# Offense count: 56
# Configuration parameters: AllowedMethods, AllowedPatterns.
Metrics/PerceivedComplexity:
- Max: 27
+ Max: 29
# Offense count: 2394
# This cop supports safe autocorrection (--autocorrect).
--- /dev/null
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+ xmlns:dc="http://purl.org/dc/elements/1.1/"
+ xmlns:cc="http://creativecommons.org/ns#"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:svg="http://www.w3.org/2000/svg"
+ xmlns="http://www.w3.org/2000/svg"
+ xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+ xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+ id="svg6042"
+ version="1.1"
+ inkscape:version="0.48.2 r9819"
+ width="20"
+ height="20"
+ sodipodi:docname="blank_moderator.svg"
+ inkscape:export-filename="/Users/saman/work_repos/openstreetmap-website/app/assets/images/roles/blank_moderator.png"
+ inkscape:export-xdpi="90"
+ inkscape:export-ydpi="90">
+ <metadata
+ id="metadata6048">
+ <rdf:RDF>
+ <cc:Work
+ rdf:about="">
+ <dc:format>image/svg+xml</dc:format>
+ <dc:type
+ rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+ <dc:title></dc:title>
+ </cc:Work>
+ </rdf:RDF>
+ </metadata>
+ <defs
+ id="defs6046" />
+ <sodipodi:namedview
+ pagecolor="#ffffff"
+ bordercolor="#666666"
+ borderopacity="1"
+ objecttolerance="10"
+ gridtolerance="10"
+ guidetolerance="10"
+ inkscape:pageopacity="0"
+ inkscape:pageshadow="2"
+ inkscape:window-width="1264"
+ inkscape:window-height="776"
+ id="namedview6044"
+ showgrid="false"
+ inkscape:zoom="1"
+ inkscape:cx="10"
+ inkscape:cy="10"
+ inkscape:window-x="0"
+ inkscape:window-y="0"
+ inkscape:window-maximized="0"
+ inkscape:current-layer="svg6042" />
+ <path
+ inkscape:connector-curvature="0"
+ style="color:#000000;fill:#38e13a;fill-opacity:1;fill-rule:nonzero;stroke:#38e13a;stroke-width:2;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate"
+ d="M 10,2 8.125,8 2,8 6.96875,11.71875 5,18 10,14 15,18 13.03125,11.71875 18,8 11.875,8 10,2 z"
+ id="path4709" />
+ <path
+ inkscape:connector-curvature="0"
+ style="color:#000000;fill:#ffffff;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:2;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate"
+ d="M 10,2 8.125,8 2,8 6.96875,11.71875 5,18 10,14 15,18 13.03125,11.71875 18,8 11.875,8 10,2 z"
+ id="path5684" />
+</svg>
--- /dev/null
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+ xmlns:dc="http://purl.org/dc/elements/1.1/"
+ xmlns:cc="http://creativecommons.org/ns#"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:svg="http://www.w3.org/2000/svg"
+ xmlns="http://www.w3.org/2000/svg"
+ xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+ xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+ id="svg4678"
+ version="1.1"
+ inkscape:version="0.48.2 r9819"
+ width="20"
+ height="20"
+ sodipodi:docname="moderator.svg"
+ inkscape:export-filename="/Users/saman/work_repos/openstreetmap-website/app/assets/images/roles/moderator.png"
+ inkscape:export-xdpi="90"
+ inkscape:export-ydpi="90">
+ <metadata
+ id="metadata4684">
+ <rdf:RDF>
+ <cc:Work
+ rdf:about="">
+ <dc:format>image/svg+xml</dc:format>
+ <dc:type
+ rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+ <dc:title></dc:title>
+ </cc:Work>
+ </rdf:RDF>
+ </metadata>
+ <defs
+ id="defs4682" />
+ <sodipodi:namedview
+ pagecolor="#ffffff"
+ bordercolor="#666666"
+ borderopacity="1"
+ objecttolerance="10"
+ gridtolerance="10"
+ guidetolerance="10"
+ inkscape:pageopacity="0"
+ inkscape:pageshadow="2"
+ inkscape:window-width="1574"
+ inkscape:window-height="831"
+ id="namedview4680"
+ showgrid="false"
+ inkscape:zoom="1"
+ inkscape:cx="9.1260993"
+ inkscape:cy="11.531765"
+ inkscape:window-x="0"
+ inkscape:window-y="0"
+ inkscape:window-maximized="0"
+ inkscape:current-layer="svg4678">
+ <inkscape:grid
+ type="xygrid"
+ id="grid4707" />
+ </sodipodi:namedview>
+ <path
+ style="color:#000000;fill:#38e13a;fill-opacity:1;fill-rule:nonzero;stroke:#38e13a;stroke-width:2;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate"
+ d="m 10,2 5,16 -5,-4 -5,4 z"
+ id="path4709"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="ccccc" />
+ <path
+ style="color:#000000;fill:#38e13a;fill-opacity:1;fill-rule:nonzero;stroke:#38e13a;stroke-width:2;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate"
