From: Matt Amos Date: Fri, 2 Oct 2009 15:36:46 +0000 (+0000) Subject: Merging 17905:17944 from trunk. X-Git-Tag: live~6596^2~2 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/17f05fdb13cab3fc2f430c54ec7ad6557c53eeeb?hp=d0f228879741a8d35ae7d9e98d3fe3c9e227a1fa Merging 17905:17944 from trunk. --- diff --git a/app/controllers/amf_controller.rb b/app/controllers/amf_controller.rb index 86ca3f5fb..32ed9b653 100644 --- a/app/controllers/amf_controller.rb +++ b/app/controllers/amf_controller.rb @@ -178,6 +178,7 @@ class AmfController < ApplicationController amf_handle_error("'startchangeset'",nil,nil) do user = getuser(usertoken) if !user then return -1,"You are not logged in, so Potlatch can't write any changes to the database." end + unless user.active_blocks.empty? then return -1,t('application.setup_user_auth.blocked') end # close previous changeset and add comment if closeid @@ -472,7 +473,8 @@ class AmfController < ApplicationController def findgpx(searchterm, usertoken) amf_handle_error_with_timeout("'findgpx'" ,nil,nil) do user = getuser(usertoken) - if !uid then return -1,"You must be logged in to search for GPX traces.",[] end + if !user then return -1,"You must be logged in to search for GPX traces.",[] end + unless user.active_blocks.empty? then return -1,t('application.setup_user_auth.blocked'),[] end gpxs = [] if searchterm.to_i>0 then @@ -538,6 +540,7 @@ class AmfController < ApplicationController amf_handle_error("'putrelation' #{relid}" ,'relation',relid) do user = getuser(usertoken) if !user then return -1,"You are not logged in, so the relation could not be saved." end + unless user.active_blocks.empty? then return -1,t('application.setup_user_auth.blocked') end if !tags_ok(tags) then return -1,"One of the tags is invalid. Please pester Adobe to fix Flash on Linux." end tags = strip_non_xml_chars tags @@ -625,6 +628,7 @@ class AmfController < ApplicationController user = getuser(usertoken) if !user then return -1,"You are not logged in, so the way could not be saved." end + unless user.active_blocks.empty? then return -1,t('application.setup_user_auth.blocked') end if pointlist.length < 2 then return -2,"Server error - way is only #{points.length} points long." end if !tags_ok(attributes) then return -1,"One of the tags is invalid. Please pester Adobe to fix Flash on Linux." end attributes = strip_non_xml_chars attributes @@ -729,6 +733,7 @@ class AmfController < ApplicationController amf_handle_error("'putpoi' #{id}", 'node',id) do user = getuser(usertoken) if !user then return -1,"You are not logged in, so the point could not be saved." end + unless user.active_blocks.empty? then return -1,t('application.setup_user_auth.blocked') end if !tags_ok(tags) then return -1,"One of the tags is invalid. Please pester Adobe to fix Flash on Linux." end tags = strip_non_xml_chars tags @@ -811,6 +816,7 @@ class AmfController < ApplicationController amf_handle_error("'deleteway' #{way_id}" ,'way',id) do user = getuser(usertoken) unless user then return -1,"You are not logged in, so the way could not be deleted." end + unless user.active_blocks.empty? then return -1,t('application.setup_user_auth.blocked') end way_id = way_id.to_i nodeversions = {} diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index c43271b93..c701d8add 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -78,6 +78,12 @@ class ApplicationController < ActionController::Base @user = User.authenticate(:username => username, :password => passwd) # basic auth end end + + # check if the user has been banned + unless @user.nil? or @user.active_blocks.empty? + # NOTE: need slightly more helpful message than this. + render :text => t('application.setup_user_auth.blocked'), :status => :forbidden + end end def authorize(realm='Web Password', errormessage="Couldn't authenticate you") diff --git a/app/controllers/user_blocks_controller.rb b/app/controllers/user_blocks_controller.rb new file mode 100644 index 000000000..fd9f03c4a --- /dev/null +++ b/app/controllers/user_blocks_controller.rb @@ -0,0 +1,156 @@ +class UserBlocksController < ApplicationController + layout 'site' + + before_filter :authorize_web + before_filter :set_locale + before_filter :require_user, :only => [:new, :create, :edit, :update, :revoke] + before_filter :require_moderator, :only => [:create, :update, :revoke] + before_filter :lookup_this_user, :only => [:new, :create, :blocks_on, :blocks_by] + before_filter :lookup_user_block, :only => [:show, :edit, :update, :revoke] + before_filter :require_valid_params, :only => [:create, :update] + before_filter :check_database_readable + before_filter :check_database_writable, :only => [:create, :update, :revoke] + + def index + @user_blocks_pages, @user_blocks = paginate(:user_blocks, + :include => [:user, :creator, :revoker], + :order => "user_blocks.ends_at DESC", + :per_page => 20) + end + + def show + if @user and @user.id == @user_block.user_id + @user_block.needs_view = false + @user_block.save! + end + end + + def new + @user_block = UserBlock.new + end + + def edit + params[:user_block_period] = ((@user_block.ends_at - Time.now.getutc) / 1.hour).ceil.to_s + end + + def create + unless @valid_params + redirect_to :action => "new" + return + end + + @user_block = UserBlock.new(:user_id => @this_user.id, + :creator_id => @user.id, + :reason => params[:user_block][:reason], + :ends_at => Time.now.getutc() + @block_period.hours, + :needs_view => params[:user_block][:needs_view]) + + if @user_block.save + flash[:notice] = t('user_block.create.flash', :name => @this_user.display_name) + redirect_to @user_block + else + render :action => "new" + end + end + + def update + unless @valid_params + redirect_to :action => "edit" + return + end + + if @user_block.creator_id != @user.id + flash[:notice] = t('user_block.update.only_creator_can_edit') + redirect_to :action => "edit" + return + end + + if @user_block.update_attributes({ :ends_at => Time.now.getutc() + @block_period.hours, + :reason => params[:user_block][:reason], + :needs_view => params[:user_block][:needs_view] }) + flash[:notice] = t('user_block.update.success') + redirect_to(@user_block) + else + render :action => "edit" + end + end + + ## + # revokes the block, setting the end_time to now + def revoke + if params[:confirm] + if @user_block.revoke! @user + flash[:notice] = t'user_block.revoke.flash' + redirect_to(@user_block) + end + end + end + + ## + # shows a list of all the blocks on the given user + def blocks_on + @user_blocks_pages, @user_blocks = paginate(:user_blocks, + :include => [:user, :creator, :revoker], + :conditions => {:user_id => @this_user.id}, + :order => "user_blocks.ends_at DESC", + :per_page => 20) + end + + ## + # shows a list of all the blocks by the given user. + def blocks_by + @user_blocks_pages, @user_blocks = paginate(:user_blocks, + :include => [:user, :creator, :revoker], + :conditions => {:creator_id => @this_user.id}, + :order => "user_blocks.ends_at DESC", + :per_page => 20) + end + + private + ## + # require that the user is a moderator, or fill out a helpful error message + # and return them to the blocks index. + def require_moderator + unless @user.moderator? + flash[:notice] = t('user_block.filter.not_a_moderator') + redirect_to :action => 'index' + end + end + + ## + # ensure that there is a "this_user" instance variable + def lookup_this_user + @this_user = User.find_by_display_name(params[:display_name]) + rescue ActiveRecord::RecordNotFound + redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name] unless @this_user + end + + ## + # ensure that there is a "user_block" instance variable + def lookup_user_block + @user_block = UserBlock.find(params[:id]) + rescue ActiveRecord::RecordNotFound + render :action => "not_found", :status => :not_found + end + + ## + # check that the input parameters are valid, setting an instance + # variable if not. note that this doesn't do any redirection, as it's + # called before two different actions, each of which should redirect + # to a different place. + def require_valid_params + @block_period = params[:user_block_period].to_i + @valid_params = false + + if !UserBlock::PERIODS.include?(@block_period) + flash[:notice] = t('user_block.filter.block_period') + + elsif @user_block and !@user_block.active? + flash[:notice] = t('user_block.filter.block_expired') + + else + @valid_params = true + end + end + +end diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb index cee66274f..93cc3a6a5 100644 --- a/app/controllers/user_controller.rb +++ b/app/controllers/user_controller.rb @@ -142,36 +142,36 @@ class UserController < ApplicationController end def login - if session[:user] - # The user is logged in already, if the referer param exists, redirect them to that - if params[:referer] - redirect_to params[:referer] - else - redirect_to :controller => 'site', :action => 'index' - end - return - end - - @title = t 'user.login.title' - - if params[:user] + if params[:user] and session[:user].nil? email_or_display_name = params[:user][:email] pass = params[:user][:password] user = User.authenticate(:username => email_or_display_name, :password => pass) if user session[:user] = user.id - if params[:referer] - redirect_to params[:referer] - else - redirect_to :controller => 'site', :action => 'index' - end - return elsif User.authenticate(:username => email_or_display_name, :password => pass, :inactive => true) @notice = t 'user.login.account not active' else @notice = t 'user.login.auth failure' end end + + if session[:user] + # The user is logged in, if the referer param exists, redirect them to that + # unless they've also got a block on them, in which case redirect them to + # the block so they can clear it. + user = User.find(session[:user]) + block = user.blocked_on_view + if block + redirect_to block, :referrer => params[:referrer] + elsif params[:referer] + redirect_to params[:referer] + else + redirect_to :controller => 'site', :action => 'index' + end + return + end + + @title = t 'user.login.title' end def logout diff --git a/app/controllers/user_roles_controller.rb b/app/controllers/user_roles_controller.rb new file mode 100644 index 000000000..ee4de7ce0 --- /dev/null +++ b/app/controllers/user_roles_controller.rb @@ -0,0 +1,83 @@ +class UserRolesController < ApplicationController + layout 'site' + + before_filter :authorize_web + before_filter :require_user + before_filter :lookup_this_user + before_filter :require_administrator + before_filter :require_valid_role + before_filter :not_in_role, :only => [:grant] + before_filter :in_role, :only => [:revoke] + around_filter :setup_nonce + + def grant + @this_user.roles.create(:role => @role, :granter_id => @user.id) + redirect_to :controller => 'user', :action => 'view', :display_name => @this_user.display_name + end + + def revoke + UserRole.delete_all({:user_id => @this_user.id, :role => @role}) + redirect_to :controller => 'user', :action => 'view', :display_name => @this_user.display_name + end + + private + def require_administrator + unless @user.administrator? + flash[:notice] = t'user_role.filter.not_an_administrator' + redirect_to :controller => 'user', :action => 'view', :display_name => @this_user.display_name + end + end + + ## + # ensure that there is a "this_user" instance variable + def lookup_this_user + @this_user = User.find_by_display_name(params[:display_name]) + rescue ActiveRecord::RecordNotFound + redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name] unless @this_user + end + + ## + # the random nonce here which isn't predictable, making an CSRF + # procedure much, much more difficult. setup the nonce. if the given + # nonce matches the session nonce then yield into the actual method. + # otherwise, just sets up the nonce for the form. + def setup_nonce + if params[:nonce] and params[:nonce] == session[:nonce] + @nonce = params[:nonce] + yield + else + @nonce = OAuth::Helper.generate_nonce + session[:nonce] = @nonce + render + end + end + + ## + # require that the given role is valid. the role is a URL + # parameter, so should always be present. + def require_valid_role + @role = params[:role] + unless UserRole::ALL_ROLES.include?