X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/8f70fb21146b1e8b90125e02d54e70bceea1d5fd..1e30edba53f179fb06a1233b245252d1d5a8ead1:/app/controllers/application_controller.rb?ds=sidebyside diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index b9cf449ea..38758e1df 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -118,24 +118,6 @@ class ApplicationController < ActionController::Base require_capability(:allow_write_gpx) end - def require_allow_write_notes - require_capability(:allow_write_notes) - end - - ## - # require that the user is a moderator, or fill out a helpful error message - # and return them to the index for the controller this is wrapped from. - def require_moderator - unless current_user.moderator? - if request.get? - flash[:error] = t("application.require_moderator.not_a_moderator") - redirect_to :action => "index" - else - head :forbidden - end - end - end - ## # sets up the current_user for use by other methods. this is mostly called # from the authorize method, but can be called elsewhere if authorisation @@ -193,11 +175,6 @@ class ApplicationController < ActionController::Base ## # to be used as a before_filter *after* authorize. this checks that # the user is a moderator and, if not, returns a forbidden error. - # - # NOTE: this isn't a very good way of doing it - it duplicates logic - # from require_moderator - but what we really need to do is a fairly - # drastic refactoring based on :format and respond_to? but not a - # good idea to do that in this branch. def authorize_moderator(errormessage = "Access restricted to moderators") # check user is a moderator unless current_user.moderator? @@ -416,6 +393,7 @@ class ApplicationController < ActionController::Base :frame_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112], :connect_src => [NOMINATIM_URL, OVERPASS_URL, OSRM_URL, GRAPHHOPPER_URL], :form_action => %w[render.openstreetmap.org], + :style_src => %w['unsafe-inline'], :script_src => [MAPQUEST_DIRECTIONS_URL], :img_src => %w[developer.mapquest.com] ) @@ -469,9 +447,9 @@ class ApplicationController < ActionController::Base end def current_ability - # Add in capabilities from the oauth token if it exists and is a valid access token + # Use capabilities from the oauth token if it exists and is a valid access token if Authenticator.new(self, [:token]).allow? - Ability.new(current_user).merge(Capability.new(current_token)) + Ability.new(nil).merge(Capability.new(current_token)) else Ability.new(current_user) end