def self.allow_thirdparty_images(**options)
content_security_policy(options) do |policy|
- policy.img_src("*")
+ policy.img_src("*", :data)
end
end
@oauth_token = current_user.oauth_token(Settings.oauth_application) if current_user && Settings.key?(:oauth_application)
end
- def require_oauth_10a_support
- report_error t("application.oauth_10a_disabled", :link => t("application.auth_disabled_link")), :forbidden unless Settings.oauth_10a_support
- end
-
##
# require the user to have cookies enabled in their browser
def require_cookies
# TODO: some sort of escaping of problem characters in the message
response.headers["Error"] = message
- if request.headers["X-Error-Format"]&.casecmp("xml")&.zero?
+ if request.headers["X-Error-Format"]&.casecmp?("xml")
result = OSM::API.new.xml_doc
result.root.name = "osmError"
result.root << (XML::Node.new("status") << "#{Rack::Utils.status_code(status)} #{Rack::Utils::HTTP_STATUS_CODES[status]}")
##
# wrap a web page in a timeout
- def web_timeout(&block)
- Timeout.timeout(Settings.web_timeout, &block)
+ def web_timeout(&)
+ raise Timeout::Error if Settings.web_timeout.negative?
+
+ Timeout.timeout(Settings.web_timeout, &)
rescue ActionView::Template::Error => e
e = e.cause
if e.is_a?(Timeout::Error) ||
(e.is_a?(ActiveRecord::StatementInvalid) && e.message.include?("execution expired"))
- ActiveRecord::Base.connection.raw_connection.cancel
- render :action => "timeout"
+ respond_to_timeout
else
raise
end
rescue Timeout::Error
+ respond_to_timeout
+ end
+
+ def respond_to_timeout
ActiveRecord::Base.connection.raw_connection.cancel
- render :action => "timeout"
+ render :action => "timeout", :status => :gateway_timeout
end
##
def map_layout
policy = request.content_security_policy.clone
- policy.child_src(*policy.child_src, "http://127.0.0.1:8111", "https://127.0.0.1:8112")
- policy.frame_src(*policy.frame_src, "http://127.0.0.1:8111", "https://127.0.0.1:8112")
- policy.connect_src(*policy.connect_src, Settings.nominatim_url, Settings.overpass_url, Settings.fossgis_osrm_url, Settings.graphhopper_url, Settings.fossgis_valhalla_url)
+ policy.connect_src(*policy.connect_src, "http://127.0.0.1:8111", Settings.nominatim_url, Settings.overpass_url, Settings.fossgis_osrm_url, Settings.graphhopper_url, Settings.fossgis_valhalla_url)
policy.form_action(*policy.form_action, "render.openstreetmap.org")
policy.style_src(*policy.style_src, :unsafe_inline)
end
end
- helper_method :preferred_editor
+ def preferred_color_scheme(subject)
+ if current_user
+ current_user.preferences.find_by(:k => "#{subject}.color_scheme")&.v || "auto"
+ else
+ "auto"
+ end
+ end
+
+ helper_method :preferred_editor, :preferred_color_scheme
def update_totp
if Settings.key?(:totp_key)
end
def deny_access(_exception)
- if doorkeeper_token || current_token
+ if doorkeeper_token
set_locale
report_error t("oauth.permissions.missing"), :forbidden
elsif current_user
end
end
- # extract authorisation credentials from headers, returns user = nil if none
- def auth_data
- if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it
- authdata = request.env["X-HTTP_AUTHORIZATION"].to_s.split
- elsif request.env.key? "REDIRECT_X_HTTP_AUTHORIZATION" # mod_fcgi
- authdata = request.env["REDIRECT_X_HTTP_AUTHORIZATION"].to_s.split
- elsif request.env.key? "HTTP_AUTHORIZATION" # regular location
- authdata = request.env["HTTP_AUTHORIZATION"].to_s.split
- end
- # only basic authentication supported
- user, pass = Base64.decode64(authdata[1]).split(":", 2) if authdata && authdata[0] == "Basic"
- [user, pass]
- end
-
- # override to stop oauth plugin sending errors
- def invalid_oauth_response; end
-
# clean any referer parameter
def safe_referer(referer)
begin
end
def scope_enabled?(scope)
- doorkeeper_token&.includes_scope?(scope) || current_token&.includes_scope?(scope)
+ doorkeeper_token&.includes_scope?(scope)
end
helper_method :scope_enabled?