(@role) + flash[:notice] = t('user_role.filter.not_a_role', :role => @role) + redirect_to :controller => 'user', :action => 'view', :display_name => @this_user.display_name + end + end + + ## + # checks that the user doesn't already have this role + def not_in_role + if @this_user.has_role? @role + flash[:notice] = t('user_role.filter.already_has_role', :role => @role) + redirect_to :controller => 'user', :action => 'view', :display_name => @this_user.display_name + end + end + + ## + # checks that the user already has this role + def in_role + unless @this_user.has_role? @role + flash[:notice] = t('user_role.filter.doesnt_have_role', :role => @role) + redirect_to :controller => 'user', :action => 'view', :display_name => @this_user.display_name + end + end +end diff --git a/app/helpers/user_blocks_helper.rb b/app/helpers/user_blocks_helper.rb new file mode 100644 index 000000000..3cd9373c1 --- /dev/null +++ b/app/helpers/user_blocks_helper.rb @@ -0,0 +1,20 @@ +module UserBlocksHelper + ## + # returns a translated string representing the status of the + # user block (i.e: whether it's active, what the expiry time is) + def block_status(block) + if block.active? + if block.needs_view? + I18n.t('user_block.helper.until_login') + else + I18n.t('user_block.helper.time_future', :time => distance_of_time_in_words_to_now(block.ends_at)) + end + else + # the max of the last update time or the ends_at time is when this block finished + # either because the user viewed the block (updated_at) or it expired or was + # revoked (ends_at) + last_time = [block.ends_at, block.updated_at].max + I18n.t('user_block.helper.time_past', :time => distance_of_time_in_words_to_now(last_time)) + end + end +end diff --git a/app/models/user.rb b/app/models/user.rb index 9d7d233b7..54b3fa371 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -14,6 +14,9 @@ class User < ActiveRecord::Base has_many :client_applications has_many :oauth_tokens, :class_name => "OauthToken", :order => "authorized_at desc", :include => [:client_application] + has_many :active_blocks, :class_name => "UserBlock", :conditions => ['user_blocks.ends_at > \'#{Time.now.getutc.xmlschema(5)}\' or user_blocks.needs_view'] + has_many :roles, :class_name => "UserRole" + validates_presence_of :email, :display_name validates_confirmation_of :email#, :message => ' addresses must match' validates_confirmation_of :pass_crypt#, :message => ' must match the confirmation password' @@ -125,6 +128,31 @@ class User < ActiveRecord::Base return false end + ## + # returns true if the user has the moderator role, false otherwise + def moderator? + has_role? 'moderator' + end + + ## + # returns true if the user has the administrator role, false otherwise + def administrator? + has_role? 'administrator' + end + + ## + # returns true if the user has the requested role + def has_role?(role) + roles.any? { |r| r.role == role } + end + + ## + # returns the first active block which would require users to view + # a message, or nil if there are none. + def blocked_on_view + active_blocks.detect { |b| b.needs_view? } + end + def delete self.active = false self.display_name = "user_#{self.id}" diff --git a/app/models/user_block.rb b/app/models/user_block.rb new file mode 100644 index 000000000..23e1bcab6 --- /dev/null +++ b/app/models/user_block.rb @@ -0,0 +1,35 @@ +class UserBlock < ActiveRecord::Base + validate :moderator_permissions + + belongs_to :user, :class_name => "User", :foreign_key => :user_id + belongs_to :creator, :class_name => "User", :foreign_key => :creator_id + belongs_to :revoker, :class_name => "User", :foreign_key => :revoker_id + + PERIODS = APP_CONFIG['user_block_periods'] + + ## + # returns true if the block is currently active (i.e: the user can't + # use the API). + def active? + needs_view or ends_at > Time.now.getutc + end + + ## + # revokes the block, allowing the user to use the API again. the argument + # is the user object who is revoking the ban. + def revoke!(revoker) + update_attributes({ :ends_at => Time.now.getutc(), + :revoker_id => revoker.id, + :needs_view => false }) + end + + private + ## + # validate that only moderators are allowed to change the + # block. this should be caught and dealt with in the controller, + # but i've also included it here just in case. + def moderator_permissions + errors.add_to_base(I18n.t('user_block.model.non_moderator_update')) if creator_id_changed? and !creator.moderator? + errors.add_to_base(I18n.t('user_block.model.non_moderator_revoke')) unless revoker_id.nil? or revoker.moderator? + end +end diff --git a/app/models/user_role.rb b/app/models/user_role.rb new file mode 100644 index 000000000..fb783281e --- /dev/null +++ b/app/models/user_role.rb @@ -0,0 +1,8 @@ +class UserRole < ActiveRecord::Base + belongs_to :user + + ALL_ROLES = ['administrator', 'moderator'] + + validates_inclusion_of :role, :in => ALL_ROLES + validates_uniqueness_of :role, :scope => :user_id +end diff --git a/app/views/user/view.html.erb b/app/views/user/view.html.erb index 7769ffaa6..4a8fde862 100644 --- a/app/views/user/view.html.erb +++ b/app/views/user/view.html.erb @@ -1,4 +1,15 @@ -

