X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/47362f432a9bd10196b27aa1667e6166b76f4b66..12ac6f8f27dfe63d9674fba54862db13a9e6d89a:/app/controllers/application_controller.rb?ds=inline diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index d22a031d4..f5accc3c4 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -10,6 +10,8 @@ class ApplicationController < ActionController::Base rescue_from CanCan::AccessDenied, :with => :deny_access check_authorization + rescue_from RailsParam::InvalidParameterError, :with => :invalid_parameter + before_action :fetch_body around_action :better_errors_allow_inline, :if => proc { Rails.env.development? } @@ -22,7 +24,7 @@ class ApplicationController < ActionController::Base def authorize_web if session[:user] - self.current_user = User.where(:id => session[:user]).where("status IN ('active', 'confirmed', 'suspended')").first + self.current_user = User.find_by(:id => session[:user], :status => %w[active confirmed suspended]) if session[:fingerprint] && session[:fingerprint] != current_user.fingerprint @@ -44,8 +46,6 @@ class ApplicationController < ActionController::Base redirect_to :controller => "users", :action => "terms", :referer => request.fullpath end end - elsif session[:token] - session[:user] = current_user.id if self.current_user = User.authenticate(:token => session[:token]) end session[:fingerprint] = current_user.fingerprint if current_user && session[:fingerprint].nil? @@ -69,6 +69,10 @@ class ApplicationController < ActionController::Base @oauth_token = current_user.oauth_token(Settings.oauth_application) if current_user && Settings.key?(:oauth_application) end + def require_oauth_10a_support + report_error t("application.oauth_10a_disabled", :link => t("application.auth_disabled_link")), :forbidden unless Settings.oauth_10a_support + end + ## # require the user to have cookies enabled in their browser def require_cookies @@ -199,7 +203,7 @@ class ApplicationController < ActionController::Base ## # wrap a web page in a timeout def web_timeout(&block) - Timeout.timeout(Settings.web_timeout, Timeout::Error, &block) + Timeout.timeout(Settings.web_timeout, &block) rescue ActionView::Template::Error => e e = e.cause @@ -215,24 +219,6 @@ class ApplicationController < ActionController::Base render :action => "timeout" end - ## - # ensure that there is a "user" instance variable - def lookup_user - render_unknown_user params[:display_name] unless @user = User.active.find_by(:display_name => params[:display_name]) - end - - ## - # render a "no such user" page - def render_unknown_user(name) - @title = t "users.no_such_user.title" - @not_found_user = name - - respond_to do |format| - format.html { render :template => "users/no_such_user", :status => :not_found } - format.all { head :not_found } - end - end - ## # Unfortunately if a PUT or POST request that has a body fails to # read it then Apache will sometimes fail to return the response it @@ -326,6 +312,17 @@ class ApplicationController < ActionController::Base end end + def invalid_parameter(_exception) + if request.get? + respond_to do |format| + format.html { redirect_to :controller => "/errors", :action => "bad_request" } + format.any { head :bad_request } + end + else + head :bad_request + end + end + # extract authorisation credentials from headers, returns user = nil if none def auth_data if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it