From: Andy Allan Date: Wed, 10 Oct 2018 09:26:30 +0000 (+0200) Subject: Merge branch 'authz' of https://github.com/rubyforgood/openstreetmap-website into... X-Git-Tag: live~4281^2~15 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/420a7289a0b08eee091f6650c2e83166df3fbe69 Merge branch 'authz' of https://github.com/rubyforgood/openstreetmap-website into rubyforgood-authz --- 420a7289a0b08eee091f6650c2e83166df3fbe69 diff --cc Gemfile index 9ba270313,a385851ff..b559027c2 --- a/Gemfile +++ b/Gemfile @@@ -45,7 -42,8 +45,8 @@@ gem "image_optim_rails # Load rails plugins gem "actionpack-page_caching" + gem "cancancan" -gem "composite_primary_keys", "~> 10.0.0" +gem "composite_primary_keys", "~> 11.0.0" gem "dynamic_form" gem "http_accept_language", "~> 2.0.0" gem "i18n-js", ">= 3.0.0" diff --cc Gemfile.lock index 76a31e169,06ddc0fe2..cd94df5e1 --- a/Gemfile.lock +++ b/Gemfile.lock @@@ -63,10 -58,9 +63,11 @@@ GE bigdecimal (1.1.0) binding_of_caller (0.8.0) debug_inspector (>= 0.0.1) + bootsnap (1.3.2) + msgpack (~> 1.0) builder (3.2.3) + cancancan (2.1.3) - canonical-rails (0.2.3) + canonical-rails (0.2.4) rails (>= 4.1, < 5.3) capybara (2.18.0) addressable @@@ -386,7 -370,7 +387,8 @@@ DEPENDENCIE better_errors bigdecimal (~> 1.1.0) binding_of_caller + bootsnap (>= 1.1.0) + cancancan canonical-rails capybara (~> 2.13) coffee-rails (~> 4.2) diff --cc app/controllers/diary_entry_controller.rb index 723fff17e,6e9268008..d3d7f6a7c --- a/app/controllers/diary_entry_controller.rb +++ b/app/controllers/diary_entry_controller.rb @@@ -3,12 -3,13 +3,13 @@@ class DiaryEntryController < Applicatio before_action :authorize_web before_action :set_locale - before_action :require_user, :only => [:new, :edit, :comment, :hide, :hidecomment, :subscribe, :unsubscribe] + + authorize_resource + - before_action :lookup_user, :only => [:view, :comments] + before_action :lookup_user, :only => [:show, :comments] before_action :check_database_readable before_action 
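Review bot: `gem "cancancan"` is added to the Gemfile with no version constraint, while the neighbouring entries in the same "Load rails plugins" block (`composite_primary_keys`, `http_accept_language`) carry `~>` pins. Gemfile.lock resolves it to 2.1.3 today, but an unconstrained entry lets a routine `bundle update` jump across a major release of the gem that now gates admin-only actions such as hiding diary entries, and behaviour changes in an authorization library are easy to miss. Suggest `gem "cancancan", "~> 2.1"` so upgrades of the authz layer are deliberate.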
:check_database_writable, :only => [:new, :edit, :comment, :hide, :hidecomment, :subscribe, :unsubscribe] - before_action :require_administrator, :only => [:hide, :hidecomment] - before_action :allow_thirdparty_images, :only => [:new, :edit, :list, :view, :comments] + before_action :allow_thirdparty_images, :only => [:new, :edit, :index, :show, :comments] def new @title = t "diary_entry.new.title" diff --cc app/controllers/users_controller.rb index d18cf188c,d853d4822..09bdd6d3e --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@@ -1,16 -1,18 +1,18 @@@ -class UserController < ApplicationController +class UsersController < ApplicationController layout "site", :except => [:api_details] + skip_authorization_check :only => [:login, :logout] + - skip_before_action :verify_authenticity_token, :only => [:api_read, :api_details, :api_gpx_files, :auth_success] + skip_before_action :verify_authenticity_token, :only => [:api_read, :api_users, :api_details, :api_gpx_files, :auth_success] before_action :disable_terms_redirect, :only => [:terms, :save, :logout, :api_details] before_action :authorize, :only => [:api_details, :api_gpx_files] - before_action :authorize_web, :except => [:api_read, :api_details, :api_gpx_files] - before_action :set_locale, :except => [:api_read, :api_details, :api_gpx_files] + before_action :authorize_web, :except => [:api_read, :api_users, :api_details, :api_gpx_files] + before_action :set_locale, :except => [:api_read, :api_users, :api_details, :api_gpx_files] before_action :require_user, :only => [:account, :go_public, :make_friend, :remove_friend] before_action :require_self, :only => [:account] - before_action :check_database_readable, :except => [:login, :api_read, :api_details, :api_gpx_files] + before_action :check_database_readable, :except => [:login, :api_read, :api_users, :api_details, :api_gpx_files] before_action :check_database_writable, :only => [:new, :account, :confirm, :confirm_email, 
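Review bot: Replacing `require_user` and `require_administrator` with the single `authorize_resource` line moves the login requirement for `new`/`edit`/`comment`/`subscribe`/`unsubscribe` and the admin-only gate on `hide`/`hidecomment` entirely into the Ability class, which this merge does not show; unless Ability restricts `hide`/`hidecomment` to administrators, any signed-in user the ability covers can now reach them. Note also that `authorize_resource` without `load_resource` authorizes the action against the `DiaryEntry` class rather than a loaded record, so per-entry ownership checks (editing only your own entry) still depend on the action bodies below the hunk. Unauthenticated requests now presumably raise `CanCan::AccessDenied` instead of being redirected to login by `require_user`; confirm ApplicationController rescues it with an equivalent redirect. A comment above the line would help the next reader: `# Class-level check only: admin gating for hide/hidecomment lives in Ability, ownership is enforced inside each action`. The controller body continues past the end of the hunk.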
:lost_password, :reset_password, :go_public, :make_friend, :remove_friend] - before_action :check_api_readable, :only => [:api_read, :api_details, :api_gpx_files] + before_action :check_api_readable, :only => [:api_read, :api_users, :api_details, :api_gpx_files] before_action :require_allow_read_prefs, :only => [:api_details] before_action :require_allow_read_gpx, :only => [:api_gpx_files] before_action :require_cookies, :only => [:new, :login, :confirm]
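Review bot: The new `api_users` action is added to the `verify_authenticity_token` exemption and to the `authorize_web`/`set_locale`/`check_database_readable` skip lists alongside `api_read`, but nothing in this hunk authorizes it: it is not in `skip_authorization_check` with `login`/`logout`, and unlike `api_details`/`api_gpx_files` it is not in the `authorize` list. The presence of `skip_authorization_check` suggests ApplicationController enforces `check_authorization`, in which case `api_users` and every other non-skipped action here must call `authorize!` in bodies that lie outside this hunk; please confirm, or add an `authorize_resource` line so the check is visible at the top of the controller. As a bulk read endpoint it should also cap the number of user ids it accepts per request so one unauthenticated call cannot trigger an unbounded lookup. The class body continues past the end of the hunk.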