<%= h(@this_user.display_name) %>

+

<%= h(@this_user.display_name) %> +<% UserRole::ALL_ROLES.each do |role| %> +<% if @user and @user.administrator? %> +<% if @this_user.has_role? role %> +<%= link_to(image_tag("roles/#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.revoke.#{role}"), :title => t("user.view.role.revoke.#{role}")), :controller => 'user_roles', :action => 'revoke', :display_name => @this_user.display_name, :role => role) %> +<% else %> +<%= link_to(image_tag("roles/blank_#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.grant.#{role}"), :title => t("user.view.role.grant.#{role}")), :controller => 'user_roles', :action => 'grant', :display_name => @this_user.display_name, :role => role) %> +<% end %> +<% elsif @this_user.has_role? role %> +<%= image_tag("roles/#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.#{role}"), :title => t("user.view.role.#{role}")) %> +<% end %> +<% end %>

<% if @user and @this_user.id == @user.id %> @@ -7,6 +18,10 @@ | <%= link_to t('user.view.my edits'), :controller => 'changeset', :action => 'list', :display_name => @user.display_name %> | <%= link_to t('user.view.my traces'), :controller => 'trace', :action=>'mine' %> | <%= link_to t('user.view.my settings'), :controller => 'user', :action => 'account', :display_name => @user.display_name %> +| <%= link_to t('user.view.blocks on me'), :controller => 'user_blocks', :action => 'blocks_on', :display_name => @user.display_name %> +<% if @user and @user.moderator? %> +| <%= link_to t('user.view.blocks by me'), :controller => 'user_blocks', :action => 'blocks_by', :display_name => @user.display_name %> +<% end %> <% else %> <%= link_to t('user.view.send message'), :controller => 'message', :action => 'new', :display_name => @this_user.display_name %> @@ -18,6 +33,13 @@ <% else %> <%= link_to t('user.view.add as friend'), :controller => 'user', :action => 'make_friend', :display_name => @this_user.display_name %> <% end %> +| <%= link_to t('user.view.block_history'), :controller => 'user_blocks', :action => 'blocks_on', :display_name => @this_user.display_name %> +<% if @this_user.moderator? %> +| <%= link_to t('user.view.moderator_history'), :controller => 'user_blocks', :action => 'blocks_by', :display_name => @this_user.display_name %> +<% end %> +<% if @user and @user.moderator? %> +| <%= link_to t('user.view.create_block'), :controller => 'user_blocks', :action => 'new', :display_name => @this_user.display_name %> +<% end %> <% end %>
diff --git a/app/views/user_blocks/_block.html.erb b/app/views/user_blocks/_block.html.erb new file mode 100644 index 000000000..0e2b3a287 --- /dev/null +++ b/app/views/user_blocks/_block.html.erb @@ -0,0 +1,24 @@ + + <% c1 = cycle('table0', 'table1') %> + + <% if show_user_name %> + <%= link_to h(block.user.display_name), :controller => 'user', :action => 'view', :display_name => block.user.display_name %> + <% end %> + <% if show_creator_name %> + <%= link_to h(block.creator.display_name), :controller => 'user', :action => 'view', :display_name => block.creator.display_name %> + <% end %> + <%=h truncate(block.reason) %> + <%=h block_status(block) %> + + <% if block.revoker_id.nil? %> + <%= t('user_block.partial.not_revoked') %> + <% else %> + <%= link_to h(block.revoker.display_name), :controller => 'user', :action => 'view', :display_name => block.revoker.display_name %> + <% end %> + + <%= link_to t('user_block.partial.show'), block %> + <% if @user and @user.id == block.creator_id and block.active? %><%= link_to t('user_block.partial.edit'), edit_user_block_path(block) %><% end %> + <% if show_revoke_link %> + <% if block.active? %><%= link_to t('user_block.partial.revoke'), block, :confirm => t('user_block.partial.confirm'), :action => :revoke %><% end %> + <% end %> + diff --git a/app/views/user_blocks/_blocks.html.erb b/app/views/user_blocks/_blocks.html.erb new file mode 100644 index 000000000..cdb224c2e --- /dev/null +++ b/app/views/user_blocks/_blocks.html.erb @@ -0,0 +1,23 @@ +<% unless @user_blocks.empty? %> + + + <% if show_user_name %> + + <% end %> + <% if show_creator_name %> + + <% end %> + + + + + + <% if show_revoke_link %> + + <% end %> + + <%= render :partial => 'block', :locals => {:show_revoke_link => show_revoke_link, :show_user_name => show_user_name, :show_creator_name => show_creator_name }, :collection => @user_blocks %> +
<%= t'user_block.partial.display_name' %><%= t'user_block.partial.creator_name' %><%= t'user_block.partial.reason' %><%= t'user_block.partial.status' %><%= t'user_block.partial.revoker_name' %>
+<% else %> +

<%= t "user_block.#{blocks_by_on}.empty", :name => h(@this_user.display_name) %>

+<% end %> diff --git a/app/views/user_blocks/blocks_by.html.erb b/app/views/user_blocks/blocks_by.html.erb new file mode 100644 index 000000000..1a910001f --- /dev/null +++ b/app/views/user_blocks/blocks_by.html.erb @@ -0,0 +1,4 @@ +<% @title = t('user_block.blocks_by.title', :name => h(@this_user.display_name)) %> +

<%= t('user_block.blocks_by.heading', :name => link_to(h(@this_user.display_name), {:controller => 'user', :action => 'view', :display_name => @this_user.display_name})) %>

+ +<%= render :partial => 'blocks', :locals => { :blocks_by_on => 'blocks_by', :show_revoke_link => (@user and @user.moderator?), :show_user_name => true, :show_creator_name => false } %> diff --git a/app/views/user_blocks/blocks_on.html.erb b/app/views/user_blocks/blocks_on.html.erb new file mode 100644 index 000000000..9a2b8bc5f --- /dev/null +++ b/app/views/user_blocks/blocks_on.html.erb @@ -0,0 +1,4 @@ +<% @title = t('user_block.blocks_on.title', :name => h(@this_user.display_name)) %> +

<%= t('user_block.blocks_on.heading', :name => link_to(h(@this_user.display_name), {:controller => 'user', :action => 'view', :display_name => @this_user.display_name})) %>

+ +<%= render :partial => 'blocks', :locals => { :blocks_by_on => 'blocks_on', :show_revoke_link => (@user and @user.moderator?), :show_user_name => false, :show_creator_name => true } %> diff --git a/app/views/user_blocks/edit.html.erb b/app/views/user_blocks/edit.html.erb new file mode 100644 index 000000000..387335d9d --- /dev/null +++ b/app/views/user_blocks/edit.html.erb @@ -0,0 +1,28 @@ +<% @title = t 'user_block.edit.title', :name => h(@user_block.user.display_name) %> +

<%= t('user_block.edit.title', + :name => link_to( + h(@user_block.user.display_name), + {:controller => 'user', :action => 'view', :display_name => @user_block.user.display_name})) %>

+ +<% form_for(@user_block) do |f| %> + <%= f.error_messages %> + +

+ <%= f.label :reason, t('user_block.edit.reason', :name => h(@user_block.user.display_name)) %>
+ <%= f.text_area :reason, :cols => 80, :rows => 5 %> +

+

+ <%= label_tag 'user_block_period', t('user_block.edit.period') %>
+ <%= select_tag('user_block_period', options_for_select(UserBlock::PERIODS.collect { |h| [t('user_block.period', :count => h), h.to_s] }, params[:user_block_period])) %> +

+

+ <%= f.check_box :needs_view %> + <%= f.label :needs_view, t('user_block.edit.needs_view') %> +

