X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/f6695c9079f4eeeecaa796c879868f797f97cd55..24b4538f8fef9f97098a1dfd82ff56bd61103c96:/app/controllers/amf_controller.rb?ds=sidebyside diff --git a/app/controllers/amf_controller.rb b/app/controllers/amf_controller.rb index 632974f4f..fdad432a8 100644 --- a/app/controllers/amf_controller.rb +++ b/app/controllers/amf_controller.rb @@ -41,12 +41,17 @@ class AmfController < ApplicationController skip_before_action :verify_authenticity_token before_action :check_api_writable + # AMF Controller implements its own authentication and authorization checks + # completely independently of the rest of the codebase, so best just to let + # it keep doing its own thing. + skip_authorization_check + # Main AMF handlers: process the raw AMF string (using AMF library) and # calls each action (private method) accordingly. def amf_read self.status = :ok - self.content_type = Mime::AMF + self.content_type = Mime[:amf] self.response_body = Dispatcher.new(request.raw_post) do |message, *args| logger.info("Executing AMF #{message}(#{args.join(',')})") @@ -74,7 +79,7 @@ class AmfController < ApplicationController err = false # Abort batch on error self.status = :ok - self.content_type = Mime::AMF + self.content_type = Mime[:amf] self.response_body = Dispatcher.new(request.raw_post) do |message, *args| logger.info("Executing AMF #{message}") @@ -110,17 +115,17 @@ class AmfController < ApplicationController def amf_handle_error(call, rootobj, rootid) yield rescue OSM::APIAlreadyDeletedError => ex - return [-4, ex.object, ex.object_id] + [-4, ex.object, ex.object_id] rescue OSM::APIVersionMismatchError => ex - return [-3, [rootobj, rootid], [ex.type.downcase, ex.id, ex.latest]] + [-3, [rootobj, rootid], [ex.type.downcase, ex.id, ex.latest]] rescue OSM::APIUserChangesetMismatchError => ex - return [-2, ex.to_s] + [-2, ex.to_s] rescue OSM::APIBadBoundingBox => ex - return [-2, "Sorry - I can't get the map for that area. The server said: #{ex}"] + [-2, "Sorry - I can't get the map for that area. The server said: #{ex}"] rescue OSM::APIError => ex - return [-1, ex.to_s] + [-1, ex.to_s] rescue StandardError => ex - return [-2, "An unusual error happened (in #{call}). The server said: #{ex}"] + [-2, "An unusual error happened (in #{call}). The server said: #{ex}"] end def amf_handle_error_with_timeout(call, rootobj, rootid) @@ -143,6 +148,7 @@ class AmfController < ApplicationController if cstags return -1, "One of the tags is invalid. Linux users may need to upgrade to Flash Player 10.1." unless tags_ok(cstags) + cstags = strip_non_xml_chars cstags end @@ -151,7 +157,7 @@ class AmfController < ApplicationController cs = Changeset.find(closeid.to_i) cs.set_closed_time_now if cs.user_id != user.id - raise OSM::APIUserChangesetMismatchError.new + raise OSM::APIUserChangesetMismatchError elsif closecomment.empty? cs.save! else @@ -186,7 +192,7 @@ class AmfController < ApplicationController # Return presets (default tags, localisation etc.): # uses POTLATCH_PRESETS global, set up in OSM::Potlatch. - def getpresets(usertoken, lang) #:doc: + def getpresets(usertoken, _lang) user = getuser(usertoken) langs = if user && !user.languages.empty? @@ -220,16 +226,16 @@ class AmfController < ApplicationController loaded_lang = "en" # Load English defaults - en = YAML.load(File.open("#{Rails.root}/config/potlatch/locales/en.yml"))["en"] + en = YAML.safe_load(File.open(Rails.root.join("config", "potlatch", "locales", "en.yml")))["en"] if lang == "en" return [loaded_lang, en] else # Use English as a fallback begin - other = YAML.load(File.open("#{Rails.root}/config/potlatch/locales/#{lang}.yml"))[lang] + other = YAML.safe_load(File.open(Rails.root.join("config", "potlatch", "locales", "#{lang}.yml")))[lang] loaded_lang = lang - rescue + rescue StandardError other = en end @@ -253,7 +259,7 @@ class AmfController < ApplicationController # nodes in the bbox, nodes are any visible nodes in the bbox but not # used in any way, rel is any relation which refers to either a way # or node that we're returning. - def whichways(xmin, ymin, xmax, ymax) #:doc: + def whichways(xmin, ymin, xmax, ymax) amf_handle_error_with_timeout("'whichways'", nil, nil) do enlarge = [(xmax - xmin) / 8, 0.01].min xmin -= enlarge @@ -297,7 +303,7 @@ class AmfController < ApplicationController # Find deleted ways in current bounding box (similar to whichways, but ways # with a deleted node only - not POIs or relations). - def whichways_deleted(xmin, ymin, xmax, ymax) #:doc: + def whichways_deleted(xmin, ymin, xmax, ymax) amf_handle_error_with_timeout("'whichways_deleted'", nil, nil) do enlarge = [(xmax - xmin) / 8, 0.01].min xmin -= enlarge @@ -321,7 +327,7 @@ class AmfController < ApplicationController # Get a way including nodes and tags. # Returns the way id, a Potlatch-style array of points, a hash of tags, the version number, and the user ID. - def getway(wayid) #:doc: + def getway(wayid) amf_handle_error_with_timeout("'getway' #{wayid}", "way", wayid) do if POTLATCH_USE_SQL points = sql_get_nodes_in_way(wayid) @@ -366,7 +372,7 @@ class AmfController < ApplicationController # 4. version, # 5. is this the current, visible version? (boolean) - def getway_old(id, timestamp) #:doc: + def getway_old(id, timestamp) amf_handle_error_with_timeout("'getway_old' #{id}, #{timestamp}", "way", id) do if timestamp == "" # undelete @@ -375,7 +381,7 @@ class AmfController < ApplicationController else begin # revert - timestamp = DateTime.strptime(timestamp.to_s, "%d %b %Y, %H:%M:%S") + timestamp = Time.zone.strptime(timestamp.to_s, "%d %b %Y, %H:%M:%S") old_way = OldWay.where("way_id = ? AND timestamp <= ?", id, timestamp).unredacted.order("timestamp DESC").first unless old_way.nil? if old_way.visible @@ -411,7 +417,7 @@ class AmfController < ApplicationController # sort and collapse list (to within 2 seconds); trim all dates before the # start date of the way. - def getway_history(wayid) #:doc: + def getway_history(wayid) revdates = [] revusers = {} Way.find(wayid).old_ways.unredacted.collect do |a| @@ -437,20 +443,20 @@ class AmfController < ApplicationController revdates.collect! { |d| [(d + 1).strftime("%d %b %Y, %H:%M:%S")] + revusers[d.to_i] } revdates.uniq! - return ["way", wayid, revdates] + ["way", wayid, revdates] rescue ActiveRecord::RecordNotFound - return ["way", wayid, []] + ["way", wayid, []] end # Find history of a node. Returns 'node', id, and an array of previous versions as above. - def getnode_history(nodeid) #:doc: + def getnode_history(nodeid) history = Node.find(nodeid).old_nodes.unredacted.reverse.collect do |old_node| [(old_node.timestamp + 1).strftime("%d %b %Y, %H:%M:%S")] + change_user(old_node) end - return ["node", nodeid, history] + ["node", nodeid, history] rescue ActiveRecord::RecordNotFound - return ["node", nodeid, []] + ["node", nodeid, []] end def change_user(obj) @@ -471,7 +477,7 @@ class AmfController < ApplicationController return -1, t("application.setup_user_auth.blocked") if user.blocks.active.exists? query = Trace.visible_to(user) - query = if searchterm.to_i > 0 + query = if searchterm.to_i.positive? query.where(:id => searchterm.to_i) else query.where("MATCH(name) AGAINST (?)", searchterm).limit(21) @@ -492,11 +498,12 @@ class AmfController < ApplicationController # 4. list of members, # 5. version. - def getrelation(relid) #:doc: + def getrelation(relid) amf_handle_error("'getrelation' #{relid}", "relation", relid) do