From: Tom Hughes
Date: Thu, 17 Nov 2022 17:51:46 +0000 (+0000)
Subject: Merge remote-tracking branch 'upstream/pull/3805'
X-Git-Tag: live~1958
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/17e87ab67a88c165a11d67a4a8ecafa9bd7a376f?hp=97b7bac95669e838b2a507e21cb7d05416e52c0a
Merge remote-tracking branch 'upstream/pull/3805'
---
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 9489553a8..2e2233939 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -52,7 +52,7 @@ class SessionsController < ApplicationController
 elsif (user = User.authenticate(:username => username, :password => password, :pending => true))
 unconfirmed_login(user)
 elsif User.authenticate(:username => username, :password => password, :suspended => true)
- failed_login t("sessions.new.account is suspended", :webmaster => "mailto:#{Settings.support_email}").html_safe, username
+ failed_login({ :partial => "sessions/suspended_flash" }, username)
 else
 failed_login t("sessions.new.auth failure"), username
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 603feb4db..1e927aa01 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -290,7 +290,7 @@ class UsersController < ApplicationController
 when "active", "confirmed"
 successful_login(user, request.env["omniauth.params"]["referer"])
 when "suspended"
- failed_login t("sessions.new.account is suspended", :webmaster => "mailto:#{Settings.support_email}").html_safe
+ failed_login({ :partial => "sessions/suspended_flash" })
 else
 failed_login t("sessions.new.auth failure")
 end
diff --git a/app/views/changesets/history.html.erb b/app/views/changesets/history.html.erb
index b11453958..a9970e652 100644
--- a/app/views/changesets/history.html.erb
+++ b/app/views/changesets/history.html.erb
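Review bot: `failed_login` is now passed a render-options hash, `{ :partial => "sessions/suspended_flash" }`, where the removed line passed text, and neither this call nor the matching one in the users_controller.rb hunk documents that the argument may be either. The code that stores and displays the flash is outside these hunks; presumably the hash crosses the redirect in the session, where a serializer can return the key as the string `"partial"`, and is then handed to `render`, so that code should accept only fixed partial names. config/brakeman.yml in this commit still lists `CheckRender` under `:skip_checks:`, so that render path is not scanned. I would add above each call `# flash value is render options, not text; the flash renderer must only accept known partials`. Both enclosing methods begin and end outside the hunks.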
@@ -6,7 +6,7 @@ <% set_title(changeset_index_title(params, current_user)) @heading = if params[:display_name] - t("changesets.index.title_user", :user => link_to(params[:display_name], user_path(:display_name => params[:display_name]))).html_safe + t("changesets.index.title_user_link_html", :user_link => link_to(params[:display_name], user_path(:display_name => params[:display_name]))) else @title end %> diff --git a/app/views/sessions/_suspended_flash.html.erb b/app/views/sessions/_suspended_flash.html.erb new file mode 100644 index 000000000..b8ca5504b --- /dev/null +++ b/app/views/sessions/_suspended_flash.html.erb @@ -0,0 +1,2 @@ +

<%= t ".suspended" %>

+

<%= t ".contact_support_html", :support_link => mail_to(Settings.support_email, t(".support")) %>

diff --git a/config/brakeman.yml b/config/brakeman.yml
index 48faf7b6d..bbf75df03 100644
--- a/config/brakeman.yml
+++ b/config/brakeman.yml
@@ -1,7 +1,5 @@
 :skip_checks:
 # These checks are skipped, but should be considered TODO
-- CheckFileAccess
-- CheckRedirect
 - CheckRender
 - CheckSendFile
 - CheckSQL
diff --git a/config/locales/en.yml b/config/locales/en.yml
index b2d3065cb..8a0651609 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -447,6 +447,7 @@ en:
 index:
 title: "Changesets"
 title_user: "Changesets by %{user}"
+ title_user_link_html: "Changesets by %{user_link}"
 title_friend: "Changesets by my friends"
 title_nearby: "Changesets by nearby users"
 empty: "No changesets found."
@@ -1783,7 +1784,6 @@ en:
 create account minute: Create an account. It only takes a minute.
 no account: Don't have an account?
 account not active: "Sorry, your account is not active yet.
Please use the link in the account confirmation email to activate your account, or request a new confirmation email."
- account is suspended: Sorry, your account has been suspended due to suspicious activity.
Please contact support if you wish to discuss this.
 auth failure: "Sorry, could not log in with those details."
 openid_logo_alt: "Log in with an OpenID"
 auth_providers:
@@ -1815,6 +1815,10 @@ en:
 title: "Logout"
 heading: "Logout from OpenStreetMap"
 logout_button: "Logout"
+ suspended_flash:
+ suspended: Sorry, your account has been suspended due to suspicious activity.
+ contact_support_html: Please contact %{support_link} if you wish to discuss this.
+ support: support
 shared:
 markdown_help:
 title_html: Parsed with kramdown