X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/e68d4efc3cdf02f35144e3967be998aaa633a3de..12ac6f8f27dfe63d9674fba54862db13a9e6d89a:/app/controllers/application_controller.rb?ds=inline diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index a30816a8e..f5accc3c4 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -10,6 +10,8 @@ class ApplicationController < ActionController::Base rescue_from CanCan::AccessDenied, :with => :deny_access check_authorization + rescue_from RailsParam::InvalidParameterError, :with => :invalid_parameter + before_action :fetch_body around_action :better_errors_allow_inline, :if => proc { Rails.env.development? } @@ -22,7 +24,7 @@ class ApplicationController < ActionController::Base def authorize_web if session[:user] - self.current_user = User.where(:id => session[:user], :status => %w[active confirmed suspended]).first + self.current_user = User.find_by(:id => session[:user], :status => %w[active confirmed suspended]) if session[:fingerprint] && session[:fingerprint] != current_user.fingerprint @@ -44,8 +46,6 @@ class ApplicationController < ActionController::Base redirect_to :controller => "users", :action => "terms", :referer => request.fullpath end end - elsif session[:token] - session[:user] = current_user.id if self.current_user = User.authenticate(:token => session[:token]) end session[:fingerprint] = current_user.fingerprint if current_user && session[:fingerprint].nil? @@ -69,6 +69,10 @@ class ApplicationController < ActionController::Base @oauth_token = current_user.oauth_token(Settings.oauth_application) if current_user && Settings.key?(:oauth_application) end + def require_oauth_10a_support + report_error t("application.oauth_10a_disabled", :link => t("application.auth_disabled_link")), :forbidden unless Settings.oauth_10a_support + end + ## # require the user to have cookies enabled in their browser def require_cookies @@ -199,7 +203,7 @@ class ApplicationController < ActionController::Base ## # wrap a web page in a timeout def web_timeout(&block) - Timeout.timeout(Settings.web_timeout, Timeout::Error, &block) + Timeout.timeout(Settings.web_timeout, &block) rescue ActionView::Template::Error => e e = e.cause @@ -308,6 +312,17 @@ class ApplicationController < ActionController::Base end end + def invalid_parameter(_exception) + if request.get? + respond_to do |format| + format.html { redirect_to :controller => "/errors", :action => "bad_request" } + format.any { head :bad_request } + end + else + head :bad_request + end + end + # extract authorisation credentials from headers, returns user = nil if none def auth_data if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it