From: Matt Amos
Date: Thu, 6 Nov 2008 19:10:19 +0000 (+0000)
Subject: Ooops. Added missing access control to changeset controller.
X-Git-Tag: live~7573^2~218
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/c760891d634eff7b95b98d2bd88fc0d5535220bb?hp=383f204e64df874e288d100e65980db6df4630b6

Ooops. Added missing access control to changeset controller.
---
diff --git a/app/controllers/changeset_controller.rb b/app/controllers/changeset_controller.rb
index c56e15c01..9152df816 100644
--- a/app/controllers/changeset_controller.rb
+++ b/app/controllers/changeset_controller.rb
@@ -41,7 +41,13 @@ class ChangesetController < ApplicationController
         render :nothing => true, :status => :method_not_allowed
         return
       end
+      changeset = Changeset.find(params[:id])
+
+      unless @user.id == changeset.user_id
+        raise OSM::APIUserChangesetMismatchError
+      end
+
       changeset.open = false
       changeset.save!
       render :nothing => true
@@ -61,6 +67,12 @@ class ChangesetController < ApplicationController
     if request.post?
       cs = Changeset.find(params[:id])
+      # check user credentials - only the user who opened a changeset
+      # may alter it.
+      unless @user.id == changeset.user_id
+        raise OSM::APIUserChangesetMismatchError
+      end
+
       # keep an array of lons and lats
       lon = Array.new
       lat = Array.new
@@ -120,6 +132,12 @@ class ChangesetController < ApplicationController
         return
       end
+      # access control - only the user who created a changeset may
+      # upload to it.
+      unless @user.id == changeset.user_id
+        raise OSM::APIUserChangesetMismatchError
+      end
+
       changeset = Changeset.find(params[:id])
       diff_reader = DiffReader.new(request.raw_post, changeset)
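Review bot: The new ownership check in the first hunk compares `@user.id` without guarding against `@user` being nil, so a request reaching this action without an authenticated user would fail with NoMethodError rather than a clean 401; an authorize filter may already guarantee `@user` here, but that is not visible in the hunk. The same comparison is pasted into the two later hunks for the other actions, and a single private helper whose body is `raise OSM::APIUserChangesetMismatchError unless @user.id == changeset.user_id`, called from each action, would keep the three copies consistent and make a nil guard a one-place change. The enclosing method starts and ends outside the hunk.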
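Review bot: In the second hunk `changeset.user_id` refers to a local that does not exist in this scope — the record was loaded into `cs` on the line above — so every POST that reaches this point raises NameError before the ownership comparison is evaluated, and the check the commit intends to add never actually passes. The fix is to use the variable that was assigned: `unless @user.id == cs.user_id`. The enclosing method starts before and continues past the hunk.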
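Review bot: In the third hunk the added `unless @user.id == changeset.user_id` executes before `changeset = Changeset.find(params[:id])` on the following line, so `changeset` is undefined at the point of the check and the action raises NameError instead of enforcing ownership. Move the find above the check — `changeset = Changeset.find(params[:id])` followed by the `unless … end` block — so the comparison sees the loaded record. The enclosing method starts and ends outside the hunk.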