+ ##
+ # wrap an api call in a timeout
+ def api_call_timeout(&block)
+ Timeout.timeout(Settings.api_timeout, Timeout::Error, &block)
+ rescue Timeout::Error
+ raise OSM::APITimeoutError
+ end
+
+ ##
+ # wrap a web page in a timeout
+ def web_timeout(&block)
+ Timeout.timeout(Settings.web_timeout, Timeout::Error, &block)
+ rescue ActionView::Template::Error => e
+ e = e.cause
+
+ if e.is_a?(Timeout::Error) ||
+ (e.is_a?(ActiveRecord::StatementInvalid) && e.message.include?("execution expired"))
+ render :action => "timeout"
+ else
+ raise
+ end
+ rescue Timeout::Error
+ render :action => "timeout"
+ end
+
+ ##
+ # ensure that there is a "user" instance variable
+ def lookup_user
+ render_unknown_user params[:display_name] unless @user = User.active.find_by(:display_name => params[:display_name])
+ end
+
+ ##
+ # render a "no such user" page
+ def render_unknown_user(name)
+ @title = t "users.no_such_user.title"
+ @not_found_user = name
+
+ respond_to do |format|
+ format.html { render :template => "users/no_such_user", :status => :not_found }
+ format.all { head :not_found }
+ end
+ end
+
+ ##
+ # Unfortunately if a PUT or POST request that has a body fails to
+ # read it then Apache will sometimes fail to return the response it
+ # is given to the client properly, instead erroring:
+ #
+ # https://issues.apache.org/bugzilla/show_bug.cgi?id=44782
+ #
+ # To work round this we call rewind on the body here, which is added
+ # as a filter, to force it to be fetched from Apache into a file.
+ def fetch_body
+ request.body.rewind
+ end
+
+ def map_layout
+ append_content_security_policy_directives(
+ :child_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112],
+ :frame_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112],
+ :connect_src => [Settings.nominatim_url, Settings.overpass_url, Settings.fossgis_osrm_url, Settings.graphhopper_url],
+ :form_action => %w[render.openstreetmap.org],
+ :style_src => %w['unsafe-inline']
+ )
+
+ case Settings.status
+ when "database_offline", "api_offline"
+ flash.now[:warning] = t("layouts.osm_offline")
+ when "database_readonly", "api_readonly"
+ flash.now[:warning] = t("layouts.osm_read_only")
+ end
+
+ request.xhr? ? "xhr" : "map"
+ end
+
+ def allow_thirdparty_images
+ append_content_security_policy_directives(:img_src => %w[*])
+ end
+
+ def preferred_editor
+ if params[:editor]
+ params[:editor]
+ elsif current_user&.preferred_editor
+ current_user.preferred_editor
+ else
+ Settings.default_editor
+ end
+ end
+
+ helper_method :preferred_editor
+
+ def update_totp
+ if Settings.key?(:totp_key)
+ cookies["_osm_totp_token"] = {
+ :value => ROTP::TOTP.new(Settings.totp_key, :interval => 3600).now,
+ :domain => "openstreetmap.org",
+ :expires => 1.hour.from_now
+ }
+ end
+ end
+
+ def better_errors_allow_inline
+ yield
+ rescue StandardError
+ append_content_security_policy_directives(
+ :script_src => %w['unsafe-inline'],
+ :style_src => %w['unsafe-inline']
+ )
+
+ raise
+ end
+
+ def current_ability
+ Ability.new(current_user)
+ end
+
+ def deny_access(_exception)
+ if current_token
+ set_locale
+ report_error t("oauth.permissions.missing"), :forbidden
+ elsif current_user
+ set_locale
+ respond_to do |format|
+ format.html { redirect_to :controller => "errors", :action => "forbidden" }
+ format.any { report_error t("application.permission_denied"), :forbidden }
+ end
+ elsif request.get?
+ respond_to do |format|
+ format.html { redirect_to login_path(:referer => request.fullpath) }
+ format.any { head :forbidden }
+ end
+ else
+ head :forbidden