gem "omniauth-windowslive"
# Markdown formatting support
-gem "redcarpet"
+gem "kramdown"
# For status transitions of Issues
gem "aasm"
jsonify (< 0.4.0)
jwt (2.1.0)
kgio (2.11.2)
+ kramdown (1.17.0)
libv8 (3.16.14.19)
libxml-ruby (3.1.0)
listen (3.1.5)
ffi (~> 1.0)
record_tag_helper (1.0.0)
actionview (~> 5.x)
- redcarpet (3.4.0)
ref (2.0.0)
request_store (1.4.1)
rack (>= 1.4)
json
jsonify-rails
kgio
+ kramdown
libxml-ruby (>= 2.0.5)
listen
logstasher
rails-controller-testing
rails-i18n (~> 4.0.0)
record_tag_helper
- redcarpet
rinku (>= 1.2.2)
rotp
rubocop
include CanCan::Ability
def initialize(user)
+ can [:trackpoints, :map, :changes, :capabilities, :permissions], :api
can [:relation, :relation_history, :way, :way_history, :node, :node_history,
:changeset, :note, :new_note, :query], :browse
can [:index, :feed, :read, :download, :query], Changeset
can [:index, :show, :data, :georss, :picture, :icon], Trace
can [:terms, :api_users, :login, :logout, :new, :create, :save, :confirm, :confirm_resend, :confirm_email, :lost_password, :reset_password, :show, :api_read, :auth_success, :auth_failure], User
can [:index, :show, :blocks_on, :blocks_by], UserBlock
+ can [:read, :nodes], Node
+ can [:read, :full, :ways, :ways_for_node], Way
+ can [:read, :full, :relations, :relations_for_node, :relations_for_way, :relations_for_relation], Relation
+ can [:history, :version], OldNode
+ can [:history, :version], OldWay
+ can [:history, :version], OldRelation
if user
can :welcome, :site
if user.terms_agreed? || !REQUIRE_TERMS_AGREED
can [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox], Changeset
can :create, ChangesetComment
+ can [:create, :update, :delete], Node
+ can [:create, :update, :delete], Way
+ can [:create, :update, :delete], Relation
end
if user.moderator?
can :destroy, Note
can [:new, :create, :edit, :update, :destroy], Redaction
can [:new, :edit, :create, :update, :revoke], UserBlock
+ if user.terms_agreed? || !REQUIRE_TERMS_AGREED
+ can :redact, OldNode
+ can :redact, OldWay
+ can :redact, OldRelation
+ end
end
if user.administrator?
if token&.user&.terms_agreed? || !REQUIRE_TERMS_AGREED
can [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox], Changeset if capability?(token, :allow_write_api)
can :create, ChangesetComment if capability?(token, :allow_write_api)
+ can [:create, :update, :delete], Node if capability?(token, :allow_write_api)
+ can [:create, :update, :delete], Way if capability?(token, :allow_write_api)
+ can [:create, :update, :delete], Relation if capability?(token, :allow_write_api)
end
if token&.user&.moderator?
can [:destroy, :restore], ChangesetComment if capability?(token, :allow_write_api)
can :destroy, Note if capability?(token, :allow_write_notes)
+ if token&.user&.terms_agreed? || !REQUIRE_TERMS_AGREED
+ can :redact, OldNode if capability?(token, :allow_write_api)
+ can :redact, OldWay if capability?(token, :allow_write_api)
+ can :redact, OldRelation if capability?(token, :allow_write_api)
+ end
end
end
margin-left: $lineheight;
}
- ul li {
+ ul > li {
list-style: disc;
}
- ol li {
+ ol > li {
list-style: decimal;
}
}
class ApiController < ApplicationController
skip_before_action :verify_authenticity_token
+ before_action :api_deny_access_handler
+
+ authorize_resource :class => false
+
before_action :check_api_readable, :except => [:capabilities]
before_action :setup_user_auth, :only => [:permissions]
around_action :api_call_handle_error, :api_call_timeout
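Review bot: `authorize_resource :class => false` is registered before `before_action :setup_user_auth, :only => [:permissions]`, so for the permissions action the ability is built while the request is still unauthenticated. Authorization still passes because `:permissions` on `:api` is granted to everyone in the ability, but if `current_ability` is memoised (CanCan's default is `@current_ability ||= ::Ability.new(current_user)`) any later `can?` in that action will see the anonymous ability rather than the caller's; whether the app overrides `current_ability` is not visible here. Moving the `setup_user_auth` line above the `authorize_resource` line is harmless and removes the trap.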
skip_before_action :verify_authenticity_token
before_action :authorize, :only => [:create, :update, :delete]
- before_action :require_allow_write_api, :only => [:create, :update, :delete]
+ before_action :api_deny_access_handler
+
+ authorize_resource
+
before_action :require_public_data, :only => [:create, :update, :delete]
before_action :check_api_writable, :only => [:create, :update, :delete]
before_action :check_api_readable, :except => [:create, :update, :delete]
skip_before_action :verify_authenticity_token
before_action :setup_user_auth, :only => [:history, :version]
+ before_action :api_deny_access_handler
before_action :authorize, :only => [:redact]
- before_action :authorize_moderator, :only => [:redact]
- before_action :require_allow_write_api, :only => [:redact]
+
+ authorize_resource
+
before_action :check_api_readable
before_action :check_api_writable, :only => [:redact]
around_action :api_call_handle_error, :api_call_timeout
skip_before_action :verify_authenticity_token
before_action :authorize, :only => [:create, :update, :delete]
- before_action :require_allow_write_api, :only => [:create, :update, :delete]
+ before_action :api_deny_access_handler
+
+ authorize_resource
+
before_action :require_public_data, :only => [:create, :update, :delete]
before_action :check_api_writable, :only => [:create, :update, :delete]
before_action :check_api_readable, :except => [:create, :update, :delete]
relations_for_object("Relation")
end
+ private
+
def relations_for_object(objtype)
relationids = RelationMember.where(:member_type => objtype, :member_id => params[:id]).collect(&:relation_id).uniq
skip_before_action :verify_authenticity_token
before_action :authorize, :only => [:create, :update, :delete]
- before_action :require_allow_write_api, :only => [:create, :update, :delete]
+ before_action :api_deny_access_handler
+
+ authorize_resource
+
before_action :require_public_data, :only => [:create, :update, :delete]
before_action :check_api_writable, :only => [:create, :update, :delete]
before_action :check_api_readable, :except => [:create, :update, :delete]
Sanitize::Config::OSM = Sanitize::Config::RELAXED.dup
Sanitize::Config::OSM[:elements] -= %w[div style]
-Sanitize::Config::OSM[:add_attributes] = { "a" => { "rel" => "nofollow" } }
+Sanitize::Config::OSM[:add_attributes] = { "a" => { "rel" => "nofollow noopener noreferer" } }
Sanitize::Config::OSM[:remove_contents] = %w[script style]
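Review bot: The link type added to the `a` attributes on the new side is misspelled: the HTML keyword is `noreferrer` (two r's), and browsers ignore unknown `rel` tokens, so sanitized rich-text links will still send the Referer header while only `noopener` takes effect. Change it to `"a" => { "rel" => "nofollow noopener noreferrer" }`. The same spelling is used in the `linkify` helper and the rich_text tests in this change, so they need to be corrected together or the tests will pin the typo.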
edit: Edit
preview: Preview
markdown_help:
- title_html: Parsed with <a href="https://daringfireball.net/projects/markdown/">Markdown</a>
+ title_html: Parsed with <a href="https://kramdown.gettalong.org/quickref.html">kramdown</a>
headings: Headings
heading: Heading
subheading: Subheading
SimpleFormat.new.simple_format(text)
end
- def linkify(text)
+ def sanitize(text)
+ Sanitize.clean(text, Sanitize::Config::OSM).html_safe
+ end
+
+ def linkify(text, mode = :urls)
if text.html_safe?
- Rinku.auto_link(text, :urls, tag_builder.tag_options(:rel => "nofollow")).html_safe
+ Rinku.auto_link(text, mode, tag_builder.tag_options(:rel => "nofollow noopener noreferer")).html_safe
else
- Rinku.auto_link(text, :urls, tag_builder.tag_options(:rel => "nofollow"))
+ Rinku.auto_link(text, mode, tag_builder.tag_options(:rel => "nofollow noopener noreferer"))
end
end
end
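Review bot: Both `Rinku.auto_link` calls in `linkify` write `noreferer`, which is not a recognised link type; the keyword is `noreferrer`, and an unknown token is silently ignored by browsers, so the intended referrer suppression does not happen for auto-linked URLs. Use `tag_builder.tag_options(:rel => "nofollow noopener noreferrer")` in both branches. Since the same string is repeated here and in the Sanitize config, hoisting it into one frozen constant (e.g. `LINK_REL = "nofollow noopener noreferrer".freeze`) would keep the two from drifting apart again.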
def to_text
to_s
end
-
- private
-
- def sanitize(text)
- Sanitize.clean(text, Sanitize::Config::OSM).html_safe
- end
end
class Markdown < Base
def to_html
- Markdown.html_parser.render(self).html_safe
+ linkify(sanitize(Kramdown::Document.new(self).to_html), :all)
end
def to_text
to_s
end
-
- def self.html_renderer
- @html_renderer ||= Redcarpet::Render::XHTML.new(:filter_html => true, :safe_links_only => true, :link_attributes => { :rel => "nofollow" })
- end
-
- def self.html_parser
- @html_parser ||= Redcarpet::Markdown.new(html_renderer, :no_intra_emphasis => true, :autolink => true, :space_after_headers => true)
- end
end
class Text < Base
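Review bot: `Kramdown::Document.new(self)` in `to_html` parses user-supplied text with kramdown's default options, and the sanitize/linkify passes only clean the HTML that comes out, not what kramdown does while parsing. As far as I recall, kramdown releases before 2.3.0 (the lockfile pins 1.17.0) honour in-document option blocks such as `{::options template="..."}` from the text itself, which was later reported as a file-read/code-execution issue and is not addressed by the post-processing here; please confirm against the kramdown changelog. If that holds, the fix is to require a kramdown version whose default `forbidden_inline_options` excludes `template`, rather than anything in this method. A one-line comment on `to_html` such as `# kramdown parses raw HTML too; sanitize must run before linkify so Rinku only sees clean markup` would also make the ordering deliberate.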
assert_html r do
assert_select "a", 1
assert_select "a[href='http://example.com/']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
end
r = RichText.new("html", "foo <a href='http://example.com/'>bar</a> baz")
assert_html r do
assert_select "a", 1
assert_select "a[href='http://example.com/']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
end
r = RichText.new("html", "foo example@example.com bar")
assert_html r do
assert_select "a", 1
assert_select "a[href='mailto:example@example.com']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
end
r = RichText.new("html", "foo <div>bar</div> baz")
assert_html r do
assert_select "a", 1
assert_select "a[href='http://example.com/']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
end
r = RichText.new("markdown", "foo [bar](http://example.com/) baz")
assert_html r do
assert_select "a", 1
assert_select "a[href='http://example.com/']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
end
r = RichText.new("markdown", "foo example@example.com bar")
assert_html r do
assert_select "a", 1
assert_select "a[href='mailto:example@example.com']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
end
r = RichText.new("markdown", "foo [bar](mailto:example@example.com) bar")
assert_html r do
assert_select "a", 1
assert_select "a[href='mailto:example@example.com']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
end
r = RichText.new("markdown", "foo ![bar](http://example.com/example.png) bar")
assert_html r do
assert_select "a", 1
assert_select "a[href='http://example.com/']", 1
- assert_select "a[rel='nofollow']", 1
+ assert_select "a[rel='nofollow noopener noreferer']", 1
end
r = RichText.new("text", "foo example@example.com bar")