skip_before_filter :verify_authenticity_token, :only => [:api_read, :api_details, :api_gpx_files]
before_filter :disable_terms_redirect, :only => [:terms, :save, :logout, :api_details]
skip_before_filter :verify_authenticity_token, :only => [:api_read, :api_details, :api_gpx_files]
before_filter :disable_terms_redirect, :only => [:terms, :save, :logout, :api_details]
before_filter :authorize_web, :except => [:api_read, :api_details, :api_gpx_files]
before_filter :set_locale, :except => [:api_read, :api_details, :api_gpx_files]
before_filter :require_user, :only => [:account, :go_public, :make_friend, :remove_friend]
before_filter :authorize_web, :except => [:api_read, :api_details, :api_gpx_files]
before_filter :set_locale, :except => [:api_read, :api_details, :api_gpx_files]
before_filter :require_user, :only => [:account, :go_public, :make_friend, :remove_friend]
before_filter :check_database_readable, :except => [:login, :api_read, :api_details, :api_gpx_files]
before_filter :check_database_writable, :only => [:new, :account, :confirm, :confirm_email, :lost_password, :reset_password, :go_public, :make_friend, :remove_friend]
before_filter :check_api_readable, :only => [:api_read, :api_details, :api_gpx_files]
before_filter :check_database_readable, :except => [:login, :api_read, :api_details, :api_gpx_files]
before_filter :check_database_writable, :only => [:new, :account, :confirm, :confirm_email, :lost_password, :reset_password, :go_public, :make_friend, :remove_friend]
before_filter :check_api_readable, :only => [:api_read, :api_details, :api_gpx_files]
# Already agreed to terms, so just show settings
redirect_to :action => :account, :display_name => @user.display_name
# Already agreed to terms, so just show settings
redirect_to :action => :account, :display_name => @user.display_name
- editor = Rack::Utils.parse_query(uri.query).slice('editor')
- referer = welcome_path({'zoom' => m[1],
- 'lat' => m[2],
- 'lon' => m[3]}.merge(editor))
+ editor = Rack::Utils.parse_query(uri.query).slice("editor")
+ referer = welcome_path({ "zoom" => m[1],
+ "lat" => m[2],
+ "lon" => m[3] }.merge(editor))
- Notifier.signup_confirm(@user, @user.tokens.create(:referer => referer)).deliver
- redirect_to :action => 'confirm', :display_name => @user.display_name
+ Notifier.signup_confirm(@user, @user.tokens.create(:referer => referer)).deliver_now
+ redirect_to :action => "confirm", :display_name => @user.display_name
- if params[:user] and params[:user][:display_name] and params[:user][:description]
- if params[:user][:openid_url] and
- params[:user][:openid_url].length > 0 and
+ if params[:user] && params[:user][:display_name] && params[:user][:description]
+ if params[:user][:openid_url] &&
+ params[:user][:openid_url].length > 0 &&
params[:user][:openid_url] != @user.openid_url
# If the OpenID has changed, we want to check that it is a
# valid OpenID and one the user has control over before saving
params[:user][:openid_url] != @user.openid_url
# If the OpenID has changed, we want to check that it is a
# valid OpenID and one the user has control over before saving
- flash[:notice] = t 'user.go_public.flash success'
- redirect_to :controller => 'user', :action => 'account', :display_name => @user.display_name
+ flash[:notice] = t "user.go_public.flash success"
+ redirect_to :controller => "user", :action => "account", :display_name => @user.display_name
user = User.visible.find_by_email(params[:user][:email])
if user.nil?
users = User.visible.where("LOWER(email) = LOWER(?)", params[:user][:email])
user = User.visible.find_by_email(params[:user][:email])
if user.nil?
