
- before_action :api_deny_access_handler, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox]
authorize_resource
before_action :require_public_data, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
before_action :check_api_writable, :only => [:create, :update, :upload, :subscribe, :unsubscribe]
before_action :check_api_readable, :except => [:create, :update, :upload, :download, :query, :subscribe, :unsubscribe]
- before_action(:only => [:index, :feed]) { |c| c.check_database_readable(true) }
around_action :api_call_handle_error
around_action :api_call_timeout, :except => [:upload]
module Api
- class MapController < ApplicationController
- skip_before_action :verify_authenticity_token
- before_action :api_deny_access_handler
-
+ class MapController < ApiController
authorize_resource :class => false
before_action :check_api_readable
# The NodeController is the RESTful interface to Node objects
module Api
- class NodesController < ApplicationController
+ class NodesController < ApiController
require "xml/libxml"
- skip_before_action :verify_authenticity_token
before_action :authorize, :only => [:create, :update, :delete]
- before_action :api_deny_access_handler
authorize_resource
module Api
- class NotesController < ApplicationController
+ class NotesController < ApiController
layout "site", :only => [:mine]
- skip_before_action :verify_authenticity_token
before_action :check_api_readable
before_action :setup_user_auth, :only => [:create, :comment, :show]
before_action :authorize, :only => [:close, :reopen, :destroy]
- before_action :api_deny_access_handler
authorize_resource
# into one place. as it turns out, the API methods for historical
# nodes, ways and relations are basically identical.
module Api
- class OldController < ApplicationController
+ class OldController < ApiController
require "xml/libxml"
- skip_before_action :verify_authenticity_token
before_action :setup_user_auth, :only => [:history, :version]
- before_action :api_deny_access_handler
before_action :authorize, :only => [:redact]
authorize_resource
module Api
- class PermissionsController < ApplicationController
- skip_before_action :verify_authenticity_token
- before_action :api_deny_access_handler
-
+ class PermissionsController < ApiController
authorize_resource :class => false
before_action :check_api_readable
module Api
- class RelationsController < ApplicationController
+ class RelationsController < ApiController
require "xml/libxml"
- skip_before_action :verify_authenticity_token
before_action :authorize, :only => [:create, :update, :delete]
- before_action :api_deny_access_handler
authorize_resource
module Api
- class SearchController < ApplicationController
+ class SearchController < ApiController
# Support searching for nodes, ways, or all
# Can search by tag k, v, or both (type->k,value->v)
# Can search by name (k=name,v=....)
- skip_before_action :verify_authenticity_token
authorize_resource :class => false
def search_all
module Api
- class SwfController < ApplicationController
- skip_before_action :verify_authenticity_token
+ class SwfController < ApiController
before_action :check_api_readable
authorize_resource :class => false
module Api
- class TracepointsController < ApplicationController
- skip_before_action :verify_authenticity_token
- before_action :api_deny_access_handler
-
+ class TracepointsController < ApiController
authorize_resource
before_action :check_api_readable
module Api
- class TracesController < ApplicationController
+ class TracesController < ApiController
layout "site", :except => :georss
- skip_before_action :verify_authenticity_token
before_action :authorize_web
before_action :set_locale
before_action :authorize
- before_action :api_deny_access_handler
authorize_resource
# Update and read user preferences, which are arbitrayr key/val pairs
module Api
- class UserPreferencesController < ApplicationController
- skip_before_action :verify_authenticity_token
+ class UserPreferencesController < ApiController
before_action :authorize
authorize_resource
module Api
- class UsersController < ApplicationController
+ class UsersController < ApiController
layout "site", :except => [:api_details]
- skip_before_action :verify_authenticity_token
before_action :disable_terms_redirect, :only => [:api_details]
before_action :authorize, :only => [:api_details, :api_gpx_files]
- before_action :api_deny_access_handler
authorize_resource
module Api
- class WaysController < ApplicationController
+ class WaysController < ApiController
require "xml/libxml"
- skip_before_action :verify_authenticity_token
before_action :authorize, :only => [:create, :update, :delete]
- before_action :api_deny_access_handler
authorize_resource
--- /dev/null
+class ApiController < ApplicationController
+ skip_before_action :verify_authenticity_token
+
+ private
+
+ def authorize(realm = "Web Password", errormessage = "Couldn't authenticate you")
+ # make the current_user object from any auth sources we have
+ setup_user_auth
+
+ # handle authenticate pass/fail
+ unless current_user
+ # no auth, the user does not exist or the password was wrong
+ response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
+ render :plain => errormessage, :status => :unauthorized
+ return false
+ end
+ end
+
+ def deny_access(_exception)
+ if current_token
+ set_locale
+ report_error t("oauth.permissions.missing"), :forbidden
+ elsif current_user
+ head :forbidden
+ else
+ realm = "Web Password"
+ errormessage = "Couldn't authenticate you"
+ response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
+ render :plain => errormessage, :status => :unauthorized
+ end
+ end
+
+ def gpx_status
+ status = database_status
+ status = "offline" if status == "online" && Settings.status == "gpx_offline"
+ status
+ end
+
+ ##
+ # sets up the current_user for use by other methods. this is mostly called
+ # from the authorize method, but can be called elsewhere if authorisation
+ # is optional.