+ d="m 2,8 16,0 -8,6 z"
+ id="path5479"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cccc" />
+</svg>
I18n.fallbacks = true;
OSM.preferred_editor = application_data.preferredEditor;
+ OSM.preferred_languages = application_data.preferredLanguages;
if (application_data.user) {
OSM.user = application_data.user;
function featureName(feature) {
var tags = feature.tags,
- locales = I18n.locales.get();
+ locales = OSM.preferred_languages;
for (var i = 0; i < locales.length; i++) {
if (tags["name:" + locales[i]]) {
margin-right: $lineheight * 0.25;
}
-[dir=rtl] { /* no-r2 */ text-align: right; }
-
-[dir=ltr] { /* no-r2 */ text-align: left; }
-
/* Rules for icons */
.icon {
diff_reader = DiffReader.new(request.raw_post, changeset)
Changeset.transaction do
result = diff_reader.commit
+ # the number of changes in this changeset has already been
+ # updated and is visible in this transaction so we don't need
+ # to allow for any more when checking the limit
+ check_rate_limit(0)
render :xml => result.to_s
end
end
around_action :api_call_handle_error, :api_call_timeout
before_action :set_request_formats, :except => [:create, :update, :delete]
+ before_action :check_rate_limit, :only => [:create, :update, :delete]
# Dump the details on many nodes whose ids are given in the "nodes" parameter.
def index
around_action :api_call_handle_error, :api_call_timeout
before_action :set_request_formats, :except => [:create, :update, :delete]
+ before_action :check_rate_limit, :only => [:create, :update, :delete]
def index
raise OSM::APIBadUserInput, "The parameter relations is required, and must be of the form relations=id[,id[,id...]]" unless params["relations"]
around_action :api_call_handle_error, :api_call_timeout
before_action :set_request_formats, :except => [:create, :update, :delete]
+ before_action :check_rate_limit, :only => [:create, :update, :delete]
def index
raise OSM::APIBadUserInput, "The parameter ways is required, and must be of the form ways=id[,id[,id...]]" unless params["ways"]
ActiveRecord::Base.connection.raw_connection.cancel
raise OSM::APITimeoutError
end
+
+ ##
+ # check the api change rate limit
+ def check_rate_limit(new_changes = 1)
+ max_changes = ActiveRecord::Base.connection.select_value(
+ "SELECT api_rate_limit($1)", "api_rate_limit", [current_user.id]
+ )
+
+ raise OSM::APIRateLimitExceeded if new_changes > max_changes
+ end
end
render :action => "new"
elsif current_user.auth_provider.present?
# Verify external authenticator before moving on
- session[:new_user] = current_user
+ session[:new_user] = current_user.attributes.slice("email", "display_name", "pass_crypt")
redirect_to auth_url(current_user.auth_provider, current_user.auth_uid), :status => :temporary_redirect
else
# Save the user record
- session[:new_user] = current_user
+ session[:new_user] = current_user.attributes.slice("email", "display_name", "pass_crypt")
redirect_to :action => :terms
end
end
redirect_to referer || edit_account_path
else
- self.current_user = session.delete(:new_user)
+ new_user = session.delete(:new_user)
+ verified_email = new_user.delete("verified_email")
+
+ self.current_user = User.new(new_user)
if check_signup_allowed(current_user.email)
current_user.data_public = true
if current_user.auth_uid.blank?
current_user.auth_provider = nil
current_user.auth_uid = nil
+ elsif current_user.email == verified_email
+ current_user.activate
end
if current_user.save
redirect_to edit_account_path
elsif session[:new_user]
- session[:new_user].auth_provider = provider
- session[:new_user].auth_uid = uid
-
- session[:new_user].activate if email_verified && email == session[:new_user].email
+ session[:new_user]["auth_provider"] = provider
+ session[:new_user]["auth_uid"] = uid
+ session[:new_user]["verified_email"] = email if email_verified
redirect_to :action => "terms"
else
def application_data
data = {
:locale => I18n.locale,
- :preferred_editor => preferred_editor
+ :preferred_editor => preferred_editor,
+ :preferred_languages => preferred_languages.expand.map(&:to_s)
}
if current_user
role? "administrator"
end
+ ##
+ # returns true if the user has the importer role, false otherwise
+ def importer?
