X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/226e2d654af2ddb843d39d80a25c2501ff016de3..6704a6a0dcc3e0da2188003027b2b6e881fb521b:/app/controllers/application_controller.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index d22a031d4..c6223fb9d 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -10,19 +10,38 @@ class ApplicationController < ActionController::Base rescue_from CanCan::AccessDenied, :with => :deny_access check_authorization + rescue_from RailsParam::InvalidParameterError, :with => :invalid_parameter + before_action :fetch_body - around_action :better_errors_allow_inline, :if => proc { Rails.env.development? } attr_accessor :current_user, :oauth_token helper_method :current_user helper_method :oauth_token + def self.allow_thirdparty_images(**options) + content_security_policy(options) do |policy| + policy.img_src("*") + end + end + + def self.allow_social_login(**options) + content_security_policy(options) do |policy| + policy.form_action(*policy.form_action, "accounts.google.com", "*.facebook.com", "login.microsoftonline.com", "github.com", "meta.wikimedia.org") + end + end + + def self.allow_all_form_action(**options) + content_security_policy(options) do |policy| + policy.form_action(nil) + end + end + private def authorize_web if session[:user] - self.current_user = User.where(:id => session[:user]).where("status IN ('active', 'confirmed', 'suspended')").first + self.current_user = User.find_by(:id => session[:user], :status => %w[active confirmed suspended]) if session[:fingerprint] && session[:fingerprint] != current_user.fingerprint @@ -44,8 +63,6 @@ class ApplicationController < ActionController::Base redirect_to :controller => "users", :action => "terms", :referer => request.fullpath end end - elsif session[:token] - session[:user] = current_user.id if self.current_user = User.authenticate(:token => session[:token]) end session[:fingerprint] = current_user.fingerprint if current_user && session[:fingerprint].nil? @@ -69,6 +86,10 @@ class ApplicationController < ActionController::Base @oauth_token = current_user.oauth_token(Settings.oauth_application) if current_user && Settings.key?(:oauth_application) end + def require_oauth_10a_support + report_error t("application.oauth_10a_disabled", :link => t("application.auth_disabled_link")), :forbidden unless Settings.oauth_10a_support + end + ## # require the user to have cookies enabled in their browser def require_cookies @@ -160,7 +181,7 @@ class ApplicationController < ActionController::Base # TODO: some sort of escaping of problem characters in the message response.headers["Error"] = message - if request.headers["X-Error-Format"]&.casecmp("xml")&.zero? + if request.headers["X-Error-Format"]&.casecmp?("xml") result = OSM::API.new.xml_doc result.root.name = "osmError" result.root << (XML::Node.new("status") << "#{Rack::Utils.status_code(status)} #{Rack::Utils::HTTP_STATUS_CODES[status]}") @@ -199,7 +220,7 @@ class ApplicationController < ActionController::Base ## # wrap a web page in a timeout def web_timeout(&block) - Timeout.timeout(Settings.web_timeout, Timeout::Error, &block) + Timeout.timeout(Settings.web_timeout, &block) rescue ActionView::Template::Error => e e = e.cause @@ -215,24 +236,6 @@ class ApplicationController < ActionController::Base render :action => "timeout" end - ## - # ensure that there is a "user" instance variable - def lookup_user - render_unknown_user params[:display_name] unless @user = User.active.find_by(:display_name => params[:display_name]) - end - - ## - # render a "no such user" page - def render_unknown_user(name) - @title = t "users.no_such_user.title" - @not_found_user = name - - respond_to do |format| - format.html { render :template => "users/no_such_user", :status => :not_found } - format.all { head :not_found } - end - end - ## # Unfortunately if a PUT or POST request that has a body fails to # read it then Apache will sometimes fail to return the response it @@ -247,13 +250,15 @@ class ApplicationController < ActionController::Base end def map_layout - append_content_security_policy_directives( - :child_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112], - :frame_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112], - :connect_src => [Settings.nominatim_url, Settings.overpass_url, Settings.fossgis_osrm_url, Settings.graphhopper_url, Settings.fossgis_valhalla_url], - :form_action => %w[render.openstreetmap.org], - :style_src => %w['unsafe-inline'] - ) + policy = request.content_security_policy.clone + + policy.child_src(*policy.child_src, "http://127.0.0.1:8111", "https://127.0.0.1:8112") + policy.frame_src(*policy.frame_src, "http://127.0.0.1:8111", "https://127.0.0.1:8112") + policy.connect_src(*policy.connect_src, Settings.nominatim_url, Settings.overpass_url, Settings.fossgis_osrm_url, Settings.graphhopper_url, Settings.fossgis_valhalla_url) + policy.form_action(*policy.form_action, "render.openstreetmap.org") + policy.style_src(*policy.style_src, :unsafe_inline) + + request.content_security_policy = policy case Settings.status when "database_offline", "api_offline" @@ -265,10 +270,6 @@ class ApplicationController < ActionController::Base request.xhr? ? "xhr" : "map" end - def allow_thirdparty_images - append_content_security_policy_directives(:img_src => %w[*]) - end - def preferred_editor if params[:editor] params[:editor] @@ -291,17 +292,6 @@ class ApplicationController < ActionController::Base end end - def better_errors_allow_inline - yield - rescue StandardError - append_content_security_policy_directives( - :script_src => %w['unsafe-inline'], - :style_src => %w['unsafe-inline'] - ) - - raise - end - def current_ability Ability.new(current_user) end @@ -326,6 +316,17 @@ class ApplicationController < ActionController::Base end end + def invalid_parameter(_exception) + if request.get? + respond_to do |format| + format.html { redirect_to :controller => "/errors", :action => "bad_request" } + format.any { head :bad_request } + end + else + head :bad_request + end + end + # extract authorisation credentials from headers, returns user = nil if none def auth_data if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it