From: Tom Hughes
Date: Wed, 9 Jan 2019 17:16:01 +0000 (+0000)
Subject: Merge remote-tracking branch 'upstream/pull/2106'
X-Git-Tag: live~2750
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/09b6560e81f56712c6241c7f525df45daf7580c5?hp=1b292d2389986ab5c8a5db19dccdb635f4d7d2d0
Merge remote-tracking branch 'upstream/pull/2106'
---
diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index 6dbeb0b64..9981f62eb 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -12,6 +12,7 @@ class Ability
 :search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
 can [:index, :create, :comment, :feed, :show, :search, :mine], Note
 can [:index, :show], Redaction
+ can [:index, :show, :data, :georss, :picture, :icon], Trace
 can [:terms, :api_users, :login, :logout, :new, :create, :save, :confirm, :confirm_resend, :confirm_email, :lost_password, :reset_password, :show, :api_read, :auth_success, :auth_failure], User
 can [:index, :show, :blocks_on, :blocks_by], UserBlock
@@ -20,6 +21,7 @@ class Ability
 can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry
 can [:close, :reopen], Note
 can [:new, :create], Report
+ can [:mine, :new, :create, :edit, :update, :delete, :api_create, :api_read, :api_update, :api_delete, :api_data], Trace
 can [:account, :go_public, :make_friend, :remove_friend, :api_details, :api_gpx_files], User
 can [:read, :read_one, :update, :update_one, :delete_one], UserPreference
diff --git a/app/abilities/capability.rb b/app/abilities/capability.rb
index fdc53891a..556d4036c 100644
--- a/app/abilities/capability.rb
+++ b/app/abilities/capability.rb
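Review bot: Every new `can ... Trace` grant in the two ability.rb hunks is class-level with no block or hash condition, so the rules cannot express what actually decides access to a trace: the anonymous section (hunk at `-12,6`) grants `:data`, `:picture` and `:icon` on every Trace irrespective of its visibility, and the logged-in section (hunk at `-20,6`) grants `:edit`, `:update`, `:delete`, `:api_update` and `:api_delete` on every Trace rather than only the current user's own; the token-scoped `:api_update`/`:api_delete` line added in capability.rb has the same shape. If TracesController keeps enforcing visibility and ownership inside the actions (not visible in this diff), record that where the grants live, e.g. `# Class-level grants only: per-trace visibility and ownership are checked in TracesController`; otherwise these lines need conditions along the lines of `can [:edit, :update, :delete], Trace, :user_id => user.id` (assuming Trace has a `user_id` column and `user` is the Ability's argument). Separately, listing both `:edit` and `:update` looks redundant, since CanCan's default aliases fold `:edit` into `:update`.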
@@ -5,6 +5,8 @@ class Capability
 def initialize(token)
 can [:create, :comment, :close, :reopen], Note if capability?(token, :allow_write_notes)
+ can [:api_read, :api_data], Trace if capability?(token, :allow_read_gpx)
+ can [:api_create, :api_update, :api_delete], Trace if capability?(token, :allow_write_gpx)
 can [:api_details], User if capability?(token, :allow_read_prefs)
 can [:api_gpx_files], User if capability?(token, :allow_read_gpx)
 can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs)
diff --git a/app/controllers/traces_controller.rb b/app/controllers/traces_controller.rb
index b78ae2959..253bc4160 100644
--- a/app/controllers/traces_controller.rb
+++ b/app/controllers/traces_controller.rb
@@ -4,14 +4,15 @@ class TracesController < ApplicationController
 skip_before_action :verify_authenticity_token, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data]
 before_action :authorize_web
 before_action :set_locale
- before_action :require_user, :only => [:mine, :new, :create, :edit, :delete]
 before_action :authorize, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data]
+ before_action :api_deny_access_handler, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data]
+
+ authorize_resource
+
 before_action :check_database_readable, :except => [:api_read, :api_data]
 before_action :check_database_writable, :only => [:new, :create, :edit, :delete, :api_create, :api_update, :api_delete]
 before_action :check_api_readable, :only => [:api_read, :api_data]
 before_action :check_api_writable, :only => [:api_create, :api_update, :api_delete]
- before_action :require_allow_read_gpx, :only => [:api_read, :api_data]
- before_action :require_allow_write_gpx, :only => [:api_create, :api_update, :api_delete]
 before_action :offline_warning, :only => [:mine, :show]
 before_action :offline_redirect, :only => [:new, :create, :edit, :delete, :data, :api_create, :api_delete, :api_data]
 around_action :api_call_handle_error, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data]
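Review bot: With `before_action :require_user` removed, `authorize_resource` is now the only check keeping an anonymous visitor out of `mine`, `new`, `create`, `edit` and `delete`, and it works only because the Ability's anonymous section does not list those actions; whether the resulting `CanCan::AccessDenied` still sends the visitor to the login page rather than a 403 depends on the `deny_access` handler in ApplicationController, which is outside this hunk and deserves a comment here. Nothing in the hunk loads `@trace` before `authorize_resource` runs, so it appears to authorize against the Trace class only; per-trace visibility (`show`, `data`, `picture`, `icon`) and ownership (`edit`, `delete`, `api_update`, `api_delete`) presumably remain the individual actions' job, which is not stated anywhere in the file header. The placement of `api_deny_access_handler` ahead of `authorize_resource` looks deliberate — the handler must be armed before the check can raise — and should be said explicitly so a later reorder does not silently turn API denials into HTML redirects. Suggested comment above `authorize_resource`: `# Class-level check only: anonymous users are rejected by the Ability rules (deny_access decides redirect vs 403); per-trace visibility and ownership are enforced in each action`.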