+ role? "importer"
+ end
+
##
# returns true if the user has the requested role
def role?(role)
belongs_to :user
belongs_to :granter, :class_name => "User"
- ALL_ROLES = %w[administrator moderator].freeze
+ ALL_ROLES = %w[administrator moderator importer].freeze
validates :role, :inclusion => ALL_ROLES, :uniqueness => { :scope => :user_id }
end
<tr>
- <th class='py-1 border-grey table-light fw-normal'><%= format_key(tag[0]) %></th>
- <td class='py-1 border-grey border-start'><%= format_value(tag[0], tag[1]) %></td>
+ <th class='py-1 border-grey table-light fw-normal' dir='auto'><%= format_key(tag[0]) %></th>
+ <td class='py-1 border-grey border-start' dir='auto'><%= format_value(tag[0], tag[1]) %></td>
</tr>
module OpenStreetMap
class Application < Rails::Application
# Initialize configuration defaults for originally generated Rails version.
- config.load_defaults 7.0
+ config.load_defaults 7.1
# Please, add to the `ignore` list any other `lib` subdirectories that do
# not contain `.rb` files, or that should not be reloaded or eager loaded.
# like if you have constraints or database-specific column types
config.active_record.schema_format = :sql unless Settings.status == "database_offline"
- # Use rails 7.1 cache format
- config.active_support.cache_format_version = 7.1
-
# Use memcached for caching if required
config.cache_store = :mem_cache_store, Settings.memcache_servers, { :namespace => "rails:cache" } if Settings.key?(:memcache_servers)
execute "ALTER TABLE #{table_name} ADD PRIMARY KEY USING INDEX #{constraint_name}"
end
-
- def create_enumeration(enumeration_name, values)
- execute "CREATE TYPE #{enumeration_name} AS ENUM ('#{values.join '\',\''}')"
- end
-
- def drop_enumeration(enumeration_name)
- execute "DROP TYPE #{enumeration_name}"
- end
-
- def rename_enumeration(old_name, new_name)
- old_name = quote_table_name(old_name)
- new_name = quote_table_name(new_name)
-
- execute "ALTER TYPE #{old_name} RENAME TO #{new_name}"
- end
end
end
end
+++ /dev/null
-# Be sure to restart your server when you modify this file.
-#
-# This file eases your Rails 7.1 framework defaults upgrade.
-#
-# Uncomment each configuration one by one to switch to the new default.
-# Once your application is ready to run with all new defaults, you can remove
-# this file and set the `config.load_defaults` to `7.1`.
-#
-# Read the Guide for Upgrading Ruby on Rails for more info on each option.
-# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
-
-# No longer add autoloaded paths into `$LOAD_PATH`. This means that you won't be able
-# to manually require files that are managed by the autoloader, which you shouldn't do anyway.
-# This will reduce the size of the load path, making `require` faster if you don't use bootsnap, or reduce the size
-# of the bootsnap cache if you use it.
-# Rails.application.config.add_autoload_paths_to_load_path = false
-
-# Remove the default X-Download-Options headers since it is used only by Internet Explorer.
-# If you need to support Internet Explorer, add back `"X-Download-Options" => "noopen"`.
-# Rails.application.config.action_dispatch.default_headers = {
-# "X-Frame-Options" => "SAMEORIGIN",
-# "X-XSS-Protection" => "0",
-# "X-Content-Type-Options" => "nosniff",
-# "X-Permitted-Cross-Domain-Policies" => "none",
-# "Referrer-Policy" => "strict-origin-when-cross-origin"
-# }
-
-# Do not treat an `ActionController::Parameters` instance
-# as equal to an equivalent `Hash` by default.
-# Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality = false
-
-# Active Record Encryption now uses SHA-256 as its hash digest algorithm. Important: If you have
-# data encrypted with previous Rails versions, there are two scenarios to consider:
-#
-# 1. If you have +config.active_support.key_generator_hash_digest_class+ configured as SHA1 (the default
-# before Rails 7.0), you need to configure SHA-1 for Active Record Encryption too:
-# Rails.application.config.active_record.encryption.hash_digest_class = OpenSSL::Digest::SHA1
-# 2. If you have +config.active_support.key_generator_hash_digest_class+ configured as SHA256 (the new default
-# in 7.0), then you need to configure SHA-256 for Active Record Encryption:
-# Rails.application.config.active_record.encryption.hash_digest_class = OpenSSL::Digest::SHA256
-#
-# If you don't currently have data encrypted with Active Record encryption, you can disable this setting to
-# configure the default behavior starting 7.1+:
-Rails.application.config.active_record.encryption.support_sha1_for_non_deterministic_encryption = false
-
-# No longer run after_commit callbacks on the first of multiple Active Record
-# instances to save changes to the same database row within a transaction.
-# Instead, run these callbacks on the instance most likely to have internal
-# state which matches what was committed to the database, typically the last
-# instance to save.
-Rails.application.config.active_record.run_commit_callbacks_on_first_saved_instances_in_transaction = false
-
-# Configures SQLite with a strict strings mode, which disables double-quoted string literals.
-#
-# SQLite has some quirks around double-quoted string literals.
-# It first tries to consider double-quoted strings as identifier names, but if they don't exist
-# it then considers them as string literals. Because of this, typos can silently go unnoticed.
-# For example, it is possible to create an index for a non existing column.
-# See https://www.sqlite.org/quirks.html#double_quoted_string_literals_are_accepted for more details.
-Rails.application.config.active_record.sqlite3_adapter_strict_strings_by_default = true
-
-# Disable deprecated singular associations names
-Rails.application.config.active_record.allow_deprecated_singular_associations_name = false
-
-# Enable the Active Job `BigDecimal` argument serializer, which guarantees
-# roundtripping. Without this serializer, some queue adapters may serialize
-# `BigDecimal` arguments as simple (non-roundtrippable) strings.
-#
-# When deploying an application with multiple replicas, old (pre-Rails 7.1)
-# replicas will not be able to deserialize `BigDecimal` arguments from this
-# serializer. Therefore, this setting should only be enabled after all replicas
-# have been successfully upgraded to Rails 7.1.
-Rails.application.config.active_job.use_big_decimal_serializer = true
-
-# Specify if an `ArgumentError` should be raised if `Rails.cache` `fetch` or
-# `write` are given an invalid `expires_at` or `expires_in` time.
-# Options are `true`, and `false`. If `false`, the exception will be reported
-# as `handled` and logged instead.
-Rails.application.config.active_support.raise_on_invalid_cache_expiration_time = true
-
-# Specify whether Query Logs will format tags using the SQLCommenter format
-# (https://open-telemetry.github.io/opentelemetry-sqlcommenter/), or using the legacy format.
-# Options are `:legacy` and `:sqlcommenter`.
-Rails.application.config.active_record.query_log_tags_format = :sqlcommenter
-
-# Specify the default serializer used by `MessageEncryptor` and `MessageVerifier`
-# instances.
-#
-# The legacy default is `:marshal`, which is a potential vector for
-# deserialization attacks in cases where a message signing secret has been
-# leaked.
-#
-# In Rails 7.1, the new default is `:json_allow_marshal` which serializes and
-# deserializes with `ActiveSupport::JSON`, but can fall back to deserializing
-# with `Marshal` so that legacy messages can still be read.
-#
-# In Rails 7.2, the default will become `:json` which serializes and
-# deserializes with `ActiveSupport::JSON` only.
-#
-# Alternatively, you can choose `:message_pack` or `:message_pack_allow_marshal`,
-# which serialize with `ActiveSupport::MessagePack`. `ActiveSupport::MessagePack`
-# can roundtrip some Ruby types that are not supported by JSON, and may provide
-# improved performance, but it requires the `msgpack` gem.
-#
-# For more information, see
-# https://guides.rubyonrails.org/v7.1/configuring.html#config-active-support-message-serializer
-#
-# If you are performing a rolling deploy of a Rails 7.1 upgrade, wherein servers
-# that have not yet been upgraded must be able to read messages from upgraded
-# servers, first deploy without changing the serializer, then set the serializer
-# in a subsequent deploy.