users = User.visible.where("LOWER(email) = LOWER(?)", params[:user][:email])
- Notifier.lost_password(user, token).deliver
- flash[:notice] = t 'user.lost_password.notice email on way'
- redirect_to :action => 'login'
+ Notifier.lost_password(user, token).deliver_now
+ flash[:notice] = t "user.lost_password.notice email on way"
+ redirect_to :action => "login"
end
elsif params.key?(:openid)
@user = User.new(:email => params[:email],
end
elsif params.key?(:openid)
@user = User.new(:email => params[:email],
:display_name => params[:nickname],
:openid_url => params[:openid])
:display_name => params[:nickname],
:openid_url => params[:openid])
- Notifier.signup_confirm(user, user.tokens.create).deliver
- flash[:notice] = t 'user.confirm_resend.success', :email => user.email
+ Notifier.signup_confirm(user, user.tokens.create).deliver_now
+ flash[:notice] = t "user.confirm_resend.success", :email => user.email
- flash[:error] = t 'user.confirm_email.failure'
- redirect_to :action => 'account', :display_name => @user.display_name
+ flash[:error] = t "user.confirm_email.failure"
+ redirect_to :action => "account", :display_name => @user.display_name
- flash[:notice] = t 'user.make_friend.success', :name => @new_friend.display_name
- Notifier.friend_notification(friend).deliver
+ flash[:notice] = t "user.make_friend.success", :name => @new_friend.display_name
+ Notifier.friend_notification(friend).deliver_now
if request.post?
if @user.is_friends_with?(@friend)
Friend.delete_all "user_id = #{@user.id} AND friend_user_id = #{@friend.id}"
if request.post?
if @user.is_friends_with?(@friend)
Friend.delete_all "user_id = #{@user.id} AND friend_user_id = #{@friend.id}"
User.update_all("status = 'confirmed'", :id => ids) if params[:confirm]
User.update_all("status = 'deleted'", :id => ids) if params[:hide]
redirect_to url_for(:status => params[:status], :ip => params[:ip], :page => params[:page])
else
User.update_all("status = 'confirmed'", :id => ids) if params[:confirm]
User.update_all("status = 'deleted'", :id => ids) if params[:hide]
redirect_to url_for(:status => params[:status], :ip => params[:ip], :page => params[:page])
else
conditions[:status] = params[:status] if params[:status]
conditions[:creation_ip] = params[:ip] if params[:ip]
conditions[:status] = params[:status] if params[:status]
conditions[:creation_ip] = params[:ip] if params[:ip]
elsif user = User.authenticate(:username => username, :password => password, :pending => true)
unconfirmed_login(user)
elsif User.authenticate(:username => username, :password => password, :suspended => true)
elsif user = User.authenticate(:username => username, :password => password, :pending => true)
unconfirmed_login(user)
elsif User.authenticate(:username => username, :password => password, :suspended => true)
def openid_authentication(openid_url)
# If we don't appear to have a user for this URL then ask the
# provider for some extra information to help with signup
def openid_authentication(openid_url)
# If we don't appear to have a user for this URL then ask the
# provider for some extra information to help with signup
required = nil
else
required = [:nickname, :email, "http://axschema.org/namePerson/friendly", "http://axschema.org/contact/email"]
required = nil
else
required = [:nickname, :email, "http://axschema.org/namePerson/friendly", "http://axschema.org/contact/email"]
# provider do we know the unique address for the user.
if user = User.find_by_openid_url(identity_url)
case user.status
# provider do we know the unique address for the user.
if user = User.find_by_openid_url(identity_url)
case user.status
- when "pending" then
- unconfirmed_login(user)
- when "active", "confirmed" then
- successful_login(user)
- when "suspended" then
- failed_login t('user.login.account is suspended', :webmaster => "mailto:webmaster@openstreetmap.org")
- else
- failed_login t('user.login.auth failure')
+ when "pending" then
+ unconfirmed_login(user)
+ when "active", "confirmed" then
+ successful_login(user)
+ when "suspended" then
+ failed_login t("user.login.account is suspended", :webmaster => "mailto:webmaster@openstreetmap.org")
+ else
+ failed_login t("user.login.auth failure")
# We don't have a user registered to this OpenID, so redirect
# to the create account page with username and email filled
# We don't have a user registered to this OpenID, so redirect
# to the create account page with username and email filled
nickname = sreg["nickname"] || ax["http://axschema.org/namePerson/friendly"].first
email = sreg["email"] || ax["http://axschema.org/contact/email"].first
nickname = sreg["nickname"] || ax["http://axschema.org/namePerson/friendly"].first
email = sreg["email"] || ax["http://axschema.org/contact/email"].first
- redirect_to :controller => 'user', :action => 'new', :nickname => nickname, :email => email, :openid => identity_url
+ redirect_to :controller => "user", :action => "new", :nickname => nickname, :email => email, :openid => identity_url
# Do we trust the emails this provider returns?
if openid_email_verified(identity_url)
# Guard against not getting any extension data
# Do we trust the emails this provider returns?
if openid_email_verified(identity_url)
# Guard against not getting any extension data
user.openid_url = identity_url
yield user, verified_email
elsif result.missing?
user.openid_url = identity_url
yield user, verified_email
elsif result.missing?
