From: Tom Hughes Date: Thu, 16 May 2024 17:02:03 +0000 (+0100) Subject: Merge remote-tracking branch 'upstream/pull/4802' X-Git-Tag: live~1021 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/25e1145c32c34318edab7a5ce0a059034703ccb0?hp=a1fca17cc75995d1eeb0ea52afb2af1f1c346e6b Merge remote-tracking branch 'upstream/pull/4802' --- diff --git a/Gemfile b/Gemfile index 04395b49a..75387b5d5 100644 --- a/Gemfile +++ b/Gemfile @@ -63,6 +63,7 @@ gem "oauth-plugin", ">= 0.5.1" gem "openstreetmap-deadlock_retry", ">= 1.3.1", :require => "deadlock_retry" gem "rack-cors" gem "rails-i18n", "~> 7.0.0" +gem "rails_param" gem "rinku", ">= 2.0.6", :require => "rails_rinku" gem "strong_migrations" gem "validates_email_format_of", ">= 1.5.1" diff --git a/Gemfile.lock b/Gemfile.lock index 087e19f45..14beee830 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -458,6 +458,9 @@ GEM rails-i18n (7.0.9) i18n (>= 0.7, < 2) railties (>= 6.0.0, < 8) + rails_param (1.3.1) + actionpack (>= 3.2.0) + activesupport (>= 3.2.0) railties (7.1.3.2) actionpack (= 7.1.3.2) activesupport (= 7.1.3.2) @@ -672,6 +675,7 @@ DEPENDENCIES rails (~> 7.1.0) rails-controller-testing rails-i18n (~> 7.0.0) + rails_param rinku (>= 2.0.6) rotp rtlcss diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb index e4e156ee8..edafac7cc 100644 --- a/app/controllers/api_controller.rb +++ b/app/controllers/api_controller.rb 
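Review bot: `gem "rails_param"` is added to the Gemfile without a version constraint, while the neighbouring entries carry one (`">= 1.3.1"`, `"~> 7.0.0"`), so a future `bundle update` may move it across a major release that changes how `param!` coerces or rejects values, and this commit now routes every validation failure in several controllers through that behaviour. The lockfile pins 1.3.1, so `gem "rails_param", "~> 1.3"` would document the tested range without changing what is installed.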
@@ -106,8 +106,12 @@ class ApiController < ApplicationController
 if doorkeeper_token&.accessible?
 self.current_user = User.find(doorkeeper_token.resource_owner_id)
 elsif Authenticator.new(self, [:token]).allow?
- # self.current_user setup by OAuth
- elsif Settings.basic_auth_support
+ if Settings.oauth_10a_support
+ # self.current_user setup by OAuth
+ else
+ report_error t("application.oauth_10a_disabled", :link => t("application.auth_disabled_link")), :forbidden
+ end
+ else
 username, passwd = auth_data # parse from headers
 # authenticate per-scheme
 self.current_user = if username.nil?
@@ -115,8 +119,14 @@ class ApiController < ApplicationController
 else
 User.authenticate(:username => username, :password => passwd) # basic auth
 end
- # log if we have authenticated using basic auth
- logger.info "Authenticated as user #{current_user.id} using basic authentication" if current_user
+ if username && current_user
+ if Settings.basic_auth_support
+ # log if we have authenticated using basic auth
+ logger.info "Authenticated as user #{current_user.id} using basic authentication"
+ else
+ report_error t("application.basic_auth_disabled", :link => t("application.auth_disabled_link")), :forbidden
+ end
+ end
 end
 # have we identified the user?
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 488e6a818..f5accc3c4 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -10,6 +10,8 @@ class ApplicationController < ActionController::Base
 rescue_from CanCan::AccessDenied, :with => :deny_access
 check_authorization
+ rescue_from RailsParam::InvalidParameterError, :with => :invalid_parameter
+
 before_action :fetch_body
 around_action :better_errors_allow_inline, :if => proc { Rails.env.development? }
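Review bot: In the second api_controller hunk the `Settings.basic_auth_support` test comes after `User.authenticate(:username => username, :password => passwd)` has already run, so a deployment that has disabled basic auth still performs a full password check for every request carrying basic credentials, and `current_user` remains assigned when `report_error` fires. Checking the flag right after `username, passwd = auth_data` and rejecting before the per-scheme assignment avoids that work and leaves no authenticated user for the rest of the method, which continues past this hunk and, judging by the `# have we identified the user?` context line, presumably inspects `current_user` again. Something like `report_error t("application.basic_auth_disabled", :link => t("application.auth_disabled_link")), :forbidden if username && !Settings.basic_auth_support` with the existing branch under an `else` would keep the new behaviour for the enabled case. This relies on `report_error` rendering so that the filter chain halts, which the new OAuth 1.0a branch in the first hunk assumes as well.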
@@ -67,6 +69,10 @@ class ApplicationController < ActionController::Base
 @oauth_token = current_user.oauth_token(Settings.oauth_application) if current_user && Settings.key?(:oauth_application)
 end
+ def require_oauth_10a_support
+ report_error t("application.oauth_10a_disabled", :link => t("application.auth_disabled_link")), :forbidden unless Settings.oauth_10a_support
+ end
+
 ##
 # require the user to have cookies enabled in their browser
 def require_cookies
@@ -306,6 +312,17 @@ class ApplicationController < ActionController::Base
 end
 end
+ def invalid_parameter(_exception)
+ if request.get?
+ respond_to do |format|
+ format.html { redirect_to :controller => "/errors", :action => "bad_request" }
+ format.any { head :bad_request }
+ end
+ else
+ head :bad_request
+ end
+ end
+
 # extract authorisation credentials from headers, returns user = nil if none
 def auth_data
 if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it
diff --git a/app/controllers/changesets_controller.rb b/app/controllers/changesets_controller.rb
index 6a80f260a..19ec9c91e 100644
--- a/app/controllers/changesets_controller.rb
+++ b/app/controllers/changesets_controller.rb
@@ -18,6 +18,8 @@ class ChangesetsController < ApplicationController
 ##
 # list non-empty changesets in reverse chronological order
 def index
+ param! :max_id, Integer, :min => 1
+
 @params = params.permit(:display_name, :bbox, :friends, :nearby, :max_id, :list)
 if request.format == :atom && @params[:max_id]
diff --git a/app/controllers/concerns/pagination_methods.rb b/app/controllers/concerns/pagination_methods.rb
index 3dc9f52aa..79ab10bfb 100644
--- a/app/controllers/concerns/pagination_methods.rb
+++ b/app/controllers/concerns/pagination_methods.rb
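Review bot: `invalid_parameter` in the second application_controller hunk discards the exception it receives, so a rejected request produces a bare 400 with no server-side record of which parameter failed validation; renaming the argument and adding `logger.info "Invalid parameter: #{exception.message}"` before the branch would make bursts of malformed requests visible in the logs without exposing anything to the client. The `request.get?` test returns false for HEAD, which the brakeman.ignore entry added later in this commit acknowledges; both branches end in a 400 so the outcome is the same, and a one-line comment such as `# HEAD is not request.get?; it still gets a 400 via the else branch` would save the next reader from re-deriving that. The new `require_oauth_10a_support` in the first hunk has no doc comment while its neighbour `require_cookies` does; `# reject OAuth 1.0a endpoints with 403 when Settings.oauth_10a_support is off` would match the file's style.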
@@ -6,6 +6,9 @@ module PaginationMethods
 ##
 # limit selected items to one page, get ids of first item before/after the page
 def get_page_items(items, includes: [], limit: 20)
+ param! :before, Integer, :min => 1
+ param! :after, Integer, :min => 1
+
 id_column = "#{items.table_name}.id"
 page_items = if params[:before]
 items.where("#{id_column} < ?", params[:before]).order(:id => :desc)
diff --git a/app/controllers/errors_controller.rb b/app/controllers/errors_controller.rb
index ee1fcca6f..605403348 100644
--- a/app/controllers/errors_controller.rb
+++ b/app/controllers/errors_controller.rb
@@ -5,6 +5,13 @@ class ErrorsController < ApplicationController
 before_action :set_locale
+ def bad_request
+ respond_to do |format|
+ format.html { render :status => :bad_request }
+ format.any { render :status => :bad_request, :plain => "" }
+ end
+ end
+
 def forbidden
 respond_to do |format|
 format.html { render :status => :forbidden }
diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index 97efc3eda..26d27692e 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -16,6 +16,8 @@ class NotesController < ApplicationController
 ##
 # Display a list of notes by a specified user
 def index
+ param! :page, Integer, :min => 1
+
 @params = params.permit(:display_name)
 @title = t ".title", :user => @user.display_name
 @page = (params[:page] || 1).to_i
diff --git a/app/controllers/oauth_controller.rb b/app/controllers/oauth_controller.rb
index cd7e48277..49af05b0d 100644
--- a/app/controllers/oauth_controller.rb
+++ b/app/controllers/oauth_controller.rb
@@ -5,6 +5,8 @@ class OauthController < ApplicationController
 # a login, but we want to check authorization on every action.
 authorize_resource :class => false
+ before_action :require_oauth_10a_support
+
 layout "site"
 def revoke
diff --git a/app/controllers/traces/icons_controller.rb b/app/controllers/traces/icons_controller.rb
index ec67a6bb1..a62e6af86 100644
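Review bot: In the notes_controller hunk `@page = (params[:page] || 1).to_i` keeps its `.to_i` even though `param! :page, Integer, :min => 1` now runs first; if rails_param writes the coerced Integer back into `params`, as I believe it does, the conversion is redundant and `@page = params[:page] || 1` says what is meant. The `params[:before]`/`params[:after]` reads below the new `param!` lines in pagination_methods are unaffected either way, since the values are only passed as bound query arguments. A short comment above those `param!` calls, e.g. `# reject non-positive or non-numeric cursors with a 400 before they reach the query`, would record why the validation lives in the concern rather than in each action. `get_page_items` continues past the hunk.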
--- a/app/controllers/traces/icons_controller.rb
+++ b/app/controllers/traces/icons_controller.rb
@@ -6,21 +6,12 @@ module Traces
 authorize_resource :trace
 def show
- trace = Trace.visible.find(params[:trace_id])
+ trace = Trace.visible.imported.find(params[:trace_id])
- if trace.inserted?
- if trace.public? || (current_user && current_user == trace.user)
- if trace.icon.attached?
- redirect_to rails_blob_path(trace.icon, :disposition => "inline")
- else
- expires_in 7.days, :private => !trace.public?, :public => trace.public?
- send_file(trace.icon_picture_name, :filename => "#{trace.id}_icon.gif", :type => "image/gif", :disposition => "inline")
- end
- else
- head :forbidden
- end
+ if trace.public? || (current_user && current_user == trace.user)
+ redirect_to rails_blob_path(trace.icon, :disposition => "inline")
 else
- head :not_found
+ head :forbidden
 end
 rescue ActiveRecord::RecordNotFound
 head :not_found
diff --git a/app/controllers/traces/pictures_controller.rb b/app/controllers/traces/pictures_controller.rb
index 0e0d588cb..0b26ed884 100644
--- a/app/controllers/traces/pictures_controller.rb
+++ b/app/controllers/traces/pictures_controller.rb
@@ -6,21 +6,12 @@ module Traces
 authorize_resource :trace
 def show
- trace = Trace.visible.find(params[:trace_id])
+ trace = Trace.visible.imported.find(params[:trace_id])
- if trace.inserted?
- if trace.public? || (current_user && current_user == trace.user)
- if trace.icon.attached?
- redirect_to rails_blob_path(trace.image, :disposition => "inline")
- else
- expires_in 7.days, :private => !trace.public?, :public => trace.public?
- send_file(trace.large_picture_name, :filename => "#{trace.id}.gif", :type => "image/gif", :disposition => "inline")
- end
- else
- head :forbidden
- end
+ if trace.public? || (current_user && current_user == trace.user)
+ redirect_to rails_blob_path(trace.image, :disposition => "inline")
 else
- head :not_found
+ head :forbidden
 end
 rescue ActiveRecord::RecordNotFound
 head :not_found
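Review bot: Both traces controller hunks drop the `trace.icon.attached?` fallback, so a trace that is `inserted` but has no attachment now reaches `rails_blob_path` with nothing to sign; as far as I can tell that raises rather than returning nil, turning what used to be a `send_file` from disk into a 500 instead of a 404. If the storage migration guarantees that every imported trace has its `icon`/`image` attached, a comment saying so on the `Trace.visible.imported.find` line is enough; otherwise `return head :not_found unless trace.icon.attached?` (and `trace.image.attached?` in pictures_controller) before the ownership check keeps the old behaviour. Separately, the ownership check only gates the redirect: the blob URL it produces is a signed, time-limited link that anyone holding it can fetch, so for non-public traces the ActiveStorage URL expiry is the effective access control, which deserves a note on the `redirect_to` line.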
diff --git a/app/models/trace.rb b/app/models/trace.rb index 818cc363b..d1f917571 100644 --- a/app/models/trace.rb +++ b/app/models/trace.rb @@ -38,6 +38,7 @@ class Trace < ApplicationRecord scope :visible_to, ->(u) { visible.where(:visibility => %w[public identifiable]).or(visible.where(:user => u)) } scope :visible_to_all, -> { where(:visibility => %w[public identifiable]) } scope :tagged, ->(t) { joins(:tags).where(:gpx_file_tags => { :tag => t }) } + scope :imported, -> { where(:inserted => true) } has_one_attached :file, :service => Settings.trace_file_storage has_one_attached :image, :service => Settings.trace_image_storage diff --git a/app/views/errors/bad_request.html.erb b/app/views/errors/bad_request.html.erb new file mode 100644 index 000000000..036517bdd --- /dev/null +++ b/app/views/errors/bad_request.html.erb @@ -0,0 +1,3 @@ +

<%= t ".title" %>

+

<%= t ".description" %>

+<%= render :partial => "contact" %> diff --git a/app/views/site/welcome.html.erb b/app/views/site/welcome.html.erb index eacccf578..3f16e0845 100644 --- a/app/views/site/welcome.html.erb +++ b/app/views/site/welcome.html.erb @@ -11,14 +11,14 @@

<%= t ".whats_on_the_map.title" %>

-
+

<%= t ".whats_on_the_map.on_the_map_html", :real_and_current => tag.em(t(".whats_on_the_map.real_and_current")) %>

-
-
+
+

<%= t ".whats_on_the_map.off_the_map_html", :doesnt => tag.em(t(".whats_on_the_map.doesnt")) %>

diff --git a/config/brakeman.ignore b/config/brakeman.ignore new file mode 100644 index 000000000..b8fed1d9b --- /dev/null +++ b/config/brakeman.ignore @@ -0,0 +1,29 @@ +{ + "ignored_warnings": [ + { + "warning_type": "HTTP Verb Confusion", + "warning_code": 118, + "fingerprint": "9567bbac855c6ec5552572700ec809d7c1d77f59953e6725aeca54fee5091674", + "check_name": "VerbConfusion", + "message": "Potential HTTP verb confusion. `HEAD` is routed like `GET` but `request.get?` will return `false`", + "file": "app/controllers/application_controller.rb", + "line": 312, + "link": "https://brakemanscanner.org/docs/warning_types/http_verb_confusion/", + "code": "if request.get? then\n respond_to do\n format.html do\n redirect_to(:controller => \"/errors\", :action => \"bad_request\")\n end\n format.any do\n head(:bad_request)\n end\n end\nelse\n head(:bad_request)\nend", + "render_path": null, + "location": { + "type": "method", + "class": "ApplicationController", + "method": "invalid_parameter" + }, + "user_input": "request.get?", + "confidence": "Weak", + "cwe_id": [ + 352 + ], + "note": "" + } + ], + "updated": "2024-04-11 10:07:03 +0100", + "brakeman_version": "6.1.2" +} diff --git a/config/locales/cs.yml b/config/locales/cs.yml index 0bb05f844..f609f4850 100644 --- a/config/locales/cs.yml +++ b/config/locales/cs.yml @@ -91,6 +91,7 @@ cs: messages: invalid_email_address: není platná e-mailová adresa email_address_not_routable: není routovatelná + display_name_is_user_n: nemůže být user_n, pokud n není vaše ID uživatele models: user_mute: is_already_muted: již je ztlumen @@ -1767,7 +1768,7 @@ cs: odkaz. lost_password: subject: '[OpenStreetMap] Žádost o nové heslo' - greeting: Dobrý den, + greeting: Ahoj, hopefully_you: Někdo (patrně vy) požádal o vygenerování nového hesla pro uživatele serveru openstreetmap.org s touto e-mailovou adresou. click_the_link: Pokud jste to byli Vy, kliknutím na níže uvedený odkaz získáte 
@@ -2012,6 +2013,7 @@ cs: new: title: Přihlásit se tab_title: Přihlášení + login_to_authorize_html: Pro přístup k %{client_app_name} se přihlaste do OpenStreetMap. email or username: E-mailová adresa nebo uživatelské jméno password: Heslo remember: Zapamatuj si mě @@ -2019,6 +2021,7 @@ cs: login_button: Přihlásit se register now: Zaregistrujte se with external: nebo se přihlaste prostřednictvím třetí strany + or: nebo auth failure: Je mi líto, ale s uvedenými údaji se nemůžete přihlásit. destroy: title: Odhlásit se @@ -2627,6 +2630,8 @@ cs: identifiable: IDENTIFIKOVATELNÁ private: SOUKROMÁ trackable: STOPOVATELNÁ + details_with_tags_html: '%{time_ago} uživatelem %{user} v %{tags}' + details_without_tags_html: '%{time_ago} uživatelem %{user}' index: public_traces: Veřejné GPS stopy my_gps_traces: Moje GPS stopy @@ -2682,6 +2687,7 @@ cs: muted_users: Ztlumení uživatelé auth_providers: openid_logo_alt: Přihlášení pomocí OpenID + openid_login_button: Pokračovat openid: title: Přihlásit se pomocí OpenID alt: Přihlásit se pomocí OpenID URL @@ -2745,6 +2751,8 @@ cs: write_redactions: Upravte mapová data read_email: Přečíst e-mailovou adresu uživatele skip_authorization: Automaticky schválit aplikaci + for_roles: + moderator: Toto oprávnění je pro akce dostupné pouze moderátorům oauth_clients: new: title: Registrace nové aplikace 
@@ -2840,20 +2848,30 @@ cs: users: new: title: Zaregistrovat se + tab_title: Registrace + signup_to_authorize_html: Zaregistrujte se pomocí OpenStreetMap pro přístup + k %{client_app_name}. no_auto_account_create: Bohužel za vás momentálně nejsme schopni vytvořit účet automaticky. please_contact_support_html: Kontaktujte prosím %{support_link} a domluvte se na vytvoření účtu – pokusíme se žádost vyřídit co nejrychleji. support: podporu about: - header: Svobodná a editovatelná + header: Svobodná a editovatelná. paragraph_1: Na rozdíl od jiných map je OpenStreetMap kompletně vytvořena lidmi jako jste vy a kdokoli ji může zdarma opravit, aktualizovat, stáhnout a používat. - paragraph_2: Zaregistrujte se a začněte přispívat. Zašleme vám e-mail pro - potvrzení vašeho účtu. + paragraph_2: Zaregistrujte se a začněte přispívat. + welcome: Vítejte v OpenStreetMap + duplicate_social_email: Pokud již máte účet OpenStreetMap a chcete používat + poskytovatele identity třetí strany, přihlaste se pomocí svého hesla a upravte + nastavení svého účtu. display name description: Vaše veřejně zobrazované uživatelské jméno. Můžete si ho později změnit ve svém nastavení. + by_signing_up_html: Registrací souhlasíte s našimi %{tou_link}, %{privacy_policy_link} + a %{contributor_terms_link}. + tou: podmínkami užití + contributor_terms: podmínkami pro přispěvatele external auth: 'Autentizace třetí stranou:' continue: Zaregistrovat se terms accepted: Děkujeme za odsouhlasení nových podmínek pro přispěvatele! @@ -2862,7 +2880,10 @@ cs: privacy_policy: pravidlech ochrany osobních údajů privacy_policy_title: Pravidla ochrany osobních údajů OSMF, včetně části o e-mailových adresách - use external auth: Případně se přihlaste prostřednictvím třetí strany + consider_pd_html: Své příspěvky považuji za %{consider_pd_link}. + consider_pd: volné dílo + or: nebo + use external auth: nebo se přihlaste prostřednictvím třetí strany terms: title: Podmínky heading: Podmínky 
diff --git a/config/locales/el.yml b/config/locales/el.yml index 148cfe72b..58aac6fd6 100644 --- a/config/locales/el.yml +++ b/config/locales/el.yml @@ -708,6 +708,8 @@ el: contact_the_community_html: Μη διστάσετε να %{contact_link} με την κοινότητα του OpenStreetMap εάν έχετε βρει έναν κατεστραμμένο σύνδεσμο / σφάλμα. Σημειώστε την ακριβή διεύθυνση URL του αιτήματός σας. + bad_request: + title: Κακό αίτημα forbidden: title: Απαγορευμένο description: Η λειτουργία που ζητήσατε στο διακομιστή OpenStreetMap είναι διαθέσιμη @@ -1233,7 +1235,7 @@ el: peninsula: Χερσόνησος point: Σημείο reef: Ύφαλος - ridge: Σκόπελος + ridge: Κορυφογραμμή rock: Βράχος saddle: Σέλα sand: Άμμος @@ -1998,7 +2000,8 @@ el: lost password link: Ξεχάσατε το συνθηματικό σας; login_button: Σύνδεση register now: Εγγραφείτε τώρα - with external: 'Εναλλακτικά, χρησιμοποιήστε τρίτη υπηρεσία για σύνδεση:' + with external: ή συνδεθείτε μέσω τρίτης υπηρεσίας + or: ή auth failure: Λυπούμαστε, δεν μπορείτε να συνδεθείτε με αυτές τις λεπτομέρειες. destroy: title: Αποσύνδεση @@ -2615,6 +2618,7 @@ el: other: αρχείο GPX με %{count} σημεία από %{user} description_without_count: Αρχείο GPX από τον χρήστη %{user} application: + auth_disabled_link: https://wiki.openstreetmap.org/wiki/2024_authentication_update permission_denied: Δεν έχετε τα απαραίτητα δικαιώματα για πρόσβαση σε αυτήν την ενέργεια require_cookies: @@ -2639,6 +2643,7 @@ el: muted_users: Χρήστες σε Σίγαση auth_providers: openid_logo_alt: Σύνδεση με ένα OpenID + openid_login_button: Συνέχεια openid: title: Σύνδεση με OpenID alt: Σύνδεση με ένα OpenID URL @@ -2800,6 +2805,8 @@ el: users: new: title: Εγγραφή + tab_title: Εγγραφή + signup_to_authorize_html: Εγγραφείτε με το OpenStreetMap για πρόσβαση στο %{client_app_name}. no_auto_account_create: Δυστυχώς δεν μπορούμε να δημιουργήσουμε αυτόματα έναν λογαριασμό για εσάς. please_contact_support_html: Παρακαλώ επικοινωνήστε με %{support_link} για να 
@@ -2807,14 +2814,15 @@ el: το αίτημα το συντομότερο δυνατό. support: υποστήριξη about: - header: Ελεύθερος και επεξεργάσιμος + header: Ελεύθερος και επεξεργάσιμος. paragraph_1: Σε αντίθεση με άλλους χάρτες, το OpenStreetMap δημιουργείται εξ ολοκλήρου από ανθρώπους σαν εσάς και είναι δωρεάν για οποιονδήποτε να το διορθώσει, να ενημερώσει, να το κατεβάσει και να το χρησιμοποιήσει. - paragraph_2: Εγγραφείτε για να ξεκινήσετε να συνεισφέρετε. Θα σας στείλουμε - ένα email για να επιβεβαιώσουμε τον λογαριασμό σας. + paragraph_2: Εγγραφείτε για να ξεκινήσετε να συνεισφέρετε. + welcome: Καλώς ήλθατε στο OpenStreetMap display name description: Το δημόσια εμφανιζόμενο όνομα χρήστη. Μπορείτε να το αλλάξετε αργότερα από τις προτιμήσεις. + tou: όροι χρήσης external auth: 'Έλεγχος ταυτότητας από τρίτο μέρος:' continue: Εγγραφή terms accepted: Ευχαριστούμε για την αποδοχή των νέων όρων συνεισφοράς! @@ -2823,7 +2831,8 @@ el: privacy_policy: πολιτική απορρήτου privacy_policy_title: Πολιτική απορρήτου OSMF, συμπεριλαμβανομένης της ενότητας για τις διευθύνσεις ηλεκτρονικού ταχυδρομείου - use external auth: Εναλλακτικά, χρησιμοποιήστε τρίτη υπηρεσία για σύνδεση + or: ή + use external auth: ή συνδεθείτε μέσω τρίτης υπηρεσίας terms: title: Όροι heading: Όροι diff --git a/config/locales/en.yml b/config/locales/en.yml index 774be22d4..647cf66f2 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -633,6 +633,9 @@ en: contact_url_title: Various contact channels explained contact: contact contact_the_community_html: Feel free to %{contact_link} the OpenStreetMap community if you have found a broken link / bug. Make a note of the exact URL of your request. + bad_request: + title: Bad request + description: The operation you requested on the OpenStreetMap server is not valid (HTTP 400) forbidden: title: Forbidden description: The operation you requested on the OpenStreetMap server is only available to administrators (HTTP 403) 
@@ -2557,6 +2560,9 @@ en: other: "GPX file with %{count} points from %{user}" description_without_count: "GPX file from %{user}" application: + basic_auth_disabled: "HTTP Basic Authentication is disabled: %{link}" + oauth_10a_disabled: "OAuth 1.0 and 1.0a are disabled: %{link}" + auth_disabled_link: "https://wiki.openstreetmap.org/wiki/2024_authentication_update" permission_denied: You do not have permission to access that action require_cookies: cookies_needed: "You appear to have cookies disabled - please enable cookies in your browser before continuing." diff --git a/config/locales/eo.yml b/config/locales/eo.yml index cb500f71f..87a5466e6 100644 --- a/config/locales/eo.yml +++ b/config/locales/eo.yml @@ -675,6 +675,10 @@ eo: contact_the_community_html: '%{contact_link} kun la OpenStreetMap-komunumo, se vi trovis misligilon aŭ alian eraron. Skribu la detalan retadreson de via peto.' + bad_request: + title: Malĝusta peto + description: La ago – pri kiu vi petis la servilon OpenStreetMap – ne estas + valida (HTTP 400) forbidden: title: Malpermesata description: La ago, pri kiu vi petis la OpenStreetMap-servilon estas disponebla @@ -2566,6 +2570,8 @@ eo: other: GPX-dosiero kun %{count} punktoj de %{user} description_without_count: GPX-dosiero de %{user} application: + basic_auth_disabled: 'Baza alira aŭtentigo estas malaktiva: %{link}' + oauth_10a_disabled: 'OAuth 1.0 kaj 1.0a estas malaktivaj: %{link}' permission_denied: Vi ne rajtas fari tiun ĉi agon require_cookies: cookies_needed: Ŝajnas, ke vi malaktivigis 'kuketojn' - bonvolu aktivigi 'kuketojn' 
@@ -3120,6 +3126,10 @@ eo: intro: Ĉu vi rimarkis eraron aŭ io mankas? Sciigu aliajn mapigistojn, por ili povos ripari tion. Movu la markon al la respektivan pozicion kaj enmetu la rimarkon priskribantan la problemon. + anonymous_warning_html: Vi ne estas ensalutinta. %{log_in} aŭ %{sign_up} por + ricevi sciigojn pri via rimarko. + anonymous_warning_log_in: Ensalutu + anonymous_warning_sign_up: registriĝu advice: Via rimarko estas publika kaj povas esti uzita por ĝisdatigi la mapon, do ne enmetu privatajn informojn kaj informojn el kopirajtaj mapoj aŭ aliaj datumbazoj. diff --git a/config/locales/gl.yml b/config/locales/gl.yml index 761edf335..b757d74ff 100644 --- a/config/locales/gl.yml +++ b/config/locales/gl.yml @@ -3194,6 +3194,10 @@ gl: intro: Atopou un erro ou descubriu que falla algún dato? Informe ós outros cartógrafos para que poidamos solucionalo. Mova o marcador á posición correcta e escriba unha nota expoñendo o problema. + anonymous_warning_html: Non iniciaches sesión. Por favor, %{log_in} ou %{sign_up} + se queres recibir actualizacións da túa nota. + anonymous_warning_log_in: accede ao sistema + anonymous_warning_sign_up: rexístrate advice: A túa nota será pública e poderá empregarse para actualizar o mapa; por conseguinte, non insiras información persoal, nin datos de mapas protexidos por dereitos de autoría ou listaxes de directorios. diff --git a/config/locales/it.yml b/config/locales/it.yml index 2c633afd9..5db27d3b8 100644 --- a/config/locales/it.yml +++ b/config/locales/it.yml 
@@ -3214,6 +3214,8 @@ it: intro: Ti sei accorto di un errore o di qualcosa che manca? Fallo sapere agli altri mappatori così possono correggerlo. Sposta il puntatore nella posizione esatta e inserisci una nota per spiegare il problema. + anonymous_warning_log_in: entra + anonymous_warning_sign_up: registrati advice: La tua nota è pubblica e potrebbe essere utilizzata per aggiornare la mappa, pertanto non inserire informazioni personali e neppure dati provenienti da mappe protette da copyright oppure elenchi. diff --git a/config/locales/lb.yml b/config/locales/lb.yml index cce5d43a2..3616a2344 100644 --- a/config/locales/lb.yml +++ b/config/locales/lb.yml @@ -2114,6 +2114,8 @@ lb: description: description_without_count: GPX-Fichier vum %{user} application: + oauth_10a_disabled: 'OAuth 1.0 an 1.0a sinn desaktivéiert: %{link}' + auth_disabled_link: https://wiki.openstreetmap.org/wiki/2024_authentication_update settings_menu: account_settings: Astellunge vum Benotzerkont oauth1_settings: OAuth 1-Astellungen diff --git a/config/locales/mk.yml b/config/locales/mk.yml index 2cc837316..f39d10c1f 100644 --- a/config/locales/mk.yml +++ b/config/locales/mk.yml @@ -658,6 +658,10 @@ mk: contact_the_community_html: Слободно стапете во %{contact_link} со заедницата OpenStreetMap ако имате најдено расипана врска или грешка. Забележете ја точната URL на вашето барање. + bad_request: + title: Неисправно барање + description: Операцијат што ја побаравте од опслужувачот на OpenStreetMap server + не е важечка (HTTP 400) forbidden: title: Забрането description: Постапката која ја побаравте на опслужувачот на OpenStreetMap е 
@@ -2581,6 +2585,9 @@ mk: other: GPX-податотеки со %{count} точки од %{user} description_without_count: GPX-податотека од %{user} application: + basic_auth_disabled: 'Оневозможена е основната заверка со HTTP: %{link}' + oauth_10a_disabled: 'OAuth 1.0 и 1.0a се оневозможени: %{link}' + auth_disabled_link: https://wiki.openstreetmap.org/wiki/2024_authentication_update permission_denied: Немате дозвола за ова дејство require_cookies: cookies_needed: Изгледа сте оневозможиле колачиња - дозволете колачиња во прелистувачот @@ -3141,6 +3148,10 @@ mk: intro: Забележавте некоја грешка или нешто недостасува? Дајте им на знаење на другите картографи за да ја средиме работата. Поместете го бележникот на исправното место и внесете порака, објаснувајќи го проблемот. + anonymous_warning_html: Не сте најавени. %{log_in} или %{sign_up} ако сакате + да ве известуваме за вашата белешка. + anonymous_warning_log_in: Најавете се + anonymous_warning_sign_up: зачленете се advice: Вашата белешка е јавна и може да се употреби за поднова на картата. Затоа, не внесувајте лични податоци, или пак податоци од карти или именици заштитени со авторски права. diff --git a/config/locales/pt.yml b/config/locales/pt.yml index 28447097c..b2e05b488 100644 --- a/config/locales/pt.yml +++ b/config/locales/pt.yml @@ -381,7 +381,7 @@ pt: success: Conta eliminada. browse: deleted_ago_by_html: Excluído há %{time_ago} por %{user} - edited_ago_by_html: Editado há %{time_ago} por %{user} + edited_ago_by_html: Editado %{time_ago} por %{user} version: Versão redacted_version: Versão reduzida in_changeset: Conjunto de alterações diff --git a/config/locales/skr-arab.yml b/config/locales/skr-arab.yml index f4c574c4f..d220aae7f 100644 --- a/config/locales/skr-arab.yml +++ b/config/locales/skr-arab.yml @@ -1348,6 +1348,8 @@ skr-arab: comment: تبصرہ new: title: نواں نوٹ + anonymous_warning_log_in: لاگ ان + anonymous_warning_sign_up: سائن اپ add: نوٹ شامل کرو javascripts: close: بند کرو 
diff --git a/config/locales/tr.yml b/config/locales/tr.yml index f53352382..2b7c2c0fe 100644 --- a/config/locales/tr.yml +++ b/config/locales/tr.yml @@ -3210,6 +3210,10 @@ tr: intro: Bir hata mı buldunuz ya da eksik bir şey mi var? Bu sorunun düzeltilebilmesi için diğer haritacılara bildirin. İmleci doğru konuma taşıyın ve sorunu açıklayan bir not yazın. + anonymous_warning_html: Giriş yapmadınız. Notunuzla ilgili güncellemeleri almak + istiyorsanız lütfen %{log_in} veya %{sign_up}. + anonymous_warning_log_in: oturum aç + anonymous_warning_sign_up: kaydol advice: Notunuz herkese açıktır ve haritayı güncellemek için kullanılabilir, bu nedenle kişisel bilgilerinizi veya telif hakkıyla korunan haritalar veya dizin listelerinden bilgi girmeyin. diff --git a/config/locales/zh-TW.yml b/config/locales/zh-TW.yml index be1fa17cc..eb8fabd0b 100644 --- a/config/locales/zh-TW.yml +++ b/config/locales/zh-TW.yml @@ -666,6 +666,9 @@ zh-TW: contact: 聯絡 contact_the_community_html: 如果您發現有損壞的連結/錯誤,請隨時%{contact_link}OpenStreetMap 社群。並請記下您的請求的確切 URL 位址。 + bad_request: + title: 錯誤請求 + description: 您在 OpenStreetMap 伺服器上請求的操作無效(HTTP 400) forbidden: title: Forbidden description: 您在 OpenStreetMap 伺服器上請求的運作僅限管理員使用(HTTP 403) @@ -2417,6 +2420,9 @@ zh-TW: other: 由 %{user} 上傳的 GPX 檔案,含有 %{count} 點 description_without_count: 由 %{user} 上傳的 GPX 檔案 application: + basic_auth_disabled: HTTP 基本認證已停用:%{link} + oauth_10a_disabled: OAuth 1.0 與 1.0a 已停用:%{link} + auth_disabled_link: https://wiki.openstreetmap.org/wiki/2024_authentication_update permission_denied: 您沒有權限來存取該操作。 require_cookies: cookies_needed: 您似乎已停用 cookies - 請在瀏覽器中開啟 cookies,然後繼續。 @@ -2496,6 +2502,8 @@ zh-TW: write_redactions: 編寫地圖資料 read_email: 讀取使用者電子郵件位址 skip_authorization: 自動核准申請 + for_roles: + moderator: 此權限用於僅可由仲裁員執行的操作 oauth_clients: new: title: 註冊新的應用程式 
@@ -2925,6 +2933,9 @@ zh-TW:
 new:
 title: 新增註記
 intro: 發現錯誤或缺少些什麼東西嗎?請告訴其他地圖製作者以便於我們處理。將標記移動到正確的位置並輸入註記,以解釋問題。
+ anonymous_warning_html: 您尚未登入。若您想收到您的註記更新內容,請%{log_in}或%{sign_up}。
+ anonymous_warning_log_in: 登入
+ anonymous_warning_sign_up: 註冊
 advice: 您的註記已公開並可用於更新地圖,因此請不要輸入個人訊息,或是來自於具版權保護地圖的訊息以及目錄清單。
 add: 送出註記
 javascripts:
diff --git a/config/routes.rb b/config/routes.rb
index 8271e7e4d..c44064ba3 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -347,6 +347,7 @@ OpenStreetMap::Application.routes.draw do
 resources :redactions
 # errors
+ match "/400", :to => "errors#bad_request", :via => :all
 match "/403", :to => "errors#forbidden", :via => :all
 match "/404", :to => "errors#not_found", :via => :all
 match "/500", :to => "errors#internal_server_error", :via => :all
diff --git a/config/settings.yml b/config/settings.yml
index c057be978..ec868b651 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -97,9 +97,12 @@ attachments_dir: ":rails_root/public/attachments"
 #memcache_servers: []
 # Enable HTTP basic authentication support
 basic_auth_support: true
+# Enable OAuth 1.0/1.0a registration
+oauth_10_registration: true
 # Enable legacy OAuth 1.0 support
 oauth_10_support: true
-oauth_10_registration: true
+# Enable OAuth 1.0a support
+oauth_10a_support: true
 # URL of Nominatim instance to use for geocoding
 nominatim_url: "https://nominatim.openstreetmap.org/"
 # Default editor
diff --git a/test/controllers/changesets_controller_test.rb b/test/controllers/changesets_controller_test.rb
index 3d264181c..a486e4b5e 100644
--- a/test/controllers/changesets_controller_test.rb
+++ b/test/controllers/changesets_controller_test.rb
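Review bot: The new `oauth_10a_support` flag in the settings.yml hunk sits next to `oauth_10_support` with comments that differ only by the trailing "a", so an operator reading the file cannot tell which requests each flag gates. From this commit, `oauth_10a_support` is what api_controller checks for token-authenticated API requests and what OauthController's `require_oauth_10a_support` checks on its endpoints; what `oauth_10_support` still controls is not visible here. Replacing the added comment with `# Enable OAuth 1.0a support (token-authenticated API requests and the OAuth 1 endpoints; when off they answer 403 with application.oauth_10a_disabled)` would make the operational effect of flipping it explicit.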
@@ -92,6 +92,15 @@ class ChangesetsControllerTest < ActionDispatch::IntegrationTest
 check_index_result(changesets.last(20))
 end
+ ##
+ # This should report an error
+ def test_index_invalid_xhr
+ %w[-1 0 fred].each do |id|
+ get history_path(:format => "html", :list => "1", :max_id => id)
+ assert_redirected_to :controller => :errors, :action => :bad_request
+ end
+ end
+
 ##
 # This should display the last 20 changesets closed in a specific area
 def test_index_bbox
diff --git a/test/controllers/diary_entries_controller_test.rb b/test/controllers/diary_entries_controller_test.rb
index 2b10402fa..d13a50163 100644
--- a/test/controllers/diary_entries_controller_test.rb
+++ b/test/controllers/diary_entries_controller_test.rb
@@ -590,6 +590,17 @@ class DiaryEntriesControllerTest < ActionDispatch::IntegrationTest
 assert_select "li.page-item.disabled span.page-link", :text => "Newer Entries", :count => 1
 end
+ def test_index_invalid_paged
+ # Try some invalid paged accesses
+ %w[-1 0 fred].each do |id|
+ get diary_entries_path(:before => id)
+ assert_redirected_to :controller => :errors, :action => :bad_request
+
+ get diary_entries_path(:after => id)
+ assert_redirected_to :controller => :errors, :action => :bad_request
+ end
+ end
+
 def test_rss
 create(:language, :code => "de")
 create(:diary_entry, :language_code => "en")
@@ -899,6 +910,18 @@ class DiaryEntriesControllerTest < ActionDispatch::IntegrationTest
 assert_response :not_found
 end
+ def test_comments_invalid_paged
+ user = create(:user)
+
+ %w[-1 0 fred].each do |id|
+ get diary_comments_path(:display_name => user.display_name, :before => id)
+ assert_redirected_to :controller => :errors, :action => :bad_request
+
+ get diary_comments_path(:display_name => user.display_name, :after => id)
+ assert_redirected_to :controller => :errors, :action => :bad_request
+ end
+ end
+
 def test_subscribe_page
 user = create(:user)
 other_user = create(:user)
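Review bot: `test_index_invalid_xhr` in the changesets hunk neither sends an XHR nor tests one: it requests `:format => "html"` and asserts the HTML redirect, so the name misleads, and the `format.any { head :bad_request }` branch of `invalid_parameter` that the changesets `index` also serves for atom (the action checks `request.format == :atom && @params[:max_id]`) has no coverage. Renaming it `test_index_invalid_max_id` and adding `get history_path(:format => "atom", :max_id => id)` followed by `assert_response :bad_request` inside the same loop would pin both branches. The other new tests in this commit (diary entries, notes, traces, user blocks, users) likewise assert only the HTML redirect; one non-HTML case anywhere would cover the `head :bad_request` path.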
diff --git a/test/controllers/errors_controller_test.rb b/test/controllers/errors_controller_test.rb
index 9f8ccee56..253cbbdc0 100644
--- a/test/controllers/errors_controller_test.rb
+++ b/test/controllers/errors_controller_test.rb
@@ -2,6 +2,10 @@ require "test_helper"
 class ErrorsControllerTest < ActionDispatch::IntegrationTest
 def test_routes
+ assert_routing(
+ { :path => "/400", :method => :get },
+ { :controller => "errors", :action => "bad_request" }
+ )
 assert_routing(
 { :path => "/403", :method => :get },
 { :controller => "errors", :action => "forbidden" }
@@ -16,6 +20,11 @@ class ErrorsControllerTest < ActionDispatch::IntegrationTest
 )
 end
+ def test_bad_request
+ get "/400"
+ assert_response :bad_request
+ end
+
 def test_forbidden
 get "/403"
 assert_response :forbidden
diff --git a/test/controllers/notes_controller_test.rb b/test/controllers/notes_controller_test.rb
index a54334269..4092ad732 100644
--- a/test/controllers/notes_controller_test.rb
+++ b/test/controllers/notes_controller_test.rb
@@ -83,6 +83,15 @@ class NotesControllerTest < ActionDispatch::IntegrationTest
 assert_select "table.note_list tbody tr", :count => 10
 end
+ def test_index_invalid_paged
+ user = create(:user)
+
+ %w[-1 0 fred].each do |page|
+ get user_notes_path(user, :page => page)
+ assert_redirected_to :controller => :errors, :action => :bad_request
+ end
+ end
+
 def test_empty_page
 user = create(:user)
 get user_notes_path(user)
diff --git a/test/controllers/traces_controller_test.rb b/test/controllers/traces_controller_test.rb
index 73966641e..972cbb3c3 100644
--- a/test/controllers/traces_controller_test.rb
+++ b/test/controllers/traces_controller_test.rb
@@ -322,6 +322,17 @@ class TracesControllerTest < ActionDispatch::IntegrationTest
     assert_select "li.page-item a.page-link", :text => "Older Traces", :count => 2
   end
 
+  def test_index_invalid_paged
+    # Try some invalid paged accesses
+    %w[-1 0 fred].each do |id|
+      get traces_path(:before => id)
+      assert_redirected_to :controller => :errors, :action => :bad_request
+
+      get traces_path(:after => id)
+      assert_redirected_to :controller => :errors, :action => :bad_request
+    end
+  end
+
   # Check the RSS feed
   def test_rss
     user = create(:user)
diff --git a/test/controllers/user_blocks_controller_test.rb b/test/controllers/user_blocks_controller_test.rb
index a7ab02c75..97f517133 100644
--- a/test/controllers/user_blocks_controller_test.rb
+++ b/test/controllers/user_blocks_controller_test.rb
@@ -115,6 +115,18 @@ class UserBlocksControllerTest < ActionDispatch::IntegrationTest
     check_no_page_link "Older Blocks"
   end
 
+  ##
+  # test the index action with invalid pages
+  def test_index_invalid_paged
+    %w[-1 0 fred].each do |id|
+      get user_blocks_path(:before => id)
+      assert_redirected_to :controller => :errors, :action => :bad_request
+
+      get user_blocks_path(:after => id)
+      assert_redirected_to :controller => :errors, :action => :bad_request
+    end
+  end
+
   ##
   # test the show action
   def test_show
@@ -560,6 +572,20 @@ class UserBlocksControllerTest < ActionDispatch::IntegrationTest
     check_no_page_link "Older Blocks"
   end
 
+  ##
+  # test the blocks_on action with invalid pages
+  def test_blocks_on_invalid_paged
+    user = create(:user)
+
+    %w[-1 0 fred].each do |id|
+      get user_blocks_on_path(user, :before => id)
+      assert_redirected_to :controller => :errors, :action => :bad_request
+
+      get user_blocks_on_path(user, :after => id)
+      assert_redirected_to :controller => :errors, :action => :bad_request
+    end
+  end
+
   ##
   # test the blocks_by action
   def test_blocks_by
@@ -628,6 +654,20 @@ class UserBlocksControllerTest < ActionDispatch::IntegrationTest
     check_no_page_link "Older Blocks"
   end
 
+  ##
+  # test the blocks_by action with invalid pages
+  def test_blocks_by_invalid_paged
+    user = create(:moderator_user)
+
+    %w[-1 0 fred].each do |id|
+      get user_blocks_by_path(user, :before => id)
+      assert_redirected_to :controller => :errors, :action => :bad_request
+
+      get user_blocks_by_path(user, :after => id)
+      assert_redirected_to :controller => :errors, :action => :bad_request
+    end
+  end
+
   private
 
   def check_user_blocks_table(user_blocks)
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
index c5566e65d..cff52cff2 100644
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@@ -558,6 +558,18 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     check_no_page_link "Older Users"
   end
 
+  def test_index_get_invalid_paginated
+    session_for(create(:administrator_user))
+
+    %w[-1 0 fred].each do |id|
+      get users_path(:before => id)
+      assert_redirected_to :controller => :errors, :action => :bad_request
+
+      get users_path(:after => id)
+      assert_redirected_to :controller => :errors, :action => :bad_request
+    end
+  end
+
   private
 
   def check_no_page_link(name)
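Review bot: `test_index_get_invalid_paginated` in the users_controller_test hunk only exercises the invalid-parameter path under `session_for(create(:administrator_user))`, so it cannot tell whether parameter validation on `users#index` runs before or after the authorization check. If the bad-request redirect is reachable without a session, an unauthenticated client would see a different response for malformed and well-formed queries against an admin-only page, which is a small but avoidable signal; a second loop without the session asserting the usual unauthenticated redirect would pin the intended order, e.g. `get users_path(:before => "fred")` followed by `assert_redirected_to login_path(:referer => users_path(:before => "fred"))` if that is the existing convention in this file. Whether the order is currently correct is not visible from the test hunk; the controller is outside this diff.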