-Rails.application.config.active_support.message_serializer = :json_allow_marshal
-
-# Enable a performance optimization that serializes message data and metadata
-# together. This changes the message format, so messages serialized this way
-# cannot be read by older versions of Rails. However, messages that use the old
-# format can still be read, regardless of whether this optimization is enabled.
-#
-# To perform a rolling deploy of a Rails 7.1 upgrade, wherein servers that have
-# not yet been upgraded must be able to read messages from upgraded servers,
-# leave this optimization off on the first deploy, then enable it on a
-# subsequent deploy.
-Rails.application.config.active_support.use_message_serializer_for_metadata = true
-
-# Set the maximum size for Rails log files.
-#
-# `config.load_defaults 7.1` does not set this value for environments other than
-# development and test.
-#
-# if Rails.env.local?
-# Rails.application.config.log_file_size = 100 * 1024 * 1024
-# end
-
-# Enable raising on assignment to attr_readonly attributes. The previous
-# behavior would allow assignment but silently not persist changes to the
-# database.
-Rails.application.config.active_record.raise_on_assign_to_attr_readonly = true
-
-# Enable validating only parent-related columns for presence when the parent is mandatory.
-# The previous behavior was to validate the presence of the parent record, which performed an extra query
-# to get the parent every time the child record was updated, even when parent has not changed.
-# Rails.application.config.active_record.belongs_to_required_validates_foreign_key = false
-
-# Enable precompilation of `config.filter_parameters`. Precompilation can
-# improve filtering performance, depending on the quantity and types of filters.
-Rails.application.config.precompile_filter_parameters = true
-
-# Enable before_committed! callbacks on all enrolled records in a transaction.
-# The previous behavior was to only run the callbacks on the first copy of a record
-# if there were multiple copies of the same record enrolled in the transaction.
-Rails.application.config.active_record.before_committed_on_all_records = true
-
-# Disable automatic column serialization into YAML.
-# To keep the historic behavior, you can set it to `YAML`, however it is
-# recommended to explicitly define the serialization method for each column
-# rather than to rely on a global default.
-Rails.application.config.active_record.default_column_serializer = nil
-
-# Enable a performance optimization that serializes Active Record models
-# in a faster and more compact way.
-#
-# To perform a rolling deploy of a Rails 7.1 upgrade, wherein servers that have
-# not yet been upgraded must be able to read caches from upgraded servers,
-# leave this optimization off on the first deploy, then enable it on a
-# subsequent deploy.
-Rails.application.config.active_record.marshalling_format_version = 7.1
-
-# Run `after_commit` and `after_*_commit` callbacks in the order they are defined in a model.
-# This matches the behaviour of all other callbacks.
-# In previous versions of Rails, they ran in the inverse order.
-Rails.application.config.active_record.run_after_transaction_callbacks_in_order_defined = true
-
-# Whether a `transaction` block is committed or rolled back when exited via `return`, `break` or `throw`.
-#
-# Rails.application.config.active_record.commit_transaction_on_non_local_return = true
-
-# Controls when to generate a value for <tt>has_secure_token</tt> declarations.
-#
-Rails.application.config.active_record.generate_secure_token_on = :initialize
-
-# ** Please read carefully, this must be configured in config/application.rb **
-# Change the format of the cache entry.
-# Changing this default means that all new cache entries added to the cache
-# will have a different format that is not supported by Rails 7.0
-# applications.
-# Only change this value after your application is fully deployed to Rails 7.1
-# and you have no plans to rollback.
-# When you're ready to change format, add this to `config/application.rb` (NOT
-# this file):
-# config.active_support.cache_format_version = 7.1
-
-# Configure Action View to use HTML5 standards-compliant sanitizers when they are supported on your
-# platform.
-#
-# `Rails::HTML::Sanitizer.best_supported_vendor` will cause Action View to use HTML5-compliant
-# sanitizers if they are supported, else fall back to HTML4 sanitizers.
-#
-# In previous versions of Rails, Action View always used `Rails::HTML4::Sanitizer` as its vendor.
-#
-# Rails.application.config.action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
-
-# Configure Action Text to use an HTML5 standards-compliant sanitizer when it is supported on your
-# platform.