rel = Relation.where(:id => relid).first return [-4, "relation", relid] if rel.nil? || !rel.visible + [0, "", relid, rel.tags, rel.members, rel.version] end end @@ -506,16 +513,12 @@ class AmfController < ApplicationController def findrelations(searchterm) rels = [] - if searchterm.to_i > 0 + if searchterm.to_i.positive? rel = Relation.where(:id => searchterm.to_i).first - if rel && rel.visible - rels.push([rel.id, rel.tags, rel.members, rel.version]) - end + rels.push([rel.id, rel.tags, rel.members, rel.version]) if rel&.visible else RelationTag.where("v like ?", "%#{searchterm}%").limit(11).each do |t| - if t.relation.visible - rels.push([t.relation.id, t.relation.tags, t.relation.members, t.relation.version]) - end + rels.push([t.relation.id, t.relation.tags, t.relation.members, t.relation.version]) if t.relation.visible end end rels @@ -528,7 +531,7 @@ class AmfController < ApplicationController # 2. new relation id, # 3. version. - def putrelation(renumberednodes, renumberedways, usertoken, changeset_id, version, relid, tags, members, visible) #:doc: + def putrelation(renumberednodes, renumberedways, usertoken, changeset_id, version, relid, tags, members, visible) amf_handle_error("'putrelation' #{relid}", "relation", relid) do user = getuser(usertoken) @@ -537,6 +540,7 @@ class AmfController < ApplicationController return -1, "You must accept the contributor terms before you can edit." if REQUIRE_TERMS_AGREED && user.terms_agreed.nil? return -1, "One of the tags is invalid. Linux users may need to upgrade to Flash Player 10.1." unless tags_ok(tags) + tags = strip_non_xml_chars tags relid = relid.to_i @@ -546,7 +550,7 @@ class AmfController < ApplicationController relation = nil Relation.transaction do # create a new relation, or find the existing one - relation = Relation.find(relid) if relid > 0 + relation = Relation.find(relid) if relid.positive? # We always need a new node, based on the data that has been sent to us new_relation = Relation.new @@ -554,13 +558,11 @@ class AmfController < ApplicationController typedmembers = [] members.each do |m| mid = m[1].to_i - if mid < 0 + if mid.negative? mid = renumberednodes[mid] if m[0] == "Node" mid = renumberedways[mid] if m[0] == "Way" end - if mid - typedmembers << [m[0], mid, m[2].delete("\000-\037\ufffe\uffff", "^\011\012\015")] - end + typedmembers << [m[0], mid, m[2].delete("\000-\037\ufffe\uffff", "^\011\012\015")] if mid end # assign new contents @@ -582,7 +584,7 @@ class AmfController < ApplicationController new_relation.id = relid relation.delete_with_history!(new_relation, user) end - end # transaction + end if relid <= 0 return [0, "", relid, new_relation.id, new_relation.version] @@ -616,7 +618,7 @@ class AmfController < ApplicationController # 6. hash of changed node versions (node=>version) # 7. hash of deleted node versions (node=>version) - def putway(renumberednodes, usertoken, changeset_id, wayversion, originalway, pointlist, attributes, nodes, deletednodes) #:doc: + def putway(renumberednodes, usertoken, changeset_id, wayversion, originalway, pointlist, attributes, nodes, deletednodes) amf_handle_error("'putway' #{originalway}", "way", originalway) do # -- Initialise @@ -628,6 +630,7 @@ class AmfController < ApplicationController return -2, "Server error - way is only #{pointlist.length} points long." if pointlist.length < 2 return -1, "One of the tags is invalid. Linux users may need to upgrade to Flash Player 10.1." unless tags_ok(attributes) + attributes = strip_non_xml_chars attributes originalway = originalway.to_i @@ -657,6 +660,7 @@ class AmfController < ApplicationController # fixup node tags in a way as well return -1, "One of the tags is invalid. Linux