X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/727ee97a3f40f6b6d40546d1417f3a936692b755..6cde8c9b0c4220db3b5598a268c197e77258a8cc:/app/controllers/application_controller.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index db4ae9ad3..1df6dd7d1 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -3,6 +3,8 @@ class ApplicationController < ActionController::Base protect_from_forgery :with => :exception + rescue_from CanCan::AccessDenied, :with => :deny_access + before_action :fetch_body around_action :better_errors_allow_inline, :if => proc { Rails.env.development? } @@ -17,16 +19,16 @@ class ApplicationController < ActionController::Base session.delete(:user) session_expires_automatically - redirect_to :controller => "user", :action => "suspended" + redirect_to :controller => "users", :action => "suspended" # don't allow access to any auth-requiring part of the site unless # the new CTs have been seen (and accept/decline chosen). elsif !current_user.terms_seen && flash[:skip_terms].nil? - flash[:notice] = t "user.terms.you need to accept or decline" + flash[:notice] = t "users.terms.you need to accept or decline" if params[:referer] - redirect_to :controller => "user", :action => "terms", :referer => params[:referer] + redirect_to :controller => "users", :action => "terms", :referer => params[:referer] else - redirect_to :controller => "user", :action => "terms", :referer => request.fullpath + redirect_to :controller => "users", :action => "terms", :referer => request.fullpath end end elsif session[:token] @@ -41,7 +43,7 @@ class ApplicationController < ActionController::Base def require_user unless current_user if request.get? - redirect_to :controller => "user", :action => "login", :referer => request.fullpath + redirect_to :controller => "users", :action => "login", :referer => request.fullpath else head :forbidden end @@ -283,8 +285,7 @@ class ApplicationController < ActionController::Base # TODO: some sort of escaping of problem characters in the message response.headers["Error"] = message - if request.headers["X-Error-Format"] && - request.headers["X-Error-Format"].casecmp("xml").zero? + if request.headers["X-Error-Format"]&.casecmp("xml")&.zero? result = OSM::API.new.get_xml_doc result.root.name = "osmError" result.root << (XML::Node.new("status") << "#{Rack::Utils.status_code(status)} #{Rack::Utils::HTTP_STATUS_CODES[status]}") @@ -310,7 +311,7 @@ class ApplicationController < ActionController::Base helper_method :preferred_languages def set_locale(reset = false) - if current_user && current_user.languages.empty? && !http_accept_language.user_preferred_languages.empty? + if current_user&.languages&.empty? && !http_accept_language.user_preferred_languages.empty? current_user.languages = http_accept_language.user_preferred_languages current_user.save end @@ -387,11 +388,11 @@ class ApplicationController < ActionController::Base ## # render a "no such user" page def render_unknown_user(name) - @title = t "user.no_such_user.title" + @title = t "users.no_such_user.title" @not_found_user = name respond_to do |format| - format.html { render :template => "user/no_such_user", :status => :not_found } + format.html { render :template => "users/no_such_user", :status => :not_found } format.all { head :not_found } end end @@ -435,7 +436,7 @@ class ApplicationController < ActionController::Base def preferred_editor editor = if params[:editor] params[:editor] - elsif current_user && current_user.preferred_editor + elsif current_user&.preferred_editor current_user.preferred_editor else DEFAULT_EDITOR @@ -467,6 +468,29 @@ class ApplicationController < ActionController::Base raise end + def current_ability + # Add in capabilities from the oauth token if it exists and is a valid access token + if Authenticator.new(self, [:token]).allow? + Ability.new(current_user).merge(Capability.new(current_token)) + else + Ability.new(current_user) + end + end + + def deny_access(_exception) + if current_token + set_locale + report_error t("oauth.permissions.missing"), :forbidden + elsif current_user + set_locale + report_error t("application.permission_denied"), :forbidden + elsif request.get? + redirect_to :controller => "users", :action => "login", :referer => request.fullpath + else + head :forbidden + end + end + private # extract authorisation credentials from headers, returns user = nil if none