From: Andy Allan Date: Wed, 9 Jan 2019 15:58:38 +0000 (+0100) Subject: Use CanCanCan to control access to oauth controller actions X-Git-Tag: live~2734^2 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/3e49e4a62ad9ccce7a193ab0393a7722896455aa?hp=bda8544d94a10b2ae20db86a2140058d8fe86e30 Use CanCanCan to control access to oauth controller actions
---
diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index dca80ebba..a3700b305 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -15,6 +15,7 @@ class Ability
 can [:search, :search_latlon, :search_ca_postcode, :search_osm_nominatim, :search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
 can [:index, :create, :comment, :feed, :show, :search, :mine], Note
+ can [:token, :request_token, :access_token, :test_request], :oauth
 can [:index, :show], Redaction
 can [:search_all, :search_nodes, :search_ways, :search_relations], :search
 can [:trackpoints], :swf
@@ -28,6 +29,7 @@ class Ability
 can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry
 can [:new, :create, :reply, :show, :inbox, :outbox, :mark, :destroy], Message
 can [:close, :reopen], Note
+ can [:revoke, :authorize], :oauth
 can [:new, :create], Report
 can [:mine, :new, :create, :edit, :update, :delete, :api_create, :api_read, :api_update, :api_delete, :api_data], Trace
 can [:account, :go_public, :make_friend, :remove_friend, :api_details, :api_gpx_files], User
diff --git a/app/controllers/oauth_controller.rb b/app/controllers/oauth_controller.rb
index 38006fd35..0954071a5 100644
--- a/app/controllers/oauth_controller.rb
+++ b/app/controllers/oauth_controller.rb
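Review bot: The first hunk grants `:token`, `:request_token`, `:access_token` and `:test_request` on `:oauth` next to the geocoder and Note rules, which reads as the section that applies to every visitor, so these endpoints become reachable without a session login; if that is intended because the OAuth signature on the request is what authenticates them, a comment stating so would stop the next reader from tightening it by mistake, e.g. `# OAuth token endpoints authenticate via the request signature, not the web session`. The second hunk's `can [:revoke, :authorize], :oauth` is an action-level rule on a bare symbol, so it cannot express who owns the token being revoked or authorized; ownership still has to be enforced in the controller, whose action bodies are outside this diff. That the second rule sits in the logged-in branch is inferred from its neighbours (DiaryEntry, Message), since the surrounding conditionals are not visible here.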
@@ -3,6 +3,10 @@ require "oauth/controllers/provider_controller"
 class OauthController < ApplicationController
 include OAuth::Controllers::ProviderController
+ # The ProviderController will call login_required for any action that needs
+ # a login, but we want to check authorization on every action.
+ authorize_resource :class => false
+
 layout "site"
 def revoke
@@ -19,7 +23,6 @@ class OauthController < ApplicationController
 def login_required
 authorize_web
 set_locale
- require_user
 end
 def user_authorizes_token?
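Review bot: `authorize_resource :class => false` only asks `can?(action_name, :oauth)`, so it decides whether the current user may reach an action at all and says nothing about whether the token being authorized or revoked belongs to that user; the `revoke` and `authorize` bodies are outside the hunk and must keep scoping the token lookup to the current user. It also runs as a before_action, and the `current_user` it consults is presumably set by `authorize_web` inside `login_required`; for `:authorize` and `:revoke` that only holds if the ProviderController's own `login_required` filter is registered before this line, which the include one line above suggests but the hunk cannot show. The new comment would be more useful if it recorded that dependency, e.g. `# Must come after the include: ProviderController's login_required filter runs first and sets current_user.`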
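Review bot: With `require_user` gone, `login_required` no longer requires a login, so its name now describes only the ProviderController hook it satisfies; anonymous users reaching `:authorize` or `:revoke` are now turned away by the ability rule rather than by this method. `require_user` presumably redirected to the login page with the original URL remembered, whereas a denied ability raises `CanCan::AccessDenied`, so the handler in ApplicationController (not in this diff) should be checked to confirm it still sends a logged-out user through login instead of a plain 403, otherwise the OAuth authorize flow degrades for logged-out users. A one-line comment would make the intent clear: `# Login is enforced by authorize_resource via Ability; this only sets up the session user and locale.`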