X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/9e50c3851ce56514004fc12bcf2c71817fc44b0b..6da3ece68354f77f626de8963770c0217048e19d:/app/controllers/application_controller.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index b8a50eb78..84adc1a32 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,9 +1,11 @@ class ApplicationController < ActionController::Base include SessionPersistence + # check_authorization protect_from_forgery :with => :exception before_action :fetch_body + around_action :better_errors_allow_inline, :if => proc { Rails.env.development? } attr_accessor :current_user helper_method :current_user @@ -295,7 +297,8 @@ class ApplicationController < ActionController::Base end end - def preferred_languages + def preferred_languages(reset = false) + @preferred_languages = nil if reset @preferred_languages ||= if params[:locale] Locale.list(params[:locale]) elsif current_user @@ -307,13 +310,13 @@ class ApplicationController < ActionController::Base helper_method :preferred_languages - def set_locale + def set_locale(reset = false) if current_user && current_user.languages.empty? && !http_accept_language.user_preferred_languages.empty? current_user.languages = http_accept_language.user_preferred_languages current_user.save end - I18n.locale = Locale.available.preferred(preferred_languages) + I18n.locale = Locale.available.preferred(preferred_languages(reset)) response.headers["Vary"] = "Accept-Language" response.headers["Content-Language"] = I18n.locale.to_s @@ -411,9 +414,9 @@ class ApplicationController < ActionController::Base append_content_security_policy_directives( :child_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112], :frame_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112], - :connect_src => %w[nominatim.openstreetmap.org overpass-api.de router.project-osrm.org], + :connect_src => %w[nominatim.openstreetmap.org overpass-api.de router.project-osrm.org graphhopper.com], :form_action => %w[render.openstreetmap.org], - :script_src => %w[graphhopper.com open.mapquestapi.com], + :script_src => %w[open.mapquestapi.com], :img_src => %w[developer.mapquest.com] ) @@ -454,6 +457,26 @@ class ApplicationController < ActionController::Base end end + def better_errors_allow_inline + yield + rescue StandardError + append_content_security_policy_directives( + :script_src => %w['unsafe-inline'], + :style_src => %w['unsafe-inline'] + ) + + raise + end + + rescue_from CanCan::AccessDenied do |exception| + raise "Access denied on #{exception.action} #{exception.subject.inspect}" + # ... + end + + def current_ability + @current_ability ||= Ability.new(current_user, current_token) + end + private # extract authorisation credentials from headers, returns user = nil if none