From: Andy Allan Date: Wed, 19 Jun 2024 09:32:49 +0000 (+0100) Subject: Merge pull request #4906 from matkoniecz/sotmeu-banner X-Git-Tag: live~939 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/a89e86285f8aa6defe48de5235ae1224d1d40079?hp=d7dfb2aff358a2ae49e91a8ad0adfa0da01402c6 Merge pull request #4906 from matkoniecz/sotmeu-banner SOTMEU 2024 banner --- diff --git a/Gemfile b/Gemfile index 77a9f1c97..5a21c7f7a 100644 --- a/Gemfile +++ b/Gemfile @@ -72,6 +72,7 @@ gem "validates_email_format_of", ">= 1.5.1" gem "quad_tile", "~> 1.0.1" # Sanitise URIs +gem "addressable", "~> 2.8" gem "rack-uri_sanitizer" # Omniauth for authentication diff --git a/Gemfile.lock b/Gemfile.lock index 246a37407..28acf9135 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -95,16 +95,16 @@ GEM autoprefixer-rails (10.4.16.0) execjs (~> 2) aws-eventstream (1.3.0) - aws-partitions (1.942.0) + aws-partitions (1.944.0) aws-sdk-core (3.197.0) aws-eventstream (~> 1, >= 1.3.0) aws-partitions (~> 1, >= 1.651.0) aws-sigv4 (~> 1.8) jmespath (~> 1, >= 1.6.1) - aws-sdk-kms (1.83.0) + aws-sdk-kms (1.85.0) aws-sdk-core (~> 3, >= 3.197.0) aws-sigv4 (~> 1.1) - aws-sdk-s3 (1.152.1) + aws-sdk-s3 (1.152.3) aws-sdk-core (~> 3, >= 3.197.0) aws-sdk-kms (~> 1) aws-sigv4 (~> 1.8) @@ -226,7 +226,7 @@ GEM rainbow rubocop smart_properties - erubi (1.12.0) + erubi (1.13.0) execjs (2.9.1) exifr (1.4.0) factory_bot (6.4.6) @@ -234,7 +234,7 @@ GEM factory_bot_rails (6.4.3) factory_bot (~> 6.4) railties (>= 5.0.0) - faraday (2.9.1) + faraday (2.9.2) faraday-net_http (>= 2.0, < 3.2) faraday-net_http (3.1.0) net-http @@ -288,7 +288,7 @@ GEM image_size (3.4.0) in_threads (1.6.0) io-console (0.7.2) - irb (1.13.1) + irb (1.13.2) rdoc (>= 4.0.0) reline (>= 0.4.2) jbuilder (2.12.0) @@ -300,7 +300,7 @@ GEM railties (>= 4.2.0) thor (>= 0.14, < 2.0) json (2.7.2) - jwt (2.8.1) + jwt (2.8.2) base64 kgio (2.11.4) kramdown (2.4.0) 
@@ -325,7 +325,7 @@ GEM marcel (1.0.4) matrix (0.4.2) maxminddb (0.1.22) - mini_magick (4.12.0) + mini_magick (4.13.1) mini_mime (1.1.5) mini_portile2 (2.8.7) mini_racer (0.9.0) @@ -339,7 +339,7 @@ GEM mutex_m (0.2.0) net-http (0.4.1) uri - net-imap (0.4.12) + net-imap (0.4.13) date net-protocol net-pop (0.1.2) @@ -349,7 +349,7 @@ GEM net-smtp (0.5.0) net-protocol nio4r (2.7.3) - nokogiri (1.16.5) + nokogiri (1.16.6) mini_portile2 (~> 2.8.2) racc (~> 1.4) oauth (0.4.7) @@ -401,7 +401,7 @@ GEM omniauth (~> 2.0) openstreetmap-deadlock_retry (1.3.1) parallel (1.25.1) - parser (3.3.2.0) + parser (3.3.3.0) ast (~> 2.4.1) racc pg (1.5.6) @@ -409,7 +409,7 @@ GEM progress (3.6.0) psych (5.1.2) stringio - public_suffix (5.0.5) + public_suffix (5.1.1) puma (5.6.8) nio4r (~> 2.0) quad_tile (1.0.1) @@ -478,7 +478,7 @@ GEM rdoc (6.7.0) psych (>= 4.0.0) regexp_parser (2.9.2) - reline (0.5.8) + reline (0.5.9) io-console (~> 0.5) request_store (1.7.0) rack (>= 1.4) @@ -486,7 +486,7 @@ GEM strscan rinku (2.0.6) rotp (6.3.0) - rouge (4.2.1) + rouge (4.3.0) rtlcss (0.2.1) mini_racer (>= 0.6.3) rubocop (1.64.1) @@ -509,7 +509,7 @@ GEM rubocop-minitest (0.35.0) rubocop (>= 1.61, < 2.0) rubocop-ast (>= 1.31.1, < 2.0) - rubocop-performance (1.21.0) + rubocop-performance (1.21.1) rubocop (>= 1.48.1, < 2.0) rubocop-ast (>= 1.31.1, < 2.0) rubocop-rails (2.25.0) @@ -524,7 +524,7 @@ GEM ruby-vips (2.2.1) ffi (~> 1.12) rubyzip (2.3.2) - sanitize (6.1.0) + sanitize (6.1.1) crass (~> 1.0.2) nokogiri (>= 1.12.0) sass-embedded (1.64.2) @@ -557,13 +557,13 @@ GEM actionpack (>= 6.1) activesupport (>= 6.1) sprockets (>= 3.0.0) - stringio (3.1.0) + stringio (3.1.1) strong_migrations (1.8.0) activerecord (>= 5.2) strscan (3.1.0) terminal-table (3.0.2) unicode-display_width (>= 1.1.1, < 3) - terser (1.2.2) + terser (1.2.3) execjs (>= 0.3.0, < 3) thor (1.3.1) tilt (2.3.0) 
@@ -592,7 +592,7 @@ GEM websocket-extensions (0.1.5) xpath (3.2.0) nokogiri (~> 1.8) - zeitwerk (2.6.15) + zeitwerk (2.6.16) PLATFORMS ruby @@ -602,6 +602,7 @@ DEPENDENCIES actionpack-page_caching (>= 1.2.0) active_record_union activerecord-import + addressable (~> 2.8) annotate argon2 autoprefixer-rails diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb index 8de756ccd..c0b2f3982 100644 --- a/app/abilities/ability.rb +++ b/app/abilities/ability.rb @@ -54,7 +54,7 @@ class Ability can [:index, :create, :destroy], UserMute if user.moderator? - can [:hide, :unhide, :hidecomment, :unhidecomment], DiaryEntry + can [:hide, :unhide], [DiaryEntry, DiaryComment] can [:index, :show, :resolve, :ignore, :reopen], Issue can :create, IssueComment can [:new, :create, :edit, :update, :destroy], Redaction @@ -62,7 +62,7 @@ class Ability end if user.administrator? - can [:hide, :unhide, :hidecomment, :unhidecomment], DiaryEntry + can [:hide, :unhide], [DiaryEntry, DiaryComment] can [:index, :show, :resolve, :ignore, :reopen], Issue can :create, IssueComment can [:set_status, :destroy, :index], User diff --git a/app/controllers/diary_comments_controller.rb b/app/controllers/diary_comments_controller.rb index f1add85f0..8abf2071b 100644 --- a/app/controllers/diary_comments_controller.rb +++ b/app/controllers/diary_comments_controller.rb @@ -11,6 +11,7 @@ class DiaryCommentsController < ApplicationController authorize_resource before_action :lookup_user, :only => :index + before_action :check_database_writable, :only => [:hide, :unhide] allow_thirdparty_images :only => :index 
@@ -18,10 +19,22 @@ class DiaryCommentsController < ApplicationController
 @title = t ".title", :user => @user.display_name
 comments = DiaryComment.where(:user => @user)
- comments = comments.visible unless can? :unhidecomment, DiaryEntry
+ comments = comments.visible unless can? :unhide, DiaryComment
 @params = params.permit(:display_name, :before, :after)
 @comments, @newer_comments_id, @older_comments_id = get_page_items(comments, :includes => [:user])
 end
+
+ def hide
+ comment = DiaryComment.find(params[:comment])
+ comment.update(:visible => false)
+ redirect_to diary_entry_path(comment.diary_entry.user, comment.diary_entry)
+ end
+
+ def unhide
+ comment = DiaryComment.find(params[:comment])
+ comment.update(:visible => true)
+ redirect_to diary_entry_path(comment.diary_entry.user, comment.diary_entry)
+ end
 end
diff --git a/app/controllers/diary_entries_controller.rb b/app/controllers/diary_entries_controller.rb
index d1b44acd0..bf6e8d0b1 100644
--- a/app/controllers/diary_entries_controller.rb
+++ b/app/controllers/diary_entries_controller.rb
@@ -11,7 +11,7 @@ class DiaryEntriesController < ApplicationController
 authorize_resource
 before_action :lookup_user, :only => :show
- before_action :check_database_writable, :only => [:new, :create, :edit, :update, :comment, :hide, :hidecomment, :subscribe, :unsubscribe]
+ before_action :check_database_writable, :only => [:new, :create, :edit, :update, :comment, :hide, :unhide, :subscribe, :unsubscribe]
 allow_thirdparty_images :only => [:new, :create, :edit, :update, :index, :show]
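Review bot: In the new `hide` and `unhide` actions the return value of `comment.update(...)` is discarded, so a failed save still redirects as though the comment had been hidden or restored; `comment.update!(:visible => false)` and `comment.update!(:visible => true)` would route a failure through the normal error handling instead of reporting success. The two actions differ only in the boolean, so a private helper taking the target visibility would keep them from drifting apart. The comment is also looked up by `params[:comment]` alone while the `:id` and `:display_name` route segments are never compared with `comment.diary_entry`; that is carried over from the old diary_entries actions and harmless for the redirect, but a one-line comment saying the entry segments are informational would save the next reader the question.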
@@ -69,7 +69,7 @@ class DiaryEntriesController < ApplicationController if @entry @title = t ".title", :user => params[:display_name], :title => @entry.title @og_image = @entry.body.image - @comments = can?(:unhidecomment, DiaryEntry) ? @entry.comments : @entry.visible_comments + @comments = can?(:unhide, DiaryComment) ? @entry.comments : @entry.visible_comments else @title = t "diary_entries.no_such_entry.title", :id => params[:id] render :action => "no_such_entry", :status => :not_found @@ -229,18 +229,6 @@ class DiaryEntriesController < ApplicationController redirect_to :action => "index", :display_name => entry.user.display_name end - def hidecomment - comment = DiaryComment.find(params[:comment]) - comment.update(:visible => false) - redirect_to diary_entry_path(comment.diary_entry.user, comment.diary_entry) - end - - def unhidecomment - comment = DiaryComment.find(params[:comment]) - comment.update(:visible => true) - redirect_to diary_entry_path(comment.diary_entry.user, comment.diary_entry) - end - private ## diff --git a/app/helpers/open_graph_helper.rb b/app/helpers/open_graph_helper.rb index aebb5d856..a41831ca6 100644 --- a/app/helpers/open_graph_helper.rb +++ b/app/helpers/open_graph_helper.rb @@ -1,10 +1,12 @@ module OpenGraphHelper + require "addressable/uri" + def opengraph_tags(title = nil, og_image = nil) tags = { "og:site_name" => t("layouts.project_name.title"), "og:title" => title || t("layouts.project_name.title"), "og:type" => "website", - "og:image" => og_image ? URI.join(root_url, og_image) : image_url("osm_logo_256.png"), + "og:image" => og_image_url(og_image), "og:url" => url_for(:only_path => false), "og:description" => t("layouts.intro_text") } 
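Review bot: `require "addressable/uri"` is placed inside the `module OpenGraphHelper` body; `require` is file-global wherever it appears, so this reads as if it were scoped to the module, and the convention is to put it above the `module` line (if the gem is already loaded by Bundler at boot the line may be redundant altogether, worth checking). The `og_image` argument presumably arrives from `@og_image = @entry.body.image` in the `show` hunk above, i.e. from user-authored diary content, which is why `og_image_url` has to tolerate unparsable input; a short note on `opengraph_tags` such as `# og_image may be any string taken from user content; see og_image_url` would make that contract visible at the call site. The `og_image_url` method itself is in the next hunk.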
@@ -13,4 +15,15 @@ module OpenGraphHelper
 tag.meta(:property => property, :content => content)
 end, "\n")
 end
+
+ private
+
+ def og_image_url(og_image)
+ begin
+ return Addressable::URI.join(root_url, og_image).normalize if og_image
+ rescue Addressable::URI::InvalidURIError
+ # return default image
+ end
+ image_url("osm_logo_256.png")
+ end
 end
diff --git a/app/models/changeset.rb b/app/models/changeset.rb
index abb494de6..e6bde19a5 100644
--- a/app/models/changeset.rb
+++ b/app/models/changeset.rb
@@ -130,6 +130,8 @@ class Changeset < ApplicationRecord
 def update_bbox!(bbox_update)
 bbox.expand!(bbox_update)
+ raise OSM::APISizeLimitExceeded if bbox.linear_size > size_limit
+
 # update active record. rails 2.1's dirty handling should take care of
 # whether this object needs saving or not.
 self.min_lon, self.min_lat, self.max_lon, self.max_lat = @bbox.to_a.collect(&:round) if bbox.complete?
@@ -225,4 +227,10 @@ class Changeset < ApplicationRecord
 def subscribed?(user)
 subscribers.exists?(user.id)
 end
+
+ def size_limit
+ @size_limit ||= ActiveRecord::Base.connection.select_value(
+ "SELECT api_size_limit($1)", "api_size_limit", [user_id]
+ )
+ end
 end
diff --git a/app/views/diary_entries/_diary_comment.html.erb b/app/views/diary_entries/_diary_comment.html.erb
index c3c68fbc9..dbf8a439e 100644
--- a/app/views/diary_entries/_diary_comment.html.erb
+++ b/app/views/diary_entries/_diary_comment.html.erb
@@ -10,7 +10,7 @@
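Review bot: `og_image_url` wraps its whole body in `begin`/`rescue` with an early `return` inside the block and the fallback after it, which is the shape Ruby's method-level `rescue` exists to replace; a guard clause for the nil case plus a method-level `rescue` says the same thing in a straight line and lets the fallback comment sit where the fallback happens. Note that `Addressable::URI.join` returns an absolute `og_image` unchanged, so the tag can legitimately point at another host when a diary entry's image is hosted elsewhere; if only web URLs are wanted, a scheme check on the joined URI is the natural place for it, but that is a behaviour change beyond this commit. The rewrite below is behaviour-preserving.
```ruby
def og_image_url(og_image)
  return image_url("osm_logo_256.png") unless og_image

  Addressable::URI.join(root_url, og_image).normalize
rescue Addressable::URI::InvalidURIError
  # the entry's image URL could not be parsed: fall back to the default image
  image_url("osm_logo_256.png")
end
```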
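Review bot: `update_bbox!` can now raise, but neither the method nor the new `size_limit` helper says so or explains what is being compared; suggest above the raise `# Raises OSM::APISizeLimitExceeded once the expanded box's linear size exceeds the user's api_size_limit(); the in-memory bbox has already been expanded at this point, the columns below are left untouched.` and on `size_limit` `# Per-user changeset size cap from the api_size_limit() database function, memoised for the life of this instance.` The memoisation means a changeset object that outlives a change to the user's limit keeps the old value, which is fine per request but worth stating. `size_limit` is added after `subscribed?`, which looks like the public section; if nothing outside the model calls it, it belongs under `private` (the rest of the class is outside these hunks, so this is inferred).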

<%= diary_comment.body.to_html %>
- <% if can? :hidecomment, DiaryEntry %> + <% if can? :hide, DiaryComment %> <% if diary_comment.visible? %> <%= link_to t(".hide_link"), hide_diary_comment_path(diary_comment.diary_entry.user, diary_comment.diary_entry, diary_comment), :method => :post, :data => { :confirm => t(".confirm") } %> diff --git a/config/routes.rb b/config/routes.rb index a8d2b1d7e..acf2256a3 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -246,8 +246,8 @@ OpenStreetMap::Application.routes.draw do post "/user/:display_name/diary/:id/newcomment" => "diary_entries#comment", :id => /\d+/, :as => :comment_diary_entry post "/user/:display_name/diary/:id/hide" => "diary_entries#hide", :id => /\d+/, :as => :hide_diary_entry post "/user/:display_name/diary/:id/unhide" => "diary_entries#unhide", :id => /\d+/, :as => :unhide_diary_entry - post "/user/:display_name/diary/:id/hidecomment/:comment" => "diary_entries#hidecomment", :id => /\d+/, :comment => /\d+/, :as => :hide_diary_comment - post "/user/:display_name/diary/:id/unhidecomment/:comment" => "diary_entries#unhidecomment", :id => /\d+/, :comment => /\d+/, :as => :unhide_diary_comment + post "/user/:display_name/diary/:id/hidecomment/:comment" => "diary_comments#hide", :id => /\d+/, :comment => /\d+/, :as => :hide_diary_comment + post "/user/:display_name/diary/:id/unhidecomment/:comment" => "diary_comments#unhide", :id => /\d+/, :comment => /\d+/, :as => :unhide_diary_comment match "/user/:display_name/diary/:id/subscribe" => "diary_entries#subscribe", :via => [:get, :post], :as => :diary_entry_subscribe, :id => /\d+/ match "/user/:display_name/diary/:id/unsubscribe" => "diary_entries#unsubscribe", :via => [:get, :post], :as => :diary_entry_unsubscribe, :id => /\d+/ diff --git a/config/settings.yml b/config/settings.yml index ec868b651..fa7207721 100644 --- a/config/settings.yml +++ b/config/settings.yml 
@@ -73,6 +73,13 @@ max_changes_per_hour: 100000 days_to_max_changes: 7 importer_changes_per_hour: 1000000 moderator_changes_per_hour: 1000000 +# Size limit for changes +min_size_limit: 10000000 +initial_size_limit: 30000000 +max_size_limit: 5400000000 +days_to_max_size_limit: 28 +importer_size_limit: 5400000000 +moderator_size_limit: 5400000000 # Domain for handling message replies #messages_domain: "messages.openstreetmap.org" # MaxMind GeoIPv2 database diff --git a/db/migrate/20240618193051_api_size_limit.rb b/db/migrate/20240618193051_api_size_limit.rb new file mode 100644 index 000000000..ce97a9f0e --- /dev/null +++ b/db/migrate/20240618193051_api_size_limit.rb @@ -0,0 +1,13 @@ +class ApiSizeLimit < ActiveRecord::Migration[7.1] + def up + safety_assured do + execute DatabaseFunctions::API_SIZE_LIMIT + end + end + + def down + safety_assured do + execute "DROP FUNCTION api_size_limit(bigint)" + end + end +end diff --git a/db/structure.sql b/db/structure.sql index 2e8bdbb61..e9d5efc3f 100644 --- a/db/structure.sql +++ b/db/structure.sql 
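Review bot: `# Size limit for changes` does not say what is measured or in which unit, and the six values are opaque without it; from the tests in test/controllers/api/changesets_controller_test.rb in this same diff a 2°x1° changeset box sits at the 30000000 `initial_size_limit`, so the values are a bounding box's width plus height in the scaled integer degrees that `BoundingBox#linear_size` returns (`GeoRecord::SCALE` units, 7 decimal places in the tests). Suggest `# Changeset bounding box size limits: width + height in scaled integer degrees (GeoRecord::SCALE units), ramping from initial_size_limit to max_size_limit over days_to_max_size_limit days`. These values are interpolated into the `api_size_limit` SQL function in lib/database_functions.rb when that constant is loaded, so editing them only takes effect after `rake db:update_functions` is run, which is worth saying next to the values.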
@@ -176,6 +176,63 @@ CREATE FUNCTION public.api_rate_limit(user_id bigint) RETURNS integer $$; +-- +-- Name: api_size_limit(bigint); Type: FUNCTION; Schema: public; Owner: - +-- + +CREATE FUNCTION public.api_size_limit(user_id bigint) RETURNS bigint + LANGUAGE plpgsql STABLE + AS $$ + DECLARE + min_size_limit int8 := 10000000; + initial_size_limit int8 := 30000000; + max_size_limit int8 := 5400000000; + days_to_max_size_limit int4 := 28; + importer_size_limit int8 := 5400000000; + moderator_size_limit int8 := 5400000000; + roles text[]; + last_block timestamp without time zone; + first_change timestamp without time zone; + active_reports int4; + time_since_first_change double precision; + size_limit int8; + BEGIN + SELECT ARRAY_AGG(user_roles.role) INTO STRICT roles FROM user_roles WHERE user_roles.user_id = api_size_limit.user_id; + + IF 'moderator' = ANY(roles) THEN + size_limit := moderator_size_limit; + ELSIF 'importer' = ANY(roles) THEN + size_limit := importer_size_limit; + ELSE + SELECT user_blocks.created_at INTO last_block FROM user_blocks WHERE user_blocks.user_id = api_size_limit.user_id ORDER BY user_blocks.created_at DESC LIMIT 1; + + IF FOUND THEN + SELECT changesets.created_at INTO first_change FROM changesets WHERE changesets.user_id = api_size_limit.user_id AND changesets.created_at > last_block ORDER BY changesets.created_at LIMIT 1; + ELSE + SELECT changesets.created_at INTO first_change FROM changesets WHERE changesets.user_id = api_size_limit.user_id ORDER BY changesets.created_at LIMIT 1; + END IF; + + IF NOT FOUND THEN + first_change := CURRENT_TIMESTAMP AT TIME ZONE 'UTC'; + END IF; + + SELECT COUNT(*) INTO STRICT active_reports + FROM issues INNER JOIN reports ON reports.issue_id = issues.id + WHERE issues.reported_user_id = api_size_limit.user_id AND issues.status = 'open' AND reports.updated_at >= COALESCE(issues.resolved_at, '1970-01-01'); + + time_since_first_change := EXTRACT(EPOCH FROM CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - 
first_change); + + size_limit := max_size_limit * POWER(time_since_first_change, 2) / POWER(days_to_max_size_limit * 24 * 60 * 60, 2); + size_limit := GREATEST(initial_size_limit, LEAST(max_size_limit, FLOOR(size_limit))); + size_limit := size_limit / POWER(2, active_reports); + size_limit := GREATEST(min_size_limit, LEAST(max_size_limit, size_limit)); + END IF; + + RETURN size_limit; + END; + $$; + + SET default_tablespace = ''; SET default_table_access_method = heap; @@ -3521,6 +3578,7 @@ INSERT INTO "schema_migrations" (version) VALUES ('23'), ('22'), ('21'), +('20240618193051'), ('20240605134916'), ('20240405083825'), ('20240307181018'), diff --git a/lib/bounding_box.rb b/lib/bounding_box.rb index 0cc4c5fd4..462f45a9f 100644 --- a/lib/bounding_box.rb +++ b/lib/bounding_box.rb @@ -88,6 +88,14 @@ class BoundingBox end end + def linear_size + if complete? + (max_lon - min_lon) + (max_lat - min_lat) + else + 0 + end + end + def complete? to_a.exclude?(nil) end diff --git a/lib/database_functions.rb b/lib/database_functions.rb index f9e09ac70..d58736fdf 100644 --- a/lib/database_functions.rb +++ b/lib/database_functions.rb 
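Review bot: `linear_size` is a new public method on `BoundingBox` with no comment, and its name does not reveal that it returns width plus height (half the perimeter, not an area) in whatever units the box was built with, nor why an incomplete box yields 0; suggest `# Width plus height of the box in its own coordinate units; 0 when any corner is unset, so an incomplete box never trips the changeset size limit that compares against it.` The `else 0` branch is the part most likely to be misread later, since a caller could take 0 to mean "empty box" rather than "unknown".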
@@ -55,4 +55,58 @@ module DatabaseFunctions END; $$ LANGUAGE plpgsql STABLE; ).freeze + + API_SIZE_LIMIT = %( + CREATE OR REPLACE FUNCTION api_size_limit(user_id int8) + RETURNS int8 + AS $$ + DECLARE + min_size_limit int8 := #{Settings.min_size_limit}; + initial_size_limit int8 := #{Settings.initial_size_limit}; + max_size_limit int8 := #{Settings.max_size_limit}; + days_to_max_size_limit int4 := #{Settings.days_to_max_size_limit}; + importer_size_limit int8 := #{Settings.importer_size_limit}; + moderator_size_limit int8 := #{Settings.moderator_size_limit}; + roles text[]; + last_block timestamp without time zone; + first_change timestamp without time zone; + active_reports int4; + time_since_first_change double precision; + size_limit int8; + BEGIN + SELECT ARRAY_AGG(user_roles.role) INTO STRICT roles FROM user_roles WHERE user_roles.user_id = api_size_limit.user_id; + + IF 'moderator' = ANY(roles) THEN + size_limit := moderator_size_limit; + ELSIF 'importer' = ANY(roles) THEN + size_limit := importer_size_limit; + ELSE + SELECT user_blocks.created_at INTO last_block FROM user_blocks WHERE user_blocks.user_id = api_size_limit.user_id ORDER BY user_blocks.created_at DESC LIMIT 1; + + IF FOUND THEN + SELECT changesets.created_at INTO first_change FROM changesets WHERE changesets.user_id = api_size_limit.user_id AND changesets.created_at > last_block ORDER BY changesets.created_at LIMIT 1; + ELSE + SELECT changesets.created_at INTO first_change FROM changesets WHERE changesets.user_id = api_size_limit.user_id ORDER BY changesets.created_at LIMIT 1; + END IF; + + IF NOT FOUND THEN + first_change := CURRENT_TIMESTAMP AT TIME ZONE 'UTC'; + END IF; + + SELECT COUNT(*) INTO STRICT active_reports + FROM issues INNER JOIN reports ON reports.issue_id = issues.id + WHERE issues.reported_user_id = api_size_limit.user_id AND issues.status = 'open' AND reports.updated_at >= COALESCE(issues.resolved_at, '1970-01-01'); + + time_since_first_change := EXTRACT(EPOCH FROM 
CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - first_change); + + size_limit := max_size_limit * POWER(time_since_first_change, 2) / POWER(days_to_max_size_limit * 24 * 60 * 60, 2); + size_limit := GREATEST(initial_size_limit, LEAST(max_size_limit, FLOOR(size_limit))); + size_limit := size_limit / POWER(2, active_reports); + size_limit := GREATEST(min_size_limit, LEAST(max_size_limit, size_limit)); + END IF; + + RETURN size_limit; + END; + $$ LANGUAGE plpgsql STABLE; + ).freeze end diff --git a/lib/osm.rb b/lib/osm.rb index a0fcef8b9..dd273418e 100644 --- a/lib/osm.rb +++ b/lib/osm.rb @@ -364,6 +364,17 @@ module OSM end end + # Raised when a size limit is exceeded + class APISizeLimitExceeded < APIError + def initialize + super("Size limit exceeded") + end + + def status + :payload_too_large + end + end + # Helper methods for going to/from mercator and lat/lng. class Mercator include Math diff --git a/lib/tasks/update_functions.rake b/lib/tasks/update_functions.rake index 605d3c9ad..f10257215 100644 --- a/lib/tasks/update_functions.rake +++ b/lib/tasks/update_functions.rake @@ -2,5 +2,6 @@ namespace :db do desc "Update database function definitions" task :update_functions => :environment do ActiveRecord::Base.connection.execute DatabaseFunctions::API_RATE_LIMIT + ActiveRecord::Base.connection.execute DatabaseFunctions::API_SIZE_LIMIT end end diff --git a/test/abilities/abilities_test.rb b/test/abilities/abilities_test.rb index 4947351b6..58ef2b514 100644 --- a/test/abilities/abilities_test.rb +++ b/test/abilities/abilities_test.rb 
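Review bot: The arithmetic at the end of `API_SIZE_LIMIT` is undocumented: the limit grows quadratically with time since the first edit after the user's last block, is clamped to [initial_size_limit, max_size_limit], then halved for each open report against the user and clamped again to [min_size_limit, max_size_limit], and nothing in the SQL says so; a `--` comment before the `size_limit :=` block stating that ramp and the halving rule would save the next maintainer from re-deriving it. `size_limit := size_limit / POWER(2, active_reports);` assigns a double precision result to an int8 variable and relies on the implicit cast to round it, whereas the line above spells out `FLOOR(...)`; using `FLOOR` here too makes the rounding explicit. The role, block and report lookups appear to mirror the `api_rate_limit` function whose tail is visible above this hunk, so any future change to that logic has to be made twice, and db/structure.sql in this diff carries a dump with the Settings values baked in as literals, so the dump and the live function diverge whenever config/settings.yml changes until `rake db:update_functions` is run.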
@@ -25,9 +25,13 @@ class GuestAbilityTest < AbilityTest assert ability.can?(action, DiaryComment), "should be able to #{action} DiaryComments" end - [:create, :edit, :comment, :subscribe, :unsubscribe, :hide, :hidecomment].each do |action| + [:create, :edit, :comment, :subscribe, :unsubscribe, :hide, :unhide].each do |action| assert ability.cannot?(action, DiaryEntry), "should not be able to #{action} DiaryEntries" end + + [:hide, :unhide].each do |action| + assert ability.cannot?(action, DiaryComment), "should not be able to #{action} DiaryComments" + end end test "note permissions for a guest" do @@ -59,8 +63,9 @@ class UserAbilityTest < AbilityTest assert ability.can?(action, DiaryComment), "should be able to #{action} DiaryComments" end - [:hide, :hidecomment].each do |action| + [:hide, :unhide].each do |action| assert ability.cannot?(action, DiaryEntry), "should not be able to #{action} DiaryEntries" + assert ability.cannot?(action, DiaryComment), "should not be able to #{action} DiaryComment" end [:index, :show, :resolve, :ignore, :reopen].each do |action| @@ -85,8 +90,9 @@ class ModeratorAbilityTest < AbilityTest assert ability.cannot?(action, UserRole), "should not be able to #{action} UserRoles" end - [:hide, :hidecomment].each do |action| + [:hide, :unhide].each do |action| assert ability.can?(action, DiaryEntry), "should be able to #{action} DiaryEntries" + assert ability.can?(action, DiaryComment), "should be able to #{action} DiaryComment" end end end 
@@ -94,11 +100,11 @@ end class AdministratorAbilityTest < AbilityTest test "Diary for an administrator" do ability = Ability.new create(:administrator_user) - [:index, :rss, :show, :create, :edit, :comment, :subscribe, :unsubscribe, :hide, :hidecomment].each do |action| + [:index, :rss, :show, :create, :edit, :comment, :subscribe, :unsubscribe, :hide, :unhide].each do |action| assert ability.can?(action, DiaryEntry), "should be able to #{action} DiaryEntries" end - [:index].each do |action| + [:index, :hide, :unhide].each do |action| assert ability.can?(action, DiaryComment), "should be able to #{action} DiaryComments" end end diff --git a/test/controllers/api/changesets_controller_test.rb b/test/controllers/api/changesets_controller_test.rb index be1033ea6..17a9ad9d3 100644 --- a/test/controllers/api/changesets_controller_test.rb +++ b/test/controllers/api/changesets_controller_test.rb @@ -749,7 +749,11 @@ module Api end def test_upload_large_changeset - auth_header = basic_authorization_header create(:user).email, "test" + user = create(:user) + auth_header = basic_authorization_header user.email, "test" + + # create an old changeset to ensure we have the maximum rate limit + create(:changeset, :user => user, :created_at => Time.now.utc - 28.days) # create a changeset put changeset_create_path, :params => "", :headers => auth_header @@ -1048,14 +1052,14 @@ module Api diff = <<~CHANGESET - - - - - - - - + + + + + + + + CHANGESET @@ -1329,9 +1333,9 @@ module Api diff = <<~CHANGESET - - - + + + @@ -1352,9 +1356,9 @@ module Api diff = <<~CHANGESET - - - + + + @@ -1384,9 +1388,9 @@ module Api diff = <<~CHANGESET - - - + + + @@ -1407,9 +1411,9 @@ module Api diff = <<~CHANGESET - - - + + + 
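Review bot: The new comment in `test_upload_large_changeset`, `# create an old changeset to ensure we have the maximum rate limit`, names only the rate limit, but the reason this line is added in this diff is that the new size limit also ramps with account age and this test uploads a large changeset; suggest `# create an old changeset so the user has reached the maximum rate limit and the maximum size limit`. The 28 days here matches `days_to_max_size_limit` in config/settings.yml, so a reference to that setting would tie the magic number to its source. The rest of the test body is outside this hunk.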
@@ -1478,14 +1482,14 @@ module Api changeset_id = @response.body.to_i old_way = create(:way) - create(:way_node, :way => old_way, :node => create(:node, :lat => 1, :lon => 1)) + create(:way_node, :way => old_way, :node => create(:node, :lat => 0.1, :lon => 0.1)) diff = XML::Document.new diff.root = XML::Node.new "osmChange" modify = XML::Node.new "modify" xml_old_way = xml_node_for_way(old_way) nd_ref = XML::Node.new "nd" - nd_ref["ref"] = create(:node, :lat => 3, :lon => 3).id.to_s + nd_ref["ref"] = create(:node, :lat => 0.3, :lon => 0.3).id.to_s xml_old_way << nd_ref xml_old_way["changeset"] = changeset_id.to_s modify << xml_old_way @@ -1498,10 +1502,10 @@ module Api # check the bbox changeset = Changeset.find(changeset_id) - assert_equal 1 * GeoRecord::SCALE, changeset.min_lon, "min_lon should be 1 degree" - assert_equal 3 * GeoRecord::SCALE, changeset.max_lon, "max_lon should be 3 degrees" - assert_equal 1 * GeoRecord::SCALE, changeset.min_lat, "min_lat should be 1 degree" - assert_equal 3 * GeoRecord::SCALE, changeset.max_lat, "max_lat should be 3 degrees" + assert_equal 0.1 * GeoRecord::SCALE, changeset.min_lon, "min_lon should be 0.1 degree" + assert_equal 0.3 * GeoRecord::SCALE, changeset.max_lon, "max_lon should be 0.3 degrees" + assert_equal 0.1 * GeoRecord::SCALE, changeset.min_lat, "min_lat should be 0.1 degree" + assert_equal 0.3 * GeoRecord::SCALE, changeset.max_lat, "max_lat should be 0.3 degrees" end ## 
@@ -1798,6 +1802,71 @@ module Api assert_response :too_many_requests, "upload did not hit rate limit" end + ## + # test initial size limit + def test_upload_initial_size_limit + # create a user + user = create(:user) + + # create a changeset that puts us near the initial size limit + changeset = create(:changeset, :user => user, + :min_lat => (-0.5 * GeoRecord::SCALE).round, :min_lon => (0.5 * GeoRecord::SCALE).round, + :max_lat => (0.5 * GeoRecord::SCALE).round, :max_lon => (2.5 * GeoRecord::SCALE).round) + + # create authentication header + auth_header = basic_authorization_header user.email, "test" + + # simple diff to create a node + diff = <<~CHANGESET + + + + + + + + + CHANGESET + + # upload it + post changeset_upload_path(changeset), :params => diff, :headers => auth_header + assert_response :payload_too_large, "upload did not hit size limit" + end + + ## + # test size limit after one week + def test_upload_week_size_limit + # create a user + user = create(:user) + + # create a changeset to establish our initial edit time + create(:changeset, :user => user, :created_at => Time.now.utc - 7.days) + + # create a changeset that puts us near the initial size limit + changeset = create(:changeset, :user => user, + :min_lat => (-0.5 * GeoRecord::SCALE).round, :min_lon => (0.5 * GeoRecord::SCALE).round, + :max_lat => (0.5 * GeoRecord::SCALE).round, :max_lon => (2.5 * GeoRecord::SCALE).round) + + # create authentication header + auth_header = basic_authorization_header user.email, "test" + + # simple diff to create a node way and relation using placeholders + diff = <<~CHANGESET + + + + + + + + + CHANGESET + + # upload it + post changeset_upload_path(changeset), :params => diff, :headers => auth_header + assert_response :payload_too_large, "upload did not hit size limit" + end + ## # when we make some simple changes we get the same changes back from the # diff download. @@ -1829,14 +1898,14 @@ module Api diff = <<~CHANGESET - - - - - - - - + + + + + + + + CHANGESET 
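Review bot: In `test_upload_week_size_limit` the comment `# create a changeset that puts us near the initial size limit` is copied from `test_upload_initial_size_limit`, but once the user's first changeset is 7 days old the limit in force is no longer the initial one, so the comment should describe the week-old scenario and why the same 2°x1° box is still expected to hit `:payload_too_large`. The second test's `# simple diff to create a node way and relation using placeholders` likewise reads as copied from elsewhere; the heredoc contents are not visible in this rendering of the diff, so I cannot confirm whether it matches. Both tests also depend on the wall clock via `Time.now.utc - 7.days`, which is acceptable here but worth a note if the limits are later tuned close to the boundary.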
@@ -1935,15 +2004,15 @@ module Api diff = <<~CHANGESET - + - - - + + + - + @@ -2034,7 +2103,7 @@ module Api # FIXME: This should really be moded to a integration test due to the with_controller def test_changeset_bbox way = create(:way) - create(:way_node, :way => way, :node => create(:node, :lat => 3, :lon => 3)) + create(:way_node, :way => way, :node => create(:node, :lat => 0.3, :lon => 0.3)) auth_header = basic_authorization_header create(:user).email, "test" @@ -2046,7 +2115,7 @@ module Api # add a single node to it with_controller(NodesController.new) do - xml = "" + xml = "" put node_create_path, :params => xml, :headers => auth_header assert_response :success, "Couldn't create node." end @@ -2054,14 +2123,14 @@ module Api # get the bounding box back from the changeset get changeset_show_path(:id => changeset_id) assert_response :success, "Couldn't read back changeset." - assert_select "osm>changeset[min_lon='1.0000000']", 1 - assert_select "osm>changeset[max_lon='1.0000000']", 1 - assert_select "osm>changeset[min_lat='2.0000000']", 1 - assert_select "osm>changeset[max_lat='2.0000000']", 1 + assert_select "osm>changeset[min_lon='0.1000000']", 1 + assert_select "osm>changeset[max_lon='0.1000000']", 1 + assert_select "osm>changeset[min_lat='0.2000000']", 1 + assert_select "osm>changeset[max_lat='0.2000000']", 1 # add another node to it with_controller(NodesController.new) do - xml = "" + xml = "" put node_create_path, :params => xml, :headers => auth_header assert_response :success, "Couldn't create second node." end 
@@ -2069,10 +2138,10 @@ module Api # get the bounding box back from the changeset get changeset_show_path(:id => changeset_id) assert_response :success, "Couldn't read back changeset for the second time." - assert_select "osm>changeset[min_lon='1.0000000']", 1 - assert_select "osm>changeset[max_lon='2.0000000']", 1 - assert_select "osm>changeset[min_lat='1.0000000']", 1 - assert_select "osm>changeset[max_lat='2.0000000']", 1 + assert_select "osm>changeset[min_lon='0.1000000']", 1 + assert_select "osm>changeset[max_lon='0.2000000']", 1 + assert_select "osm>changeset[min_lat='0.1000000']", 1 + assert_select "osm>changeset[max_lat='0.2000000']", 1 # add (delete) a way to it, which contains a point at (3,3) with_controller(WaysController.new) do @@ -2084,10 +2153,10 @@ module Api # get the bounding box back from the changeset get changeset_show_path(:id => changeset_id) assert_response :success, "Couldn't read back changeset for the third time." - assert_select "osm>changeset[min_lon='1.0000000']", 1 - assert_select "osm>changeset[max_lon='3.0000000']", 1 - assert_select "osm>changeset[min_lat='1.0000000']", 1 - assert_select "osm>changeset[max_lat='3.0000000']", 1 + assert_select "osm>changeset[min_lon='0.1000000']", 1 + assert_select "osm>changeset[max_lon='0.3000000']", 1 + assert_select "osm>changeset[min_lat='0.1000000']", 1 + assert_select "osm>changeset[max_lat='0.3000000']", 1 end ## diff --git a/test/controllers/api/old_nodes_controller_test.rb b/test/controllers/api/old_nodes_controller_test.rb index badc7301b..7855079cc 100644 --- a/test/controllers/api/old_nodes_controller_test.rb +++ b/test/controllers/api/old_nodes_controller_test.rb 
@@ -40,9 +40,9 @@ module Api # FIXME: Move this test to being an integration test since it spans multiple controllers def test_version private_user = create(:user, :data_public => false) - private_node = create(:node, :with_history, :version => 4, :changeset => create(:changeset, :user => private_user)) + private_node = create(:node, :with_history, :version => 4, :lat => 0, :lon => 0, :changeset => create(:changeset, :user => private_user)) user = create(:user) - node = create(:node, :with_history, :version => 4, :changeset => create(:changeset, :user => user)) + node = create(:node, :with_history, :version => 4, :lat => 0, :lon => 0, :changeset => create(:changeset, :user => user)) create_list(:node_tag, 2, :node => node) # Ensure that the current tags are propagated to the history too propagate_tags(node, node.old_nodes.last) @@ -65,8 +65,8 @@ module Api # randomly move the node about 3.times do # move the node somewhere else - xml_node["lat"] = precision((rand * 180) - 90).to_s - xml_node["lon"] = precision((rand * 360) - 180).to_s + xml_node["lat"] = precision(rand - 0.5).to_s + xml_node["lon"] = precision(rand - 0.5).to_s with_controller(NodesController.new) do put api_node_path(nodeid), :params => xml_doc.to_s, :headers => auth_header assert_response :forbidden, "Should have rejected node update" @@ -113,8 +113,8 @@ module Api # randomly move the node about 3.times do # move the node somewhere else - xml_node["lat"] = precision((rand * 180) - 90).to_s - xml_node["lon"] = precision((rand * 360) - 180).to_s + xml_node["lat"] = precision(rand - 0.5).to_s + xml_node["lon"] = precision(rand - 0.5).to_s with_controller(NodesController.new) do put api_node_path(nodeid), :params => xml_doc.to_s, :headers => auth_header assert_response :success diff --git a/test/controllers/api/relations_controller_test.rb b/test/controllers/api/relations_controller_test.rb index e69dcdfe2..982df1dd7 100644 --- a/test/controllers/api/relations_controller_test.rb 
+++ b/test/controllers/api/relations_controller_test.rb @@ -641,15 +641,15 @@ module Api # box of all its members into the changeset. def test_tag_modify_bounding_box relation = create(:relation) - node1 = create(:node, :lat => 3, :lon => 3) - node2 = create(:node, :lat => 5, :lon => 5) + node1 = create(:node, :lat => 0.3, :lon => 0.3) + node2 = create(:node, :lat => 0.5, :lon => 0.5) way = create(:way) create(:way_node, :way => way, :node => node1) create(:relation_member, :relation => relation, :member => way) create(:relation_member, :relation => relation, :member => node2) # the relation contains nodes1 and node2 (node1 - # indirectly via the way), so the bbox should be [3,3,5,5]. - check_changeset_modify(BoundingBox.new(3, 3, 5, 5)) do |changeset_id, auth_header| + # indirectly via the way), so the bbox should be [0.3,0.3,0.5,0.5]. + check_changeset_modify(BoundingBox.new(0.3, 0.3, 0.5, 0.5)) do |changeset_id, auth_header| # add a tag to an existing relation relation_xml = xml_for_relation(relation) relation_element = relation_xml.find("//osm/relation").first @@ -879,14 +879,14 @@ module Api # still technically valid. def test_remove_all_members relation = create(:relation) - node1 = create(:node, :lat => 3, :lon => 3) - node2 = create(:node, :lat => 5, :lon => 5) + node1 = create(:node, :lat => 0.3, :lon => 0.3) + node2 = create(:node, :lat => 0.5, :lon => 0.5) way = create(:way) create(:way_node, :way => way, :node => node1) create(:relation_member, :relation => relation, :member => way) create(:relation_member, :relation => relation, :member => node2) - check_changeset_modify(BoundingBox.new(3, 3, 5, 5)) do |changeset_id, auth_header| + check_changeset_modify(BoundingBox.new(0.3, 0.3, 0.5, 0.5)) do |changeset_id, auth_header| relation_xml = xml_for_relation(relation) relation_xml .find("//osm/relation/member") 
diff --git a/test/controllers/diary_comments_controller_test.rb b/test/controllers/diary_comments_controller_test.rb index adb96dccb..e2ad4c91b 100644 --- a/test/controllers/diary_comments_controller_test.rb +++ b/test/controllers/diary_comments_controller_test.rb @@ -12,6 +12,14 @@ class DiaryCommentsControllerTest < ActionDispatch::IntegrationTest { :path => "/user/username/diary/comments", :method => :get }, { :controller => "diary_comments", :action => "index", :display_name => "username" } ) + assert_routing( + { :path => "/user/username/diary/1/hidecomment/2", :method => :post }, + { :controller => "diary_comments", :action => "hide", :display_name => "username", :id => "1", :comment => "2" } + ) + assert_routing( + { :path => "/user/username/diary/1/unhidecomment/2", :method => :post }, + { :controller => "diary_comments", :action => "unhide", :display_name => "username", :id => "1", :comment => "2" } + ) get "/user/username/diary/comments/1" assert_redirected_to "/user/username/diary/comments" 
@@ -60,4 +68,68 @@ class DiaryCommentsControllerTest < ActionDispatch::IntegrationTest assert_redirected_to :controller => :errors, :action => :bad_request end end + + def test_hide + user = create(:user) + diary_entry = create(:diary_entry, :user => user) + diary_comment = create(:diary_comment, :diary_entry => diary_entry) + + # Try without logging in + post hide_diary_comment_path(user, diary_entry, diary_comment) + assert_response :forbidden + assert DiaryComment.find(diary_comment.id).visible + + # Now try as a normal user + session_for(user) + post hide_diary_comment_path(user, diary_entry, diary_comment) + assert_redirected_to :controller => :errors, :action => :forbidden + assert DiaryComment.find(diary_comment.id).visible + + # Try as a moderator + session_for(create(:moderator_user)) + post hide_diary_comment_path(user, diary_entry, diary_comment) + assert_redirected_to diary_entry_path(user, diary_entry) + assert_not DiaryComment.find(diary_comment.id).visible + + # Reset + diary_comment.reload.update(:visible => true) + + # Finally try as an administrator + session_for(create(:administrator_user)) + post hide_diary_comment_path(user, diary_entry, diary_comment) + assert_redirected_to diary_entry_path(user, diary_entry) + assert_not DiaryComment.find(diary_comment.id).visible + end + + def test_unhide + user = create(:user) + diary_entry = create(:diary_entry, :user => user) + diary_comment = create(:diary_comment, :diary_entry => diary_entry, :visible => false) + + # Try without logging in + post unhide_diary_comment_path(user, diary_entry, diary_comment) + assert_response :forbidden + assert_not DiaryComment.find(diary_comment.id).visible + + # Now try as a normal user + session_for(user) + post unhide_diary_comment_path(user, diary_entry, diary_comment) + assert_redirected_to :controller => :errors, :action => :forbidden + assert_not DiaryComment.find(diary_comment.id).visible + + # Now try as a moderator + session_for(create(:moderator_user)) + post 
unhide_diary_comment_path(user, diary_entry, diary_comment) + assert_redirected_to diary_entry_path(user, diary_entry) + assert DiaryComment.find(diary_comment.id).visible + + # Reset + diary_comment.reload.update(:visible => true) + + # Finally try as an administrator + session_for(create(:administrator_user)) + post unhide_diary_comment_path(user, diary_entry, diary_comment) + assert_redirected_to diary_entry_path(user, diary_entry) + assert DiaryComment.find(diary_comment.id).visible + end end diff --git a/test/controllers/diary_entries_controller_test.rb b/test/controllers/diary_entries_controller_test.rb index 1dfd5ec1a..d0453bf08 100644 --- a/test/controllers/diary_entries_controller_test.rb +++ b/test/controllers/diary_entries_controller_test.rb @@ -81,14 +81,6 @@ class DiaryEntriesControllerTest < ActionDispatch::IntegrationTest { :path => "/user/username/diary/1/unhide", :method => :post }, { :controller => "diary_entries", :action => "unhide", :display_name => "username", :id => "1" } ) - assert_routing( - { :path => "/user/username/diary/1/hidecomment/2", :method => :post }, - { :controller => "diary_entries", :action => "hidecomment", :display_name => "username", :id => "1", :comment => "2" } - ) - assert_routing( - { :path => "/user/username/diary/1/unhidecomment/2", :method => :post }, - { :controller => "diary_entries", :action => "unhidecomment", :display_name => "username", :id => "1", :comment => "2" } - ) assert_routing( { :path => "/user/username/diary/1/subscribe", :method => :get }, { :controller => "diary_entries", :action => "subscribe", :display_name => "username", :id => "1" } 
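Review bot: In `test_unhide`, the `# Reset` step before the administrator attempt sets `:visible => true`, which is already the state the moderator step left the comment in, so the final `assert DiaryComment.find(diary_comment.id).visible` would pass even if the administrator's unhide did nothing. The reset should put the comment back into the hidden state: `diary_comment.reload.update(:visible => false)`. The same line appears in the removed `test_unhidecomment`, so this is carried over rather than introduced, but the move is the natural moment to fix it. The `post` call before the moderator unhide appears split across two lines in this rendering, presumably a display artifact rather than part of the patch.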
@@ -744,6 +736,17 @@ class DiaryEntriesControllerTest < ActionDispatch::IntegrationTest end end + def test_show_og_image_with_no_image + user = create(:user) + diary_entry = create(:diary_entry, :user => user, :body => "nothing") + + get diary_entry_path(user, diary_entry) + assert_response :success + assert_dom "head meta[property='og:image']" do + assert_dom "> @content", ActionController::Base.helpers.image_url("osm_logo_256.png", :host => root_url) + end + end + def test_show_og_image user = create(:user) diary_entry = create(:diary_entry, :user => user, :body => "![some picture](https://example.com/picture.jpg)") @@ -766,6 +769,39 @@ class DiaryEntriesControllerTest < ActionDispatch::IntegrationTest end end + def test_show_og_image_with_spaces + user = create(:user) + diary_entry = create(:diary_entry, :user => user, :body => "![some picture](https://example.com/the picture.jpg)") + + get diary_entry_path(user, diary_entry) + assert_response :success + assert_dom "head meta[property='og:image']" do + assert_dom "> @content", "https://example.com/the%20picture.jpg" + end + end + + def test_show_og_image_with_relative_uri_and_spaces + user = create(:user) + diary_entry = create(:diary_entry, :user => user, :body => "![some local picture](/the picture.jpg)") + + get diary_entry_path(user, diary_entry) + assert_response :success + assert_dom "head meta[property='og:image']" do + assert_dom "> @content", "#{root_url}the%20picture.jpg" + end + end + + def test_show_og_image_with_invalid_uri + user = create(:user) + diary_entry = create(:diary_entry, :user => user, :body => "![](:)") + + get diary_entry_path(user, diary_entry) + assert_response :success + assert_dom "head meta[property='og:image']" do + assert_dom "> @content", ActionController::Base.helpers.image_url("osm_logo_256.png", :host => root_url) + end + end + def test_hide user = create(:user) diary_entry = create(:diary_entry, :user => user) 
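Review bot: `test_show_og_image_with_no_image` and `test_show_og_image_with_invalid_uri` both spell out the fallback as `ActionController::Base.helpers.image_url("osm_logo_256.png", :host => root_url)`; a small private helper returning that value, say `default_og_image`, would keep the two expectations from drifting apart when the default image changes. Coverage of the URL handling is otherwise limited to an absolute URL with spaces, a root-relative path with spaces and the unparsable `:`; if the resolver is meant to accept only http(s) images, a case asserting that a non-http scheme falls back to the default image would pin that behaviour, though that intent is not visible from the tests alone. The enclosing class continues outside both hunks.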
@@ -828,70 +864,6 @@ class DiaryEntriesControllerTest < ActionDispatch::IntegrationTest assert DiaryEntry.find(diary_entry.id).visible end - def test_hidecomment - user = create(:user) - diary_entry = create(:diary_entry, :user => user) - diary_comment = create(:diary_comment, :diary_entry => diary_entry) - - # Try without logging in - post hide_diary_comment_path(user, diary_entry, diary_comment) - assert_response :forbidden - assert DiaryComment.find(diary_comment.id).visible - - # Now try as a normal user - session_for(user) - post hide_diary_comment_path(user, diary_entry, diary_comment) - assert_redirected_to :controller => :errors, :action => :forbidden - assert DiaryComment.find(diary_comment.id).visible - - # Try as a moderator - session_for(create(:moderator_user)) - post hide_diary_comment_path(user, diary_entry, diary_comment) - assert_redirected_to :action => :show, :display_name => user.display_name, :id => diary_entry.id - assert_not DiaryComment.find(diary_comment.id).visible - - # Reset - diary_comment.reload.update(:visible => true) - - # Finally try as an administrator - session_for(create(:administrator_user)) - post hide_diary_comment_path(user, diary_entry, diary_comment) - assert_redirected_to :action => :show, :display_name => user.display_name, :id => diary_entry.id - assert_not DiaryComment.find(diary_comment.id).visible - end - - def test_unhidecomment - user = create(:user) - diary_entry = create(:diary_entry, :user => user) - diary_comment = create(:diary_comment, :diary_entry => diary_entry, :visible => false) - - # Try without logging in - post unhide_diary_comment_path(user, diary_entry, diary_comment) - assert_response :forbidden - assert_not DiaryComment.find(diary_comment.id).visible - - # Now try as a normal user - session_for(user) - post unhide_diary_comment_path(user, diary_entry, diary_comment) - assert_redirected_to :controller => :errors, :action => :forbidden - assert_not DiaryComment.find(diary_comment.id).visible - - # 
Now try as a moderator - session_for(create(:moderator_user)) - post unhide_diary_comment_path(user, diary_entry, diary_comment) - assert_redirected_to :action => :show, :display_name => user.display_name, :id => diary_entry.id - assert DiaryComment.find(diary_comment.id).visible - - # Reset - diary_comment.reload.update(:visible => true) - - # Finally try as an administrator - session_for(create(:administrator_user)) - post unhide_diary_comment_path(user, diary_entry, diary_comment) - assert_redirected_to :action => :show, :display_name => user.display_name, :id => diary_entry.id - assert DiaryComment.find(diary_comment.id).visible - end - def test_subscribe_page user = create(:user) other_user = create(:user) diff --git a/test/factories/node.rb b/test/factories/node.rb index 392d67a84..bfb8b16fe 100644 --- a/test/factories/node.rb +++ b/test/factories/node.rb @@ -16,7 +16,7 @@ FactoryBot.define do trait :with_history do after(:create) do |node, _evaluator| (1..node.version).each do |n| - create(:old_node, :node_id => node.id, :version => n, :changeset => node.changeset) + create(:old_node, :node_id => node.id, :version => n, :latitude => node.latitude, :longitude => node.longitude, :changeset => node.changeset) end # For deleted nodes, make sure the most recent old_node is also deleted. diff --git a/test/models/node_test.rb b/test/models/node_test.rb index 94cb5ec81..9efe9a9c9 100644 --- a/test/models/node_test.rb +++ b/test/models/node_test.rb @@ -98,8 +98,9 @@ class NodeTest < ActiveSupport::TestCase end def test_update - node = create(:node) - create(:old_node, :node_id => node.id, :version => 1) + node = create(:node, :lat => 12.6543, :lon => 65.1234) + create(:old_node, :node_id => node.id, :version => 1, :lat => node.lat, :lon => node.lon) + node_template = Node.find(node.id) assert_not_nil node_template
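Review bot: The `:with_history` trait now passes position as `:latitude => node.latitude, :longitude => node.longitude`, while the `test_update` hunk in test/models/node_test.rb on the same line passes `:lat => node.lat, :lon => node.lon` for the same purpose; presumably both reach the same columns, but the two spellings read as if they meant different things. Pick one form for both sites, e.g. `:latitude => node.latitude, :longitude => node.longitude` in node_test.rb as well. A one-line comment above the `create(:old_node, ...)` call in the trait would also record the intent, e.g. `# each history row carries the node's current position`. The node_test hunk continues past the end of this view.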