+

+ <%= f.submit t('user_block.edit.submit') %> +

+<% end %> + +<%= link_to t('user_block.edit.show'), @user_block %> | +<%= link_to t('user_block.edit.back'), user_blocks_path %> diff --git a/app/views/user_blocks/index.html.erb b/app/views/user_blocks/index.html.erb new file mode 100644 index 000000000..8d645f465 --- /dev/null +++ b/app/views/user_blocks/index.html.erb @@ -0,0 +1,4 @@ +<% @title = t('user_block.index.title') %> +

<%= t('user_block.index.heading') %>

+ +<%= render :partial => 'blocks', :locals => { :show_revoke_link => (@user and @user.moderator?), :show_user_name => true, :show_creator_name => true } %> diff --git a/app/views/user_blocks/new.html.erb b/app/views/user_blocks/new.html.erb new file mode 100644 index 000000000..3d3e6855c --- /dev/null +++ b/app/views/user_blocks/new.html.erb @@ -0,0 +1,28 @@ +<% @title = t 'user_block.new.title', :name => h(@this_user.display_name) %> +

<%= t('user_block.new.heading', + :name => link_to( + h(@this_user.display_name), + {:controller => 'user', :action => 'view', :display_name => @this_user.display_name})) %>

+ +<% form_for(@user_block) do |f| %> + <%= f.error_messages %> + +

+ <%= f.label :reason, t('user_block.new.reason', :name => @this_user.display_name) %>
+ <%= f.text_area :reason, :cols => 80, :rows => 5 %> +

+

+ <%= label_tag 'user_block_period', t('user_block.new.period') %>
+ <%= select_tag('user_block_period', options_for_select(UserBlock::PERIODS.collect { |h| [t('user_block.period', :count => h), h.to_s] }, params[:user_block_period] )) %> +

+

+ <%= f.check_box :needs_view %> + <%= f.label :needs_view, t('user_block.new.needs_view') %> +

+

+ <%= hidden_field_tag 'display_name', @this_user.display_name %> + <%= f.submit t('user_block.new.submit') %> +

+<% end %> + +<%= link_to t('user_block.new.back'), user_blocks_path %> diff --git a/app/views/user_blocks/not_found.html.erb b/app/views/user_blocks/not_found.html.erb new file mode 100644 index 000000000..3b5323d72 --- /dev/null +++ b/app/views/user_blocks/not_found.html.erb @@ -0,0 +1,3 @@ +

<%= t'user_block.not_found.sorry', :id => params[:id] %>

+ +<%= link_to t('user_block.not_found.back'), user_blocks_path %> diff --git a/app/views/user_blocks/revoke.html.erb b/app/views/user_blocks/revoke.html.erb new file mode 100644 index 000000000..9f142c802 --- /dev/null +++ b/app/views/user_blocks/revoke.html.erb @@ -0,0 +1,32 @@ +<% @title = t('user_block.revoke.title', + :block_on => h(@user_block.user.display_name), + :block_by => h(@user_block.creator.display_name)) %> +

<%= t('user_block.revoke.heading', + :block_on => link_to( + h(@user_block.user.display_name), + {:controller => 'user', :action => 'view', :display_name => @user_block.user.display_name}), + :block_by => link_to( + h(@user_block.creator.display_name), + {:controller => 'user', :action => 'view', :display_name => @user_block.creator.display_name})) %>

+ +<% if @user_block.ends_at > Time.now %> +

+ <%= t('user_block.revoke.time_future', :time => distance_of_time_in_words_to_now(@user_block.ends_at)) %> +

+ +<% form_for :revoke, :url => { :action => "revoke" } do |f| %> + <%= f.error_messages %> +

+ <%= check_box_tag 'confirm', 'yes' %> + <%= label_tag 'confirm', t('user_block.revoke.confirm') %> +

+

+ <%= submit_tag t('user_block.revoke.revoke') %> +

+<% end %> + +<% else %> +

+ <%= t('user_block.revoke.past', :time => distance_of_time_in_words_to_now(@user_block.ends_at)) %> +

+<% end %> diff --git a/app/views/user_blocks/show.html.erb b/app/views/user_blocks/show.html.erb new file mode 100644 index 000000000..24a1d1e66 --- /dev/null +++ b/app/views/user_blocks/show.html.erb @@ -0,0 +1,34 @@ +<% @title = t('user_block.show.title', + :block_on => @user_block.user.display_name, + :block_by => @user_block.creator.display_name) %> +

<%= t('user_block.show.heading', + :block_on => link_to( + h(@user_block.user.display_name), + {:controller => 'user', :action => 'view', :display_name => @user_block.user.display_name}), + :block_by => link_to( + h(@user_block.creator.display_name), + {:controller => 'user', :action => 'view', :display_name => @user_block.creator.display_name})) %>

+<% if @user_block.revoker %> +

+ <%= t'user_block.show.revoker' %> + <%= link_to h(@user_block.revoker.display_name), :controller => 'user', :action => 'view', :display_name => @user_block.revoker.display_name %> +

+<% end %> + +

<%= t'user_block.show.status' %>: <%= block_status(@user_block) %>

+ +

+ <%= t'user_block.show.reason' %> + <%=h @user_block.reason %> +

+ + +<% if @user_block.ends_at > Time.now.getutc %> +<% if @user and @user.id == @user_block.creator_id %> +<%= link_to t('user_block.show.edit'), edit_user_block_path(@user_block) %> | +<% end %> +<% if @user and @user.moderator? %> +<%= link_to(t('user_block.show.revoke'),{:controller => 'user_blocks', :action => 'revoke', :id => @user_block.id}) %> | +<% end %> +<% end %> +<%= link_to t('user_block.show.back'), user_blocks_path %> diff --git a/app/views/user_roles/grant.html.erb b/app/views/user_roles/grant.html.erb new file mode 100644 index 000000000..f9e54fd1c --- /dev/null +++ b/app/views/user_roles/grant.html.erb @@ -0,0 +1,7 @@ +<% form_tag request.request_uri do %> +<%= hidden_field_tag 'nonce', @nonce %> +<% @title = t('user_role.grant.heading') %> +

<%= t('user_role.grant.heading') %>

+

<%= t('user_role.grant.are_you_sure', :name => params[:display_name], :role => params[:role]) %>