+ def setup_user_auth
+ # try and setup using OAuth
+ unless Authenticator.new(self, [:token]).allow?
+ username, passwd = get_auth_data # parse from headers
+ # authenticate per-scheme
+ self.current_user = if username.nil?
+ nil # no authentication provided - perhaps first connect (client should retry after 401)
+ elsif username == "token"
+ User.authenticate(:token => passwd) # preferred - random token for user from db, passed in basic auth
+ else
+ User.authenticate(:username => username, :password => passwd) # basic auth
+ end
+ end
+
+ # have we identified the user?
+ if current_user
+ # check if the user has been banned
+ user_block = current_user.blocks.active.take
+ unless user_block.nil?
+ set_locale
+ if user_block.zero_hour?
+ report_error t("application.setup_user_auth.blocked_zero_hour"), :forbidden
+ else
+ report_error t("application.setup_user_auth.blocked"), :forbidden
+ end
+ end
+
+ # if the user hasn't seen the contributor terms then don't
+ # allow editing - they have to go to the web site and see
+ # (but can decline) the CTs to continue.
+ if !current_user.terms_seen && flash[:skip_terms].nil?
+ set_locale
+ report_error t("application.setup_user_auth.need_to_see_terms"), :forbidden
+ end
+ end
+ end
+end
attr_accessor :current_user
helper_method :current_user
+ private
+
def authorize_web
if session[:user]
self.current_user = User.where(:id => session[:user]).where("status IN ('active', 'confirmed', 'suspended')").first
end
end
- ##
- # sets up the current_user for use by other methods. this is mostly called
- # from the authorize method, but can be called elsewhere if authorisation
- # is optional.
- def setup_user_auth
- # try and setup using OAuth
- unless Authenticator.new(self, [:token]).allow?
- username, passwd = get_auth_data # parse from headers
- # authenticate per-scheme
- self.current_user = if username.nil?
- nil # no authentication provided - perhaps first connect (client should retry after 401)
- elsif username == "token"
- User.authenticate(:token => passwd) # preferred - random token for user from db, passed in basic auth
- else
- User.authenticate(:username => username, :password => passwd) # basic auth
- end
- end
-
- # have we identified the user?
- if current_user
- # check if the user has been banned
- user_block = current_user.blocks.active.take
- unless user_block.nil?
- set_locale
- if user_block.zero_hour?
- report_error t("application.setup_user_auth.blocked_zero_hour"), :forbidden
- else
- report_error t("application.setup_user_auth.blocked"), :forbidden
- end
- end
-
- # if the user hasn't seen the contributor terms then don't
- # allow editing - they have to go to the web site and see
- # (but can decline) the CTs to continue.
- if !current_user.terms_seen && flash[:skip_terms].nil?
- set_locale
- report_error t("application.setup_user_auth.need_to_see_terms"), :forbidden
- end
- end
- end
-
- def authorize(realm = "Web Password", errormessage = "Couldn't authenticate you")
- # make the current_user object from any auth sources we have
- setup_user_auth
-
- # handle authenticate pass/fail
- unless current_user
- # no auth, the user does not exist or the password was wrong
- response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
- render :plain => errormessage, :status => :unauthorized
- return false
- end
- end
-
def check_database_readable(need_api = false)
if Settings.status == "database_offline" || (need_api && Settings.status == "api_offline")
if request.xhr?
status
end
- def gpx_status
- status = database_status
- status = "offline" if status == "online" && Settings.status == "gpx_offline"
- status
- end
-
def require_public_data
unless current_user.data_public?
report_error "You must make your edits public to upload new data", :forbidden
end
end
- def deny_access(exception)
- if @api_deny_access_handling
- api_deny_access(exception)
- else
- web_deny_access(exception)
- end
- end
-
- def web_deny_access(_exception)
+ def deny_access(_exception)
if current_token
set_locale
report_error t("oauth.permissions.missing"), :forbidden
end
end
- def api_deny_access(_exception)
- if current_token
- set_locale
- report_error t("oauth.permissions.missing"), :forbidden
- elsif current_user
- head :forbidden
- else
- realm = "Web Password"
- errormessage = "Couldn't authenticate you"
- response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
- render :plain => errormessage, :status => :unauthorized
- end
- end
-
- attr_accessor :api_access_handling
-
- def api_deny_access_handler
- @api_deny_access_handling = true
- end
-
- private
-
# extract authorisation credentials from headers, returns user = nil if none
def get_auth_data
if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it
before_action :authorize_web
before_action :set_locale
- before_action(:except => [:query]) { |c| c.check_database_readable(true) }
+ before_action -> { check_database_readable(true) }
before_action :require_oauth
around_action :web_timeout
authorize_resource :class => false
authorize_resource
- before_action(:only => [:index]) { |c| c.check_database_readable(true) }
+ before_action -> { check_database_readable(true) }
around_action :web_timeout
##
skip_before_action :verify_authenticity_token, :except => [:index]
before_action :authorize_web
before_action :set_locale
- before_action(:only => [:index, :feed]) { |c| c.check_database_readable(true) }
+ before_action -> { check_database_readable(true) }, :only => [:index, :feed]
authorize_resource
projects / rails.git / commitdiff