-#
-# `Rails::HTML::Sanitizer.best_supported_vendor` will cause Action Text to use HTML5-compliant
-# sanitizers if they are supported, else fall back to HTML4 sanitizers.
-#
-# In previous versions of Rails, Action Text always used `Rails::HTML4::Sanitizer` as its vendor.
-#
-# Rails.application.config.action_text.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
-
-# Configure the log level used by the DebugExceptions middleware when logging
-# uncaught exceptions during requests
-# Rails.application.config.action_dispatch.debug_exception_log_level = :error
-
-# Configure the test helpers in Action View, Action Dispatch, and rails-dom-testing to use HTML5
-# parsers.
-#
-# Nokogiri::HTML5 isn't supported on JRuby, so JRuby applications must set this to :html4.
-#
-# In previous versions of Rails, these test helpers always used an HTML4 parser.
-#
-# Rails.application.config.dom_testing_default_html_version = :html5
role:
administrator: "This user is an administrator"
moderator: "This user is a moderator"
+ importer: "This user is a importer"
grant:
administrator: "Grant administrator access"
moderator: "Grant moderator access"
+ importer: "Grant importer access"
revoke:
administrator: "Revoke administrator access"
moderator: "Revoke moderator access"
+ importer: "Revoke importer access"
block_history: "Active Blocks"
moderator_history: "Blocks Given"
comments: "Comments"
initial_changeset_comments_per_hour: 6
max_changeset_comments_per_hour: 60
moderator_changeset_comments_per_hour: 36000
+# Rate limit for changes
+min_changes_per_hour: 100
+initial_changes_per_hour: 1000
+max_changes_per_hour: 100000
+days_to_max_changes: 7
+importer_changes_per_hour: 1000000
+moderator_changes_per_hour: 1000000
# Domain for handling message replies
#messages_domain: "messages.openstreetmap.org"
# MaxMind GeoIPv2 database
class AddRelations < ActiveRecord::Migration[4.2]
def self.up
# enums work like strings but are more efficient
- create_enumeration :nwr_enum, %w[Node Way Relation]
+ create_enum :nwr_enum, %w[Node Way Relation]
# a relation can have members much like a way can have nodes.
# differences:
end
def self.up
- create_enumeration :gpx_visibility_enum, %w[private public trackable identifiable]
+ create_enum :gpx_visibility_enum, %w[private public trackable identifiable]
add_column :gpx_files, :visibility, :gpx_visibility_enum, :default => "public", :null => false
Trace.where(:public => false).update_all(:visibility => "private")
add_index :gpx_files, [:visible, :visibility], :name => "gpx_files_visible_visibility_idx"
end
def self.up
- create_enumeration :user_role_enum, %w[administrator moderator]
+ create_enum :user_role_enum, %w[administrator moderator]
create_table :user_roles do |t|
t.column :user_id, :bigint, :null => false
end
def self.up
- create_enumeration :user_status_enum, %w[pending active confirmed suspended deleted]
+ create_enum :user_status_enum, %w[pending active confirmed suspended deleted]
add_column :users, :status, :user_status_enum, :null => false, :default => "pending"
class AddMapBugTables < ActiveRecord::Migration[4.2]
def self.up
- create_enumeration :map_bug_status_enum, %w[open closed hidden]
+ create_enum :map_bug_status_enum, %w[open closed hidden]
create_table :map_bugs do |t|
t.integer :latitude, :null => false
class AddMapBugCommentEvent < ActiveRecord::Migration[4.2]
def self.up
- create_enumeration :map_bug_event_enum, %w[opened closed reopened commented hidden]
+ create_enum :map_bug_event_enum, %w[opened closed reopened commented hidden]
add_column :map_bug_comment, :event, :map_bug_event_enum
end
class RenameBugsToNotes < ActiveRecord::Migration[4.2]
def self.up
- rename_enumeration "map_bug_status_enum", "note_status_enum"
- rename_enumeration "map_bug_event_enum", "note_event_enum"
+ rename_enum "map_bug_status_enum", :to => "note_status_enum"