users may need to upgrade to Flash Player 10.1." unless tags_ok(node.tags) + node.tags = strip_non_xml_chars node.tags node.tags.delete("created_by") @@ -678,8 +682,8 @@ class AmfController < ApplicationController # -- Save revised way pointlist.collect! do |a| - renumberednodes[a] ? renumberednodes[a] : a - end # renumber nodes + renumberednodes[a] || a + end new_way = Way.new new_way.tags = attributes new_way.nds = pointlist @@ -711,7 +715,7 @@ class AmfController < ApplicationController # and we don't want to delete it end end - end # transaction + end [0, "", originalway, way.id, renumberednodes, way.version, nodeversions, deletednodes] end @@ -726,7 +730,7 @@ class AmfController < ApplicationController # 3. new node id, # 4. version. - def putpoi(usertoken, changeset_id, version, id, lon, lat, tags, visible) #:doc: + def putpoi(usertoken, changeset_id, version, id, lon, lat, tags, visible) amf_handle_error("'putpoi' #{id}", "node", id) do user = getuser(usertoken) return -1, "You are not logged in, so the point could not be saved." unless user @@ -734,6 +738,7 @@ class AmfController < ApplicationController return -1, "You must accept the contributor terms before you can edit." if REQUIRE_TERMS_AGREED && user.terms_agreed.nil? return -1, "One of the tags is invalid. Linux users may need to upgrade to Flash Player 10.1." unless tags_ok(tags) + tags = strip_non_xml_chars tags id = id.to_i @@ -741,16 +746,14 @@ class AmfController < ApplicationController node = nil new_node = nil Node.transaction do - if id > 0 + if id.positive? begin node = Node.find(id) rescue ActiveRecord::RecordNotFound return [-4, "node", id] end - unless visible || node.ways.empty? - return -1, "Point #{id} has since become part of a way, so you cannot save it as a POI.", id, id, version - end + return -1, "Point #{id} has since become part of a way, so you cannot save it as a POI.", id, id, version unless visible || node.ways.empty? end # We always need a new node, based on the data that has been sent to us new_node = Node.new @@ -772,7 +775,7 @@ class AmfController < ApplicationController new_node.id = id node.delete_with_history!(new_node, user) end - end # transaction + end if id <= 0 return [0, "", id, new_node.id, new_node.version] @@ -787,15 +790,13 @@ class AmfController < ApplicationController # # Returns array of id, long, lat, hash of tags, (current) version. - def getpoi(id, timestamp) #:doc: + def getpoi(id, timestamp) amf_handle_error("'getpoi' #{id}", "node", id) do id = id.to_i n = Node.where(:id => id).first if n v = n.version - unless timestamp == "" - n = OldNode.where("node_id = ? AND timestamp <= ?", id, timestamp).unredacted.order("timestamp DESC").first - end + n = OldNode.where("node_id = ? AND timestamp <= ?", id, timestamp).unredacted.order("timestamp DESC").first unless timestamp == "" end if n @@ -816,7 +817,7 @@ class AmfController < ApplicationController # of the nodes have been changed by someone else then, there is a problem! # Returns 0 (success), unchanged way id, new way version, new node versions. - def deleteway(usertoken, changeset_id, way_id, way_version, deletednodes) #:doc: + def deleteway(usertoken, changeset_id, way_id, way_version, deletednodes) amf_handle_error("'deleteway' #{way_id}", "way", way_id) do user = getuser(usertoken) return -1, "You are not logged in, so the way could not be deleted." unless user @@ -853,7 +854,7 @@ class AmfController < ApplicationController # elsewhere and we don't want to delete it end end - end # transaction + end [0, "", way_id, old_way.version, nodeversions] end end @@ -866,7 +867,7 @@ class AmfController < ApplicationController # When we are writing to the api, we need the actual user model, # not just the id, hence this abstraction - def getuser(token) #:doc: + def getuser(token) if token =~ /^(.