From: Tom Hughes
Date: Thu, 23 Nov 2017 22:39:05 +0000 (+0000)
Subject: Allow third party images in user content
X-Git-Tag: live~3271
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/bb116b85df7dac68b83dae135a7ab260f7d7eae1
Allow third party images in user content
---
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 5905b3759..bcbb6706a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -427,6 +427,10 @@ class ApplicationController < ActionController::Base
 request.xhr? ? "xhr" : "map"
 end
+ def allow_thirdparty_images
+ append_content_security_policy_directives(:img_src => %w[*])
+ end
+
 def preferred_editor
 editor = if params[:editor]
 params[:editor]
diff --git a/app/controllers/diary_entry_controller.rb b/app/controllers/diary_entry_controller.rb
index b3518872c..9e0fd4991 100644
--- a/app/controllers/diary_entry_controller.rb
+++ b/app/controllers/diary_entry_controller.rb
@@ -8,6 +8,7 @@ class DiaryEntryController < ApplicationController
 before_action :check_database_readable
 before_action :check_database_writable, :only => [:new, :edit, :comment, :hide, :hidecomment, :subscribe, :unsubscribe]
 before_action :require_administrator, :only => [:hide, :hidecomment]
+ before_action :allow_thirdparty_images, :only => [:new, :edit, :list, :view, :comments]
 def new
 @title = t "diary_entry.new.title"
diff --git a/app/controllers/message_controller.rb b/app/controllers/message_controller.rb
index 29b74c848..3952b67ca 100644
--- a/app/controllers/message_controller.rb
+++ b/app/controllers/message_controller.rb
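Review bot: In `allow_thirdparty_images` (application_controller.rb), `:img_src => %w[*]` opens the image policy to any host over any network scheme, which is wider than needed if the site is served only over HTTPS. A scheme source would keep third-party images working while excluding cleartext loads: `append_content_security_policy_directives(:img_src => %w[https:])`. The cost is that existing content embedding `http://` images would stop rendering, so this is a trade-off to decide rather than a drop-in fix. The method also has no comment; I would add `# Relax CSP img-src for actions that render user-authored content; keep the :only lists minimal.` above it.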
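Review bot: Each action in this `:only` list, and in the matching lists added to message_controller.rb and user_controller.rb, now lets the viewer's browser fetch images from hosts chosen by the content author, so that host can log the viewer's IP address, user agent and time of viewing. This matters most for `:read` in MessageController, where an embedded image works as a read receipt for a private message. The CSP change cannot address that on its own; the usual mitigations are serving user-content images through a site-controlled image proxy, or at minimum confirming that a restrictive `Referrer-Policy` is sent on these responses. I would record the trade-off beside the filter, e.g. `# NOTE: third-party images expose viewer IP/timing to the image host`.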
@@ -7,6 +7,7 @@ class MessageController < ApplicationController
 before_action :lookup_this_user, :only => [:new]
 before_action :check_database_readable
 before_action :check_database_writable, :only => [:new, :reply, :mark]
+ before_action :allow_thirdparty_images, :only => [:new, :read]
 # Allow the user to write a new message to another user. This action also
 # deals with the sending of that message to the other user when the user
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index e25d3c8b6..b3a1ddda8 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -18,6 +18,7 @@ class UserController < ApplicationController
 around_action :api_call_handle_error, :only => [:api_read, :api_details, :api_gpx_files]
 before_action :lookup_user_by_id, :only => [:api_read]
 before_action :lookup_user_by_name, :only => [:set_status, :delete]
+ before_action :allow_thirdparty_images, :only => [:view, :account]
 def terms
 @legale = params[:legale] || OSM.ip_to_country(request.remote_ip) || DEFAULT_LEGALE
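Review bot: `:account` is listed alongside `:view` in the UserController filter, so the relaxed `img-src` covers the whole response for that action, not only the part that shows user-authored text. If `account` renders the account settings form (not visible in this hunk), a markup-injection bug on that page would no longer be contained by the image policy that applied before this commit. If the relaxation is only needed for a profile-description preview, a comment saying so would help later reviewers keep the list tight, e.g. `# :account is listed only for the profile description preview`. The same question applies to `:new`/`:edit` in the diary list and `:new` in the message list.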