+

<%= submit_tag t'user_role.grant.confirm' %>

+<% end %> diff --git a/app/views/user_roles/revoke.html.erb b/app/views/user_roles/revoke.html.erb new file mode 100644 index 000000000..e5aadeae0 --- /dev/null +++ b/app/views/user_roles/revoke.html.erb @@ -0,0 +1,7 @@ +<% form_tag request.request_uri do %> +<%= hidden_field_tag 'nonce', @nonce %> +<% @title = t('user_role.revoke.heading') %> +

<%= t('user_role.revoke.heading') %>

+

<%= t('user_role.revoke.are_you_sure', :name => params[:display_name], :role => params[:role]) %>

+

<%= submit_tag t'user_role.revoke.confirm' %>

+<% end %> diff --git a/config/application.yml b/config/application.yml index 6241fb621..6a67a5123 100644 --- a/config/application.yml +++ b/config/application.yml @@ -13,6 +13,8 @@ standard_settings: &standard_settings geonames_zoom: 12 # Timeout for API calls in seconds api_timeout: 300 + # Periods (in hours) which are allowed for user blocks + user_block_periods: [0, 1, 3, 6, 12, 24, 48, 96] development: <<: *standard_settings diff --git a/config/locales/en.yml b/config/locales/en.yml index 025c73357..e0902df81 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -805,6 +805,9 @@ en: scheduled_for_deletion: "Track scheduled for deletion" make_public: made_public: "Track made public" + application: + setup_user_auth: + blocked: "Your access to the API has been blocked. Please log-in to the web interface to find out more." oauth: oauthorize: request_access: "The application {{app_name}} is requesting access to your account. Please check whether you would like the application to have the following capabilities. You may choose as many or as few as you like." @@ -924,6 +927,8 @@ en: my edits: my edits my traces: my traces my settings: my settings + blocks on me: blocks on me + blocks by me: blocks by me send message: send message diary: diary edits: edits @@ -949,6 +954,18 @@ en: no nearby users: "There are no users who admit to mapping nearby yet." change your settings: change your settings my_oauth_details: "View my OAuth details" + role: + administrator: "This user is an administrator" + moderator: "This user is a moderator" + grant: + administrator: "Grant administrator access" + moderator: "Grant moderator access" + revoke: + administrator: "Revoke administrator access" + moderator: "Revoke moderator access" + block_history: "view blocks received" + moderator_history: "view blocks given" + create_block: "block this user" friend_map: your location: Your location nearby mapper: "Nearby mapper: [[nearby_user]]" @@ -998,3 +1015,110 @@ en: remove_friend: success: "{{name}} was removed from your friends." not_a_friend: "{{name}} is not one of your friends." + user_role: + filter: + not_an_administrator: "Only administrators can perform user role management, and you are not an administrator." + not_a_role: "The string `{{role}}' isn't a valid role." + already_has_role: "The user already has role {{role}}." + doesnt_have_role: "The user does not have role {{role}}." + grant: + title: Confirm role granting + heading: Confirm role granting + are_you_sure: "Are you sure you want to grant the role `{{role}}' to the user `{{name}}'?" + confirm: "Confirm" + fail: "Couldn't grant role `{{role}}' to user `{{name}}'. Please check that the user and role are both valid." + revoke: + title: Confirm role revoking + heading: Confirm role revoking + are_you_sure: "Are you sure you want to revoke the role `{{role}}' from the user `{{name}}'?" + confirm: "Confirm" + fail: "Couldn't revoke role `{{role}}' from user `{{name}}'. Please check that the user and role are both valid." + user_block: + model: + non_moderator_update: "Must be a moderator to create or update a block." + non_moderator_revoke: "Must be a moderator to revoke a block." + not_found: + sorry: "Sorry, the user block with ID {{id}} could not be found." + back: "Back to index" + new: + title: "Creating block on {{name}}" + heading: "Creating block on {{name}}" + reason: "The reason why {{name}} is being blocked. Please be as calm and as reasonable as possible, giving as much detail as you can about the situation, remembering that the message will be publicly visible. Bear in mind that not all users understand the community jargon, so please try to use laymans terms." + period: "How long, starting now, the user will be blocked from the API for." + submit: "Create block" + tried_contacting: "I have contacted the user and asked them to stop." + tried_waiting: "I have given a reasonable amount of time for the user to respond to those communications." + needs_view: "Does the user need to log in before this block will be cleared?" + back: "View all blocks" + edit: + title: "Editing block on {{name}}" + heading: "Editing block on {{name}}" + reason: "The reason why {{name}} is being blocked. Please be as calm and as reasonable as possible, giving as much detail as you can about the situation. Bear in mind that not all users understand the community jargon, so please try to use laymans terms." + period: "How long, starting now, the user will be blocked from the API for." + submit: "Update block" + show: "View this block" + back: "View all blocks" + needs_view: "Does the user need to log in before this block will be cleared?" + filter: + not_a_moderator: "You need to be a moderator to perform that action." + block_expired: "The block has already expired and cannot be edited." + block_period: "The blocking period must be one of the values selectable in the drop-down list." + create: + try_contacting: "Please try contacting the user before blocking them and giving them a reasonable time to respond." + try_waiting: "Please try giving the user a reasonable time to respond before blocking them." + flash: "Created a block on user {{name}}." + update: + only_creator_can_edit: "Only the moderator who created this block can edit it." + success: "Block updated." + index: + title: "User blocks" + heading: "List of user blocks" + revoke: + title: "Revoking block on {{block_on}}" + heading: "Revoking block on {{block_on}} by {{block_by}}" + time_future: "This block will end in {{time}}." + past: "This block ended {{time}} ago and cannot be revoked now." + confirm: "Are you sure you wish to revoke this block?" + revoke: "Revoke!" + flash: "This block has been revoked." + period: + one: "1 hour" + other: "{{count}} hours" + partial: + show: "Show" + edit: "Edit" + revoke: "Revoke!" + confirm: "Are you sure?" + display_name: "Blocked User" + creator_name: "Creator" + reason: "Reason for block" + status: "Status" + revoker_name: "Revoked by" + not_revoked: "(not revoked)" + helper: + time_future: "Ends in {{time}}." + until_login: "Active until the user logs in." + time_past: "Ended {{time}} ago." + blocks_on: + title: "Blocks on {{name}}" + heading: "List of blocks on {{name}}" + empty: "{{name}} has not been blocked yet." + blocks_by: + title: "Blocks by {{name}}" + heading: "List of blocks by {{name}}" + empty: "{{name}} has not made any blocks yet." + show: + title: "{{block_on}} blocked by {{block_by}}" + heading: "{{block_on}} blocked by {{block_by}}" + time_future: "Ends in {{time}}" + time_past: "Ended {{time}} ago" + status: "Status" + show: "Show" + edit: "Edit" + revoke: "Revoke!" + confirm: "Are you sure?" + reason: "Reason for block:" + back: "View all blocks" + revoker: "Revoker:" + needs_view: "The user needs to log in before this block will be cleared." + diff --git a/config/routes.rb b/config/routes.rb index b8d3fa1a0..1e59ed074 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -1,5 +1,4 @@ ActionController::Routing::Routes.draw do |map| - # API map.connect "api/capabilities", :controller => 'api', :action => 'capabilities' map.connect "api/#{API_VERSION}/capabilities", :controller => 'api', :action => 'capabilities' @@ -202,6 +201,15 @@ ActionController::Routing::Routes.draw do |map| map.access_token '/oauth/access_token', :controller => 'oauth', :action => 'access_token' map.test_request '/oauth/test_request', :controller => 'oauth', :action => 'test_request' + # roles and banning pages + map.connect '/user/:display_name/role/:role/grant', :controller => 'user_roles', :action => 'grant' + map.connect '/user/:display_name/role/:role/revoke', :controller => 'user_roles', :action => 'revoke' + map.connect '/user/:display_name/blocks', :controller => 'user_blocks', :action => 'blocks_on' + map.connect '/user/:display_name/blocks_by', :controller => 'user_blocks', :action => 'blocks_by' + map.resources :user_blocks, :as => 'blocks' + map.connect '/blocks/:id/revoke', :controller => 'user_blocks', :action => 'revoke' + map.connect '/blocks/new/:display_name', :controller => 'user_blocks', :action => 'new' + # fall through map.connect ':controller/:id/:action' map.connect ':controller/:action' diff --git a/db/migrate/044_create_user_roles.rb b/db/migrate/044_create_user_roles.rb new file mode 100644 index 000000000..10ec3ee7b --- /dev/null +++ b/db/migrate/044_create_user_roles.rb @@ -0,0 +1,32 @@ +require 'lib/migrate' + +class CreateUserRoles < ActiveRecord::Migration + def self.up + create_enumeration :user_role_enum, ["administrator", "moderator"] + + create_table :user_roles do |t| + t.column :user_id, :bigint, :null => false + + t.timestamps + end + add_column :user_roles, :role, :user_role_enum, :null => false + + User.all(:conditions => ['administrator = ?', true]).each do |user| + UserRole.create(:user_id => user.id, :role => "administrator") + end + remove_column :users, :administrator + + add_foreign_key :user_roles, [:user_id], :users, [:id] + end + + def self.down + add_column :users, :administrator, :boolean, :default => false, :null => false + UserRole.all(:conditions => ['role = ?', "administrator"]).each do |role| + user = User.find(role.user_id) + user.administrator = true + user.save! + end + drop_table :user_roles + drop_enumeration :user_role_enum + end +end diff --git a/db/migrate/045_create_user_blocks.rb b/db/migrate/045_create_user_blocks.rb new file mode 100644 index 000000000..7276ef1a5 --- /dev/null +++ b/db/migrate/045_create_user_blocks.rb @@ -0,0 +1,26 @@ +require 'lib/migrate' + +class CreateUserBlocks < ActiveRecord::Migration + def self.up + create_table :user_blocks do |t| + t.column :user_id, :bigint, :null => false + t.column :moderator_id, :bigint, :null => false + t.column :reason, :text, :null => false + t.column :end_at, :datetime, :null => false + t.column :needs_view, :boolean, :null => false, :default => false + t.column :revoker_id, :bigint + + t.timestamps + end + + add_foreign_key :user_blocks, [:user_id], :users, [:id] + add_foreign_key :user_blocks, [:moderator_id], :users, [:id] + add_foreign_key :user_blocks, [:revoker_id], :users, [:id] + + add_index :user_blocks, [:user_id] + end + + def self.down + drop_table :user_blocks + end +end diff --git a/db/migrate/046_alter_user_roles_and_blocks.rb b/db/migrate/046_alter_user_roles_and_blocks.rb new file mode 100644 index 000000000..db0813e33 --- /dev/null +++ b/db/migrate/046_alter_user_roles_and_blocks.rb @@ -0,0 +1,29 @@ +require 'lib/migrate' + +class AlterUserRolesAndBlocks < ActiveRecord::Migration + def self.up + # the initial granter IDs can be "self" - there are none of these + # in the current live DB, but there may be some in people's own local + # copies. + add_column :user_roles, :granter_id, :bigint + UserRole.update_all("granter_id = user_id") + change_column :user_roles, :granter_id, :bigint, :null => false + add_foreign_key :user_roles, [:granter_id], :users, [:id] + + # make sure that [user_id, role] is unique + add_index :user_roles, [:user_id, :role], :name => "user_roles_id_role_unique", :unique => true + + # change the user_blocks to have a creator_id rather than moderator_id + rename_column :user_blocks, :moderator_id, :creator_id + + # change the "end_at" column to the more grammatically correct "ends_at" + rename_column :user_blocks, :end_at, :ends_at + end + + def self.down + remove_column :user_roles, :granter_id + remove_index :user_roles, :name => "user_roles_id_role_unique" + rename_column :user_blocks, :creator_id, :moderator_id + rename_column :user_blocks, :ends_at, :end_at + end +end diff --git a/public/403.html b/public/403.html new file mode 100644 index 000000000..667b7c7e8 --- /dev/null +++ b/public/403.html @@ -0,0 +1,12 @@ + + + + +
+

Forbidden

+

The operation you requested on the OpenStreetMap server is only available to administrators (HTTP 403)

+

Feel free to contact the OpenStreetMap community if you have found a broken link / bug. Make a note of the exact URL of your request.