+)\:(.+)$/ User.authenticate(:username => Regexp.last_match(1), :password => Regexp.last_match(2)) else @@ -875,7 +876,7 @@ class AmfController < ApplicationController end def getlocales - @locales ||= Locale.list(Dir.glob("#{Rails.root}/config/potlatch/locales/*").collect { |f| File.basename(f, ".yml") }) + @getlocales ||= Locale.list(Dir.glob(Rails.root.join("config", "potlatch", "locales", "*")).collect { |f| File.basename(f, ".yml") }) end ## @@ -893,12 +894,10 @@ class AmfController < ApplicationController # in the +tags+ hash. def strip_non_xml_chars(tags) new_tags = {} - unless tags.nil? - tags.each do |k, v| - new_k = k.delete "\000-\037\ufffe\uffff", "^\011\012\015" - new_v = v.delete "\000-\037\ufffe\uffff", "^\011\012\015" - new_tags[new_k] = new_v - end + tags&.each do |k, v| + new_k = k.delete "\000-\037\ufffe\uffff", "^\011\012\015" + new_v = v.delete "\000-\037\ufffe\uffff", "^\011\012\015" + new_tags[new_k] = new_v end new_tags end @@ -907,7 +906,7 @@ class AmfController < ApplicationController # Alternative SQL queries for getway/whichways def sql_find_ways_in_area(bbox) - sql = <<-EOF + sql = <<-SQL SELECT DISTINCT current_ways.id AS wayid,current_ways.version AS version FROM current_way_nodes INNER JOIN current_nodes ON current_nodes.id=current_way_nodes.node_id @@ -915,20 +914,20 @@ class AmfController < ApplicationController WHERE current_nodes.visible=TRUE AND current_ways.visible=TRUE AND #{OSM.sql_for_area(bbox, 'current_nodes.')} - EOF + SQL ActiveRecord::Base.connection.select_all(sql).collect { |a| [a["wayid"].to_i, a["version"].to_i] } end def sql_find_pois_in_area(bbox) pois = [] - sql = <<-EOF + sql = <<-SQL SELECT current_nodes.id,current_nodes.latitude*0.0000001 AS lat,current_nodes.longitude*0.0000001 AS lon,current_nodes.version FROM current_nodes LEFT OUTER JOIN current_way_nodes cwn ON cwn.node_id=current_nodes.id WHERE current_nodes.visible=TRUE AND cwn.id IS NULL AND #{OSM.sql_for_area(bbox, 'current_nodes.')} - EOF + SQL ActiveRecord::Base.connection.select_all(sql).each do |row| poitags = {} ActiveRecord::Base.connection.select_all("SELECT k,v FROM current_node_tags WHERE id=#{row['id']}").each do |n| @@ -942,36 +941,36 @@ class AmfController < ApplicationController def sql_find_relations_in_area_and_ways(bbox, way_ids) # ** It would be more Potlatchy to get relations for nodes within ways # during 'getway', not here - sql = <<-EOF + sql = <<-SQL SELECT DISTINCT cr.id AS relid,cr.version AS version FROM current_relations cr INNER JOIN current_relation_members crm ON crm.id=cr.id INNER JOIN current_nodes cn ON crm.member_id=cn.id AND crm.member_type='Node' WHERE #{OSM.sql_for_area(bbox, 'cn.')} - EOF + SQL unless way_ids.empty? - sql += <<-EOF + sql += <<-SQL UNION SELECT DISTINCT cr.id AS relid,cr.version AS version FROM current_relations cr INNER JOIN current_relation_members crm ON crm.id=cr.id WHERE crm.member_type='Way' AND crm.member_id IN (#{way_ids.join(',')}) - EOF + SQL end ActiveRecord::Base.connection.select_all(sql).collect { |a| [a["relid"].to_i, a["version"].to_i] } end def sql_get_nodes_in_way(wayid) points = [] - sql = <<-EOF + sql = <<-SQL SELECT latitude*0.0000001 AS lat,longitude*0.0000001 AS lon,current_nodes.id,current_nodes.version FROM current_way_nodes,current_nodes WHERE current_way_nodes.id=#{wayid.to_i} AND current_way_nodes.node_id=current_nodes.id AND current_nodes.visible=TRUE ORDER BY sequence_id - EOF + SQL ActiveRecord::Base.connection.select_all(sql).each do |row| nodetags = {} ActiveRecord::Base.connection.select_all("SELECT k,v FROM current_node_tags WHERE id=#{row['id']}").each do |n|