]> git.openstreetmap.org Git - rails.git/blobdiff - app/controllers/application_controller.rb
Merge remote-tracking branch 'upstream/pull/2073'
[rails.git] / app / controllers / application_controller.rb
index 1df6dd7d14cf41e1fad3ac04eb4512fe231eec13..b9cf449ea2f3ffce06bd9d219b33f8f31b6b11e5 100644 (file)
@@ -414,9 +414,9 @@ class ApplicationController < ActionController::Base
     append_content_security_policy_directives(
       :child_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112],
       :frame_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112],
-      :connect_src => %w[nominatim.openstreetmap.org overpass-api.de router.project-osrm.org graphhopper.com],
+      :connect_src => [NOMINATIM_URL, OVERPASS_URL, OSRM_URL, GRAPHHOPPER_URL],
       :form_action => %w[render.openstreetmap.org],
-      :script_src => %w[open.mapquestapi.com],
+      :script_src => [MAPQUEST_DIRECTIONS_URL],
       :img_src => %w[developer.mapquest.com]
     )
 
@@ -477,20 +477,54 @@ class ApplicationController < ActionController::Base
     end
   end
 
-  def deny_access(_exception)
+  def deny_access(exception)
+    if @api_deny_access_handling
+      api_deny_access(exception)
+    else
+      web_deny_access(exception)
+    end
+  end
+
+  def web_deny_access(_exception)
     if current_token
       set_locale
       report_error t("oauth.permissions.missing"), :forbidden
     elsif current_user
       set_locale
-      report_error t("application.permission_denied"), :forbidden
+      respond_to do |format|
+        format.html { redirect_to :controller => "errors", :action => "forbidden" }
+        format.any { report_error t("application.permission_denied"), :forbidden }
+      end
     elsif request.get?
-      redirect_to :controller => "users", :action => "login", :referer => request.fullpath
+      respond_to do |format|
+        format.html { redirect_to :controller => "users", :action => "login", :referer => request.fullpath }
+        format.any { head :forbidden }
+      end
     else
       head :forbidden
     end
   end
 
+  def api_deny_access(_exception)
+    if current_token
+      set_locale
+      report_error t("oauth.permissions.missing"), :forbidden
+    elsif current_user
+      head :forbidden
+    else
+      realm = "Web Password"
+      errormessage = "Couldn't authenticate you"
+      response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
+      render :plain => errormessage, :status => :unauthorized
+    end
+  end
+
+  attr_accessor :api_access_handling
+
+  def api_deny_access_handler
+    @api_deny_access_handling = true
+  end
+
   private
 
   # extract authorisation credentials from headers, returns user = nil if none