From: Tom Hughes <tom@compton.nu>
Date: Sun, 5 Jan 2025 16:23:49 +0000 (+0000)
Subject: Merge remote-tracking branch 'upstream/pull/5471'
X-Git-Tag: live~655
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/6e444155d650e8f164585fe052853d7fadcc743a?hp=c887f1d7b29ff6a125ebe70ff15609a005f99fba

Merge remote-tracking branch 'upstream/pull/5471'
---

diff --git a/app/assets/javascripts/index/history.js b/app/assets/javascripts/index/history.js
index c6ba0c2ed..ae8f027ed 100644
--- a/app/assets/javascripts/index/history.js
+++ b/app/assets/javascripts/index/history.js
@@ -164,6 +164,7 @@ OSM.History = function (map) {
   page.unload = function () {
     map.removeLayer(group);
     map.off("moveend", update);
+    map.off("zoomend", updateBounds);
   };
 
   return page;
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 32b53bad7..1ef49bf46 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -20,7 +20,7 @@ class ApplicationController < ActionController::Base
   helper_method :oauth_token
 
   def self.allow_thirdparty_images(**options)
-    content_security_policy(options) do |policy|
+    content_security_policy(**options) do |policy|
       policy.img_src("*", :data)
     end
   end
diff --git a/app/controllers/diary_comments_controller.rb b/app/controllers/diary_comments_controller.rb
index f6597cf4c..676bc22a6 100644
--- a/app/controllers/diary_comments_controller.rb
+++ b/app/controllers/diary_comments_controller.rb
@@ -13,7 +13,7 @@ class DiaryCommentsController < ApplicationController
   before_action :lookup_user, :only => :index
   before_action :check_database_writable, :only => [:create, :hide, :unhide]
 
-  allow_thirdparty_images :only => :index
+  allow_thirdparty_images :only => [:index, :create]
 
   def index
     @title = t ".title", :user => @user.display_name
diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index 26e8a5e09..cc5f6c56d 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -49,7 +49,7 @@ class MessagesController < ApplicationController
     elsif @message.save
       flash[:notice] = t ".message_sent"
       UserMailer.message_notification(@message).deliver_later if @message.notify_recipient?
-      redirect_to messages_inbox_path
+      redirect_to messages_outbox_path
     else
       @title = t "messages.new.title"
       render :action => "new"
diff --git a/test/controllers/diary_comments_controller_test.rb b/test/controllers/diary_comments_controller_test.rb
index 65a71a9b5..3ea9bc094 100644
--- a/test/controllers/diary_comments_controller_test.rb
+++ b/test/controllers/diary_comments_controller_test.rb
@@ -104,6 +104,7 @@ class DiaryCommentsControllerTest < ActionDispatch::IntegrationTest
     end
     assert_response :success
     assert_template :new
+    assert_match(/img-src \* data:;/, @response.headers["Content-Security-Policy-Report-Only"])
 
     # Now try again with the right id
     assert_difference "ActionMailer::Base.deliveries.size", entry.subscribers.count do
diff --git a/test/controllers/messages_controller_test.rb b/test/controllers/messages_controller_test.rb
index 924990892..b2bb71b1c 100644
--- a/test/controllers/messages_controller_test.rb
+++ b/test/controllers/messages_controller_test.rb
@@ -163,7 +163,7 @@ class MessagesControllerTest < ActionDispatch::IntegrationTest
         end
       end
     end
-    assert_redirected_to messages_inbox_path
+    assert_redirected_to messages_outbox_path
     assert_equal "Message sent", flash[:notice]
     e = ActionMailer::Base.deliveries.first
     assert_equal [recipient_user.email], e.to
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
index ba1af9509..7b554711f 100644
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@@ -57,6 +57,8 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     get user_new_path, :params => { :cookie_test => "true" }
     assert_response :success
 
+    assert_no_match(/img-src \* data:;/, @response.headers["Content-Security-Policy-Report-Only"])
+
     assert_select "html", :count => 1 do
       assert_select "head", :count => 1 do
         assert_select "title", :text => /Sign Up/, :count => 1
@@ -297,6 +299,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 
     get user_path(user)
     assert_response :success
+    assert_match(/img-src \* data:;/, @response.headers["Content-Security-Policy-Report-Only"])
     assert_select "div.content-heading" do
       assert_select "a[href^='/user/#{ERB::Util.u(user.display_name)}/history']", 1
       assert_select "a[href='/user/#{ERB::Util.u(user.display_name)}/traces']", 1