X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/daa2496024cf0bdc65e58eb6e2802784f411f68b..ca06b3c7b1a742307e1f6d6b8f809bab2dd0d484:/app/controllers/user_roles_controller.rb?ds=sidebyside diff --git a/app/controllers/user_roles_controller.rb b/app/controllers/user_roles_controller.rb index b1f24c275..9064b811d 100644 --- a/app/controllers/user_roles_controller.rb +++ b/app/controllers/user_roles_controller.rb @@ -6,23 +6,35 @@ class UserRolesController < ApplicationController before_filter :require_administrator def grant - this_user = User.find_by_display_name(params[:display_name], :conditions => {:visible => true}) - if this_user and UserRole::ALL_ROLES.include? params[:role] - this_user.roles.create(:role => params[:role]) + # added a random nonce here which isn't predictable, making an CSRF procedure much, much more difficult. + if params[:nonce] and params[:nonce] == session[:nonce] + this_user = User.find_by_display_name(params[:display_name], :conditions => {:visible => true}) + if this_user and UserRole::ALL_ROLES.include? params[:role] + this_user.roles.create(:role => params[:role], :granter_id => @user.id) + redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name] + else + flash[:notice] = t('user_role.grant.fail', :role => params[:role], :name => params[:display_name]) + end else - flash[:notice] = t('user_role.grant.fail', :role => params[:role], :name => params[:display_name]) + @nonce = OAuth::Helper.generate_nonce + session[:nonce] = @nonce end - redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name] end def revoke - this_user = User.find_by_display_name(params[:display_name], :conditions => {:visible => true}) - if this_user and UserRole::ALL_ROLES.include? params[:role] - UserRole.delete_all({:user_id => this_user.id, :role => params[:role]}) + # added a random nonce here which isn't predictable, making an CSRF procedure much, much more difficult. + if params[:nonce] and params[:nonce] == session[:nonce] + this_user = User.find_by_display_name(params[:display_name], :conditions => {:visible => true}) + if this_user and UserRole::ALL_ROLES.include? params[:role] + UserRole.delete_all({:user_id => this_user.id, :role => params[:role]}) + redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name] + else + flash[:notice] = t('user_role.revoke.fail', :role => params[:role], :name => params[:display_name]) + end else - flash[:notice] = t('user_role.revoke.fail', :role => params[:role], :name => params[:display_name]) + @nonce = OAuth::Helper.generate_nonce + session[:nonce] = @nonce end - redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name] end private