+
+ + diff --git a/public/images/roles/administrator.png b/public/images/roles/administrator.png new file mode 100644 index 000000000..b566decb4 Binary files /dev/null and b/public/images/roles/administrator.png differ diff --git a/public/images/roles/blank_administrator.png b/public/images/roles/blank_administrator.png new file mode 100644 index 000000000..c68f9e427 Binary files /dev/null and b/public/images/roles/blank_administrator.png differ diff --git a/public/images/roles/blank_moderator.png b/public/images/roles/blank_moderator.png new file mode 100644 index 000000000..cf5ceea36 Binary files /dev/null and b/public/images/roles/blank_moderator.png differ diff --git a/public/images/roles/moderator.png b/public/images/roles/moderator.png new file mode 100644 index 000000000..eaedf95d2 Binary files /dev/null and b/public/images/roles/moderator.png differ diff --git a/test/fixtures/user_roles.yml b/test/fixtures/user_roles.yml new file mode 100644 index 000000000..a5f814255 --- /dev/null +++ b/test/fixtures/user_roles.yml @@ -0,0 +1,11 @@ +# Read about fixtures at http://ar.rubyonrails.org/classes/Fixtures.html + +administrator: + user_id: 6 + role: administrator + granter_id: 6 + +moderator: + user_id: 5 + role: moderator + granter_id: 6 diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml index ac0029a62..1849fd4d9 100644 --- a/test/fixtures/users.yml +++ b/test/fixtures/users.yml @@ -51,3 +51,20 @@ second_public_user: home_lon: 87 home_zoom: 12 +moderator_user: + id: 5 + email: moderator@example.com + active: true + pass_crypt: <%= Digest::MD5.hexdigest('test') %> + creation_time: "2008-05-01 01:23:45" + display_name: moderator + data_public: true + +administrator_user: + id: 6 + email: administrator@example.com + active: true + pass_crypt: <%= Digest::MD5.hexdigest('test') %> + creation_time: "2008-05-01 01:23:45" + display_name: administrator + data_public: true diff --git a/test/integration/user_blocks_test.rb b/test/integration/user_blocks_test.rb new file mode 100644 index 000000000..f0b9070d6 --- /dev/null +++ b/test/integration/user_blocks_test.rb @@ -0,0 +1,56 @@ +require File.dirname(__FILE__) + '/../test_helper' + +class UserBlocksTest < ActionController::IntegrationTest + fixtures :users, :user_blocks, :user_roles + + def auth_header(user, pass) + {"HTTP_AUTHORIZATION" => "Basic %s" % Base64.encode64("#{user}:#{pass}")} + end + + def test_api_blocked + blocked_user = users(:public_user) + + get "/api/#{API_VERSION}/user/details" + assert_response :unauthorized + + get "/api/#{API_VERSION}/user/details", nil, auth_header(blocked_user.display_name, "test") + assert_response :success + + # now block the user + UserBlock.create(:user_id => blocked_user.id, + :creator_id => users(:moderator_user).id, + :reason => "testing", + :ends_at => Time.now.getutc + 5.minutes) + get "/api/#{API_VERSION}/user/details", nil, auth_header(blocked_user.display_name, "test") + assert_response :forbidden + end + + def test_api_revoke + blocked_user = users(:public_user) + moderator = users(:moderator_user) + + block = UserBlock.create(:user_id => blocked_user.id, + :creator_id => moderator.id, + :reason => "testing", + :ends_at => Time.now.getutc + 5.minutes) + get "/api/#{API_VERSION}/user/details", nil, auth_header(blocked_user.display_name, "test") + assert_response :forbidden + + # revoke the ban + post '/login', {'user[email]' => moderator.email, 'user[password]' => "test", :referer => "/blocks/#{block.id}/revoke"} + assert_response :redirect + follow_redirect! + assert_response :success + assert_template 'user_blocks/revoke' + post "/blocks/#{block.id}/revoke", {'confirm' => "yes"} + assert_response :redirect + follow_redirect! + assert_response :success + assert_template 'user_blocks/show' + reset! + + # access the API again. this time it should work + get "/api/#{API_VERSION}/user/details", nil, auth_header(blocked_user.display_name, "test") + assert_response :success + end +end diff --git a/test/integration/user_roles_test.rb b/test/integration/user_roles_test.rb new file mode 100644 index 000000000..df8b1561f --- /dev/null +++ b/test/integration/user_roles_test.rb @@ -0,0 +1,46 @@ +require File.dirname(__FILE__) + '/../test_helper' + +class UserRolesControllerTest < ActionController::IntegrationTest + fixtures :users, :user_roles + + test "grant" do + check_fail(:grant, :public_user, :moderator) + check_fail(:grant, :moderator_user, :moderator) + check_success(:grant, :administrator_user, :moderator) + end + + test "revoke" do + check_fail(:revoke, :public_user, :moderator) + check_fail(:revoke, :moderator_user, :moderator) + # this other user doesn't have moderator role, so this fails + check_fail(:revoke, :administrator_user, :moderator) + end + + def check_fail(action, user, role) + post '/login', {'user[email]' => users(user).email, 'user[password]' => "test", :referer => "/"} + assert_response :redirect + follow_redirect! + assert_response :success + + get "/user/#{users(:second_public_user).display_name}/role/#{role}/#{action}" + assert_response :redirect + assert_redirected_to :controller => 'user', :action => 'view', :display_name => users(:second_public_user).display_name + + reset! + end + + def check_success(action, user, role) + post '/login', {'user[email]' => users(user).email, 'user[password]' => "test", :referer => "/"} + assert_response :redirect + follow_redirect! + assert_response :success + + get "/user/#{users(:second_public_user).display_name}/role/#{role}/#{action}" + assert_response :success + post "/user/#{users(:second_public_user).display_name}/role/#{role}/#{action}", {:confirm => "yes", :nonce => session[:nonce]} + assert_response :redirect + assert_redirected_to :controller => 'user', :action => 'view', :display_name => users(:second_public_user).display_name + + reset! + end +end