From: Tom Hughes
Date: Wed, 9 Jan 2019 17:20:08 +0000 (+0000)
Subject: Merge remote-tracking branch 'upstream/pull/2107'
X-Git-Tag: live~2770
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/74e1d7336ef926d4c3ef986abd8b899a7c4b6704?hp=09b6560e81f56712c6241c7f525df45daf7580c5

Merge remote-tracking branch 'upstream/pull/2107'
---
diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index 9981f62eb..dcaa7e347 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -4,14 +4,19 @@ class Ability
 include CanCan::Ability
 def initialize(user)
+ can [:relation, :relation_history, :way, :way_history, :node, :node_history, :changeset, :note], :browse
 can [:index, :feed, :read, :download, :query], Changeset
 can :index, ChangesetComment
+ can :search, :direction
 can [:index, :permalink, :edit, :help, :fixthemap, :offline, :export, :about, :preview, :copyright, :key, :id], :site
 can [:index, :rss, :show, :comments], DiaryEntry
+ can [:finish, :embed], :export
 can [:search, :search_latlon, :search_ca_postcode, :search_osm_nominatim, :search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
 can [:index, :create, :comment, :feed, :show, :search, :mine], Note
 can [:index, :show], Redaction
+ can [:search_all, :search_nodes, :search_ways, :search_relations], :search
+ can [:trackpoints], :swf
 can [:index, :show, :data, :georss, :picture, :icon], Trace
 can [:terms, :api_users, :login, :logout, :new, :create, :save, :confirm, :confirm_resend, :confirm_email, :lost_password, :reset_password, :show, :api_read, :auth_success, :auth_failure], User
 can [:index, :show, :blocks_on, :blocks_by], UserBlock
diff --git a/app/controllers/amf_controller.rb b/app/controllers/amf_controller.rb
index 4f6adae5d..fdad432a8 100644
--- a/app/controllers/amf_controller.rb
+++ b/app/controllers/amf_controller.rb
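Review bot: Every grant in this hunk is unconditional — `initialize(user)` never consults `user`, so the new `:browse`, `:direction`, `:export`, `:search` and `:swf` abilities, like the existing ones around them, apply to anonymous visitors (presumably `user` is nil then) exactly as to logged-in users. That is the right default for read-only pages, but nothing in the file says so, and this list is clearly going to keep growing as more controllers get `authorize_resource`. I would state the rule once, above the first `can`: `# Everything below is granted to every visitor, including anonymous (user may be nil); only public, read-only actions belong here — gate anything else on user.` The rest of `initialize` continues outside the hunk.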
@@ -41,6 +41,11 @@ class AmfController < ApplicationController
 skip_before_action :verify_authenticity_token
 before_action :check_api_writable
+ # AMF Controller implements its own authentication and authorization checks
+ # completely independently of the rest of the codebase, so best just to let
+ # it keep doing its own thing.
+ skip_authorization_check
+
 # Main AMF handlers: process the raw AMF string (using AMF library) and
 # calls each action (private method) accordingly.
diff --git a/app/controllers/browse_controller.rb b/app/controllers/browse_controller.rb
index 6eb967568..0fccbb506 100644
--- a/app/controllers/browse_controller.rb
+++ b/app/controllers/browse_controller.rb
@@ -6,6 +6,7 @@ class BrowseController < ApplicationController
 before_action(:except => [:query]) { |c| c.check_database_readable(true) }
 before_action :require_oauth
 around_action :web_timeout
+ authorize_resource :class => false
 def relation
 @type = "relation"
diff --git a/app/controllers/directions_controller.rb b/app/controllers/directions_controller.rb
index b04db6b6f..ec2327400 100644
--- a/app/controllers/directions_controller.rb
+++ b/app/controllers/directions_controller.rb
@@ -2,6 +2,7 @@ class DirectionsController < ApplicationController
 before_action :authorize_web
 before_action :set_locale
 before_action :require_oauth, :only => [:search]
+ authorize_resource :class => false
 def search
 render :layout => map_layout
diff --git a/app/controllers/export_controller.rb b/app/controllers/export_controller.rb
index afdf4d8d7..18ac15c10 100644
--- a/app/controllers/export_controller.rb
+++ b/app/controllers/export_controller.rb
@@ -2,6 +2,7 @@ class ExportController < ApplicationController
 before_action :authorize_web
 before_action :set_locale
 before_action :update_totp, :only => [:finish]
+ authorize_resource :class => false
 caches_page :embed
diff --git a/app/controllers/geocoder_controller.rb b/app/controllers/geocoder_controller.rb
index da5245687..b9cf8d096 100644
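Review bot: `skip_authorization_check` switches off CanCan's enforcement for every action in AmfController, including any handler added later, so the new comment should state the invariant a future author has to preserve rather than only the rationale. I would extend it with `# Every AMF handler must therefore perform its own permission check; never add a handler that relies on Ability.` The class continues outside the hunk, so I cannot confirm from here which handlers currently do those checks.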
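Review bot: `query` is not covered by the new check: the first context line, `before_action(:except => [:query])`, shows BrowseController has a `query` action, yet the `:browse` ability this same commit adds to app/abilities/ability.rb lists only relation/way/node (plus their history), changeset and note. Unless `query` is routed to another controller or rescued somewhere I cannot see, `authorize_resource :class => false` will raise CanCan::AccessDenied for it on every request. The fix belongs in ability.rb: `can [..., :changeset, :note, :query], :browse`. The class body continues outside the hunk.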
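Review bot: The subject that `authorize_resource :class => false` checks is derived from the controller name, which CanCan singularizes as far as I can tell from its ControllerResource, so DirectionsController maps to `:direction` — which is why ability.rb grants `can :search, :direction` and not `:directions`. That mismatch between the class name and the symbol is easy to "correct" by mistake, and doing so would silently deny the action for everyone. I would pin it on the new line: `authorize_resource :class => false # subject is :direction (controller name, singularized) — see Ability`. The class continues outside the hunk.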
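Review bot: `caches_page :embed`, the context line right after the new `authorize_resource`, means cached copies of `embed` are served by the web server without running any before_action at all, so the authorization check only runs on the first, uncached request. That is harmless today because ability.rb grants `:embed` to every visitor, but it would silently bypass any condition later attached to that grant. I would record the dependency next to the cache directive: `# caches_page skips authorize_resource on cache hits; :embed must stay unconditionally allowed in Ability`. The class continues outside the hunk.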
--- a/app/controllers/geocoder_controller.rb
+++ b/app/controllers/geocoder_controller.rb
@@ -6,6 +6,7 @@ class GeocoderController < ApplicationController
 before_action :authorize_web
 before_action :set_locale
 before_action :require_oauth, :only => [:search]
+ authorize_resource :class => false
 def search
 @params = normalize_params
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 0d40b6691..3a2e4040f 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -3,6 +3,7 @@ class SearchController < ApplicationController
 # Can search by tag k, v, or both (type->k,value->v)
 # Can search by name (k=name,v=....)
 skip_before_action :verify_authenticity_token
+ authorize_resource :class => false
 def search_all
 do_search(true, true, true)
diff --git a/app/controllers/swf_controller.rb b/app/controllers/swf_controller.rb
index 96237f029..1a424c387 100644
--- a/app/controllers/swf_controller.rb
+++ b/app/controllers/swf_controller.rb
@@ -1,6 +1,7 @@
 class SwfController < ApplicationController
 skip_before_action :verify_authenticity_token
 before_action :check_api_readable
+ authorize_resource :class => false
 # to log:
 # RAILS_DEFAULT_LOGGER.error("Args: #{args[0]}, #{args[1]}, #{args[2]}, #{args[3]}")