X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/dc6a5bc1a60e34e7004174287f79c8a073fa012e..b99b1926974a92935a14ecf046915e83421e3cd1:/app/controllers/application_controller.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 7f9ab6ead..6c6a087b7 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -118,24 +118,6 @@ class ApplicationController < ActionController::Base require_capability(:allow_write_gpx) end - def require_allow_write_notes - require_capability(:allow_write_notes) - end - - ## - # require that the user is a moderator, or fill out a helpful error message - # and return them to the index for the controller this is wrapped from. - def require_moderator - unless current_user.moderator? - if request.get? - flash[:error] = t("application.require_moderator.not_a_moderator") - redirect_to :action => "index" - else - head :forbidden - end - end - end - ## # sets up the current_user for use by other methods. this is mostly called # from the authorize method, but can be called elsewhere if authorisation @@ -193,11 +175,6 @@ class ApplicationController < ActionController::Base ## # to be used as a before_filter *after* authorize. this checks that # the user is a moderator and, if not, returns a forbidden error. - # - # NOTE: this isn't a very good way of doing it - it duplicates logic - # from require_moderator - but what we really need to do is a fairly - # drastic refactoring based on :format and respond_to? but not a - # good idea to do that in this branch. def authorize_moderator(errormessage = "Access restricted to moderators") # check user is a moderator unless current_user.moderator? @@ -477,7 +454,15 @@ class ApplicationController < ActionController::Base end end - def deny_access(_exception) + def deny_access(exception) + if @api_deny_access_handling + api_deny_access(exception) + else + web_deny_access(exception) + end + end + + def web_deny_access(_exception) if current_token set_locale report_error t("oauth.permissions.missing"), :forbidden @@ -497,6 +482,26 @@ class ApplicationController < ActionController::Base end end + def api_deny_access(_exception) + if current_token + set_locale + report_error t("oauth.permissions.missing"), :forbidden + elsif current_user + head :forbidden + else + realm = "Web Password" + errormessage = "Couldn't authenticate you" + response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\"" + render :plain => errormessage, :status => :unauthorized + end + end + + attr_accessor :api_access_handling + + def api_deny_access_handler + @api_deny_access_handling = true + end + private # extract authorisation credentials from headers, returns user = nil if none