# Special case gmail.com as it is potentially a popular OpenID
# provider and, unlike yahoo.com, where it works automatically, Google
# have hidden their OpenID endpoint somewhere obscure this making it
# somewhat less user friendly.
# Special case gmail.com as it is potentially a popular OpenID
# provider and, unlike yahoo.com, where it works automatically, Google
# have hidden their OpenID endpoint somewhere obscure this making it
# somewhat less user friendly.
# check if we trust an OpenID provider to return a verified
# email, so that we can skpi verifying it ourselves
def openid_email_verified(openid_url)
# check if we trust an OpenID provider to return a verified
# email, so that we can skpi verifying it ourselves
def openid_email_verified(openid_url)
- openid_url.match(/https:\/\/www.google.com\/accounts\/o8\/id?(.*)/) or
- openid_url.match(/https:\/\/me.yahoo.com\/(.*)/)
+ openid_url.match(/https:\/\/www.google.com\/accounts\/o8\/id?(.*)/) ||
+ openid_url.match(/https:\/\/me.yahoo.com\/(.*)/)
# - If they have a block on them, show them that.
# - If they were referred to the login, send them back there.
# - Otherwise, send them to the home page.
# - If they have a block on them, show them that.
# - If they were referred to the login, send them back there.
# - Otherwise, send them to the home page.
redirect_to :controller => :user, :action => :terms, :referer => target
elsif user.blocked_on_view
redirect_to user.blocked_on_view, :referer => target
redirect_to :controller => :user, :action => :terms, :referer => target
elsif user.blocked_on_view
redirect_to user.blocked_on_view, :referer => target
user.pass_crypt = params[:user][:pass_crypt]
user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
end
user.pass_crypt = params[:user][:pass_crypt]
user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
end
- cookies.permanent["_osm_username"] = user.display_name
-
- if user.new_email.blank?
- flash.now[:notice] = t 'user.account.flash update success'
+ if user.new_email.blank? || user.new_email == user.email
+ flash.now[:notice] = t "user.account.flash update success"
# require that the user is a administrator, or fill out a helpful error message
# and return them to the user page.
def require_administrator
# require that the user is a administrator, or fill out a helpful error message
# and return them to the user page.
def require_administrator
- elsif not @user
- redirect_to :controller => 'user', :action => 'login', :referer => request.fullpath
+ elsif !@user
+ redirect_to :controller => "user", :action => "login", :referer => request.fullpath
+ end
+ end
+
+ ##
+ # require that the user in the URL is the logged in user
+ def require_self
+ if params[:display_name] != @user.display_name
+ render :text => "", :status => :forbidden
- redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name] unless @this_user
- end
-
- ##
- # Choose the layout to use. See
- # https://rails.lighthouseapp.com/projects/8994/tickets/5371-layout-with-onlyexcept-options-makes-other-actions-render-without-layouts
- def choose_layout
- oauth_url = url_for(:controller => :oauth, :action => :authorize, :only_path => true)
-
- if [ 'api_details' ].include? action_name
- nil
- elsif params[:referer] and URI.parse(params[:referer]).path == oauth_url
- 'slim'
- else
- 'site'
- end
+ redirect_to :controller => "user", :action => "view", :display_name => params[:display_name] unless @this_user
+
+ ##
+ # return permitted user parameters
+ def user_params
+ params.require(:user).permit(:email, :email_confirmation, :display_name, :openid_url, :pass_crypt, :pass_crypt_confirmation)
+ end
+
+ ##
+ # check signup acls
+ def check_signup_allowed(email = nil)
+ if email.nil?
+ domain = nil
+ else
+ domain = email.split("@").last
+ end
+
+ if blocked = Acl.no_account_creation(request.remote_ip, domain)
+ logger.info "Blocked signup from #{request.remote_ip} for #{email}"
+
+ render :action => "blocked"
+ end
+
+ !blocked
+ end