+ rename_enum "map_bug_event_enum", :to => "note_event_enum"
rename_table :map_bugs, :notes
rename_index :notes, "map_bugs_changed_idx", "notes_updated_at_idx"
rename_index :notes, "notes_updated_at_idx", "map_bugs_changed_idx"
rename_table :notes, :map_bugs
- rename_enumeration "note_event_enum", "map_bug_event_enum"
- rename_enumeration "note_status_enum", "map_bug_status_enum"
+ rename_enum "note_event_enum", :to => "map_bug_event_enum"
+ rename_enum "note_status_enum", :to => "map_bug_status_enum"
end
end
class AddTextFormat < ActiveRecord::Migration[4.2]
def up
- create_enumeration :format_enum, %w[html markdown text]
+ create_enum :format_enum, %w[html markdown text]
add_column :users, :description_format, :format_enum, :null => false, :default => "html"
add_column :user_blocks, :reason_format, :format_enum, :null => false, :default => "html"
add_column :diary_entries, :body_format, :format_enum, :null => false, :default => "html"
class CreateIssuesAndReports < ActiveRecord::Migration[5.0]
def up
- create_enumeration :issue_status_enum, %w[open ignored resolved]
+ create_enum :issue_status_enum, %w[open ignored resolved]
create_table :issues do |t|
t.string :reportable_type, :null => false
--- /dev/null
+class AddImporterRole < ActiveRecord::Migration[7.1]
+ def change
+ add_enum_value :user_role_enum, "importer"
+ end
+end
--- /dev/null
+class ApiRateLimit < ActiveRecord::Migration[7.1]
+ def up
+ safety_assured do
+ execute DatabaseFunctions::API_RATE_LIMIT
+ end
+ end
+
+ def down
+ safety_assured do
+ execute "DROP FUNCTION api_rate_limit(bigint)"
+ end
+ end
+end
CREATE TYPE public.user_role_enum AS ENUM (
'administrator',
- 'moderator'
+ 'moderator',
+ 'importer'
);
'deleted'
);
+
+--
+-- Name: api_rate_limit(bigint); Type: FUNCTION; Schema: public; Owner: -
+--
+
+CREATE FUNCTION public.api_rate_limit(user_id bigint) RETURNS integer
+ LANGUAGE plpgsql STABLE
+ AS $$
+ DECLARE
+ min_changes_per_hour int4 := 100;
+ initial_changes_per_hour int4 := 1000;
+ max_changes_per_hour int4 := 100000;
+ days_to_max_changes int4 := 7;
+ importer_changes_per_hour int4 := 1000000;
+ moderator_changes_per_hour int4 := 1000000;
+ roles text[];
+ last_block timestamp without time zone;
+ first_change timestamp without time zone;
+ active_reports int4;
+ time_since_first_change double precision;
+ max_changes double precision;
+ recent_changes int4;
+ BEGIN
+ SELECT ARRAY_AGG(user_roles.role) INTO STRICT roles FROM user_roles WHERE user_roles.user_id = api_rate_limit.user_id;
+
+ IF 'moderator' = ANY(roles) THEN
+ max_changes := moderator_changes_per_hour;
+ ELSIF 'importer' = ANY(roles) THEN
+ max_changes := importer_changes_per_hour;
+ ELSE
+ SELECT user_blocks.created_at INTO last_block FROM user_blocks WHERE user_blocks.user_id = api_rate_limit.user_id ORDER BY user_blocks.created_at DESC LIMIT 1;
+
+ IF FOUND THEN
+ SELECT changesets.created_at INTO first_change FROM changesets WHERE changesets.user_id = api_rate_limit.user_id AND changesets.created_at > last_block ORDER BY changesets.created_at LIMIT 1;
+ ELSE
+ SELECT changesets.created_at INTO first_change FROM changesets WHERE changesets.user_id = api_rate_limit.user_id ORDER BY changesets.created_at LIMIT 1;
+ END IF;
+
+ IF NOT FOUND THEN
+ first_change := CURRENT_TIMESTAMP AT TIME ZONE 'UTC';
+ END IF;
+
+ SELECT COUNT(*) INTO STRICT active_reports
+ FROM issues INNER JOIN reports ON reports.issue_id = issues.id
+ WHERE issues.reported_user_id = api_rate_limit.user_id AND issues.status = 'open' AND reports.updated_at >= COALESCE(issues.resolved_at, '1970-01-01');
+
+ time_since_first_change := EXTRACT(EPOCH FROM CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - first_change);
+
+ max_changes := max_changes_per_hour * POWER(time_since_first_change, 2) / POWER(days_to_max_changes * 24 * 60 * 60, 2);
+ max_changes := GREATEST(initial_