From: Tom Hughes
Date: Sun, 5 Jan 2025 16:17:20 +0000 (+0000)
Subject: Merge remote-tracking branch 'upstream/pull/5470'
X-Git-Tag: live~656
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/cdcf15e7b1a37bda5aef6266e2c0825a81783a38?hp=7a99295884aa2fb4d4e380b1751ebcba40f66cbb

Merge remote-tracking branch 'upstream/pull/5470'
---
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 32b53bad7..1ef49bf46 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -20,7 +20,7 @@ class ApplicationController < ActionController::Base
 helper_method :oauth_token
 def self.allow_thirdparty_images(**options)
- content_security_policy(options) do |policy|
+ content_security_policy(**options) do |policy|
 policy.img_src("*", :data)
 end
 end
diff --git a/app/controllers/diary_comments_controller.rb b/app/controllers/diary_comments_controller.rb
index f6597cf4c..676bc22a6 100644
--- a/app/controllers/diary_comments_controller.rb
+++ b/app/controllers/diary_comments_controller.rb
@@ -13,7 +13,7 @@ class DiaryCommentsController < ApplicationController
 before_action :lookup_user, :only => :index
 before_action :check_database_writable, :only => [:create, :hide, :unhide]
- allow_thirdparty_images :only => :index
+ allow_thirdparty_images :only => [:index, :create]
 def index
 @title = t ".title", :user => @user.display_name
diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index 26e8a5e09..cc5f6c56d 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -49,7 +49,7 @@ class MessagesController < ApplicationController
 elsif @message.save
 flash[:notice] = t ".message_sent"
 UserMailer.message_notification(@message).deliver_later if @message.notify_recipient?
- redirect_to messages_inbox_path
+ redirect_to messages_outbox_path
 else
 @title = t "messages.new.title"
 render :action => "new"
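Review bot: `allow_thirdparty_images` in app/controllers/application_controller.rb has no comment saying what its options control, although they decide which actions receive the relaxed `img-src * data:` policy. With the options forwarded as keywords they presumably reach Rails' filter options, so a call without `:only`/`:except` would loosen image loading for every action of the controller, including pages that render no user content. I would add above the `def`: `# Allows images from any origin and data: URIs; always pass :only/:except so the relaxation is limited to actions that render user-supplied markup.` The enclosing class starts and ends outside the hunk.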
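Review bot: The `:create` entry in `allow_thirdparty_images :only => [:index, :create]` (app/controllers/diary_comments_controller.rb) is not explained, and a write action carrying a relaxed image policy reads like a mistake to the next maintainer. Judging from the test hunk that asserts `assert_template :new` next to the header check, the reason seems to be that a rejected comment re-renders a page with user-supplied content; a comment such as `# :create re-renders user content when the comment is rejected` would record that. The `create` action itself is outside the hunk, so confirm which of its response paths actually render a page.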
diff --git a/test/controllers/diary_comments_controller_test.rb b/test/controllers/diary_comments_controller_test.rb
index 65a71a9b5..3ea9bc094 100644
--- a/test/controllers/diary_comments_controller_test.rb
+++ b/test/controllers/diary_comments_controller_test.rb
@@ -104,6 +104,7 @@ class DiaryCommentsControllerTest < ActionDispatch::IntegrationTest
 end
 assert_response :success
 assert_template :new
+ assert_match(/img-src \* data:;/, @response.headers["Content-Security-Policy-Report-Only"])
 # Now try again with the right id
 assert_difference "ActionMailer::Base.deliveries.size", entry.subscribers.count do
diff --git a/test/controllers/messages_controller_test.rb b/test/controllers/messages_controller_test.rb
index 924990892..b2bb71b1c 100644
--- a/test/controllers/messages_controller_test.rb
+++ b/test/controllers/messages_controller_test.rb
@@ -163,7 +163,7 @@ class MessagesControllerTest < ActionDispatch::IntegrationTest
 end
 end
 end
- assert_redirected_to messages_inbox_path
+ assert_redirected_to messages_outbox_path
 assert_equal "Message sent", flash[:notice]
 e = ActionMailer::Base.deliveries.first
 assert_equal [recipient_user.email], e.to
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
index ba1af9509..7b554711f 100644
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@@ -57,6 +57,8 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 get user_new_path, :params => { :cookie_test => "true" }
 assert_response :success
+ assert_no_match(/img-src \* data:;/, @response.headers["Content-Security-Policy-Report-Only"])
+
 assert_select "html", :count => 1 do
 assert_select "head", :count => 1 do
 assert_select "title", :text => /Sign Up/, :count => 1
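Review bot: The `assert_no_match` added in the first hunk of test/controllers/users_controller_test.rb also passes when the `Content-Security-Policy-Report-Only` header is missing, because a regexp matched against `nil` yields no match. If the policy is ever switched from report-only to enforcing, or the header is dropped, this negative check keeps passing without testing anything, while the positive `assert_match` checks in this file and in diary_comments_controller_test.rb would fail loudly. Add `assert_not_nil @response.headers["Content-Security-Policy-Report-Only"]` before the `assert_no_match` line. The test method starts and ends outside the hunk.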
@@ -297,6 +299,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 get user_path(user)
 assert_response :success
+ assert_match(/img-src \* data:;/, @response.headers["Content-Security-Policy-Report-Only"])
 assert_select "div.content-heading" do
 assert_select "a[href^='/user/#{ERB::Util.u(user.display_name)}/history']", 1
 assert_select "a[href='/user/#{ERB::Util.u(user.display_name)}/traces']", 1