X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/424b6ef1cf760c4a3e27ac1e6f612ae42a9cd493..d5e6acaaceb5e74a76369bdfb9413d26ba99e721:/app/controllers/application_controller.rb?ds=sidebyside diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index a24df48e0..f35493b26 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -4,6 +4,7 @@ class ApplicationController < ActionController::Base protect_from_forgery :with => :exception before_action :fetch_body + around_action :better_errors_allow_inline, :if => proc { Rails.env.development? } attr_accessor :current_user helper_method :current_user @@ -175,7 +176,7 @@ class ApplicationController < ActionController::Base end def authorize(realm = "Web Password", errormessage = "Couldn't authenticate you") - # make the @user object from any auth sources we have + # make the current_user object from any auth sources we have setup_user_auth # handle authenticate pass/fail @@ -282,8 +283,7 @@ class ApplicationController < ActionController::Base # TODO: some sort of escaping of problem characters in the message response.headers["Error"] = message - if request.headers["X-Error-Format"] && - request.headers["X-Error-Format"].casecmp("xml").zero? + if request.headers["X-Error-Format"]&.casecmp("xml")&.zero? result = OSM::API.new.get_xml_doc result.root.name = "osmError" result.root << (XML::Node.new("status") << "#{Rack::Utils.status_code(status)} #{Rack::Utils::HTTP_STATUS_CODES[status]}") @@ -295,25 +295,26 @@ class ApplicationController < ActionController::Base end end - def preferred_languages - @languages ||= if params[:locale] - Locale.list(params[:locale]) - elsif current_user - current_user.preferred_languages - else - Locale.list(http_accept_language.user_preferred_languages) - end + def preferred_languages(reset = false) + @preferred_languages = nil if reset + @preferred_languages ||= if params[:locale] + Locale.list(params[:locale]) + elsif current_user + current_user.preferred_languages + else + Locale.list(http_accept_language.user_preferred_languages) + end end helper_method :preferred_languages - def set_locale - if current_user && current_user.languages.empty? && !http_accept_language.user_preferred_languages.empty? + def set_locale(reset = false) + if current_user&.languages&.empty? && !http_accept_language.user_preferred_languages.empty? current_user.languages = http_accept_language.user_preferred_languages current_user.save end - I18n.locale = Locale.available.preferred(preferred_languages) + I18n.locale = Locale.available.preferred(preferred_languages(reset)) response.headers["Vary"] = "Accept-Language" response.headers["Content-Language"] = I18n.locale.to_s @@ -377,9 +378,9 @@ class ApplicationController < ActionController::Base end ## - # ensure that there is a "this_user" instance variable - def lookup_this_user - render_unknown_user params[:display_name] unless @this_user = User.active.find_by(:display_name => params[:display_name]) + # ensure that there is a "user" instance variable + def lookup_user + render_unknown_user params[:display_name] unless @user = User.active.find_by(:display_name => params[:display_name]) end ## @@ -409,10 +410,11 @@ class ApplicationController < ActionController::Base def map_layout append_content_security_policy_directives( - :child_src => %w[127.0.0.1:8111], - :connect_src => %w[nominatim.openstreetmap.org overpass-api.de router.project-osrm.org], + :child_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112], + :frame_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112], + :connect_src => %w[nominatim.openstreetmap.org overpass-api.de router.project-osrm.org graphhopper.com], :form_action => %w[render.openstreetmap.org], - :script_src => %w[graphhopper.com open.mapquestapi.com], + :script_src => %w[open.mapquestapi.com], :img_src => %w[developer.mapquest.com] ) @@ -432,7 +434,7 @@ class ApplicationController < ActionController::Base def preferred_editor editor = if params[:editor] params[:editor] - elsif current_user && current_user.preferred_editor + elsif current_user&.preferred_editor current_user.preferred_editor else DEFAULT_EDITOR @@ -453,6 +455,17 @@ class ApplicationController < ActionController::Base end end + def better_errors_allow_inline + yield + rescue StandardError + append_content_security_policy_directives( + :script_src => %w['unsafe-inline'], + :style_src => %w['unsafe-inline'] + ) + + raise + end + private # extract authorisation credentials from headers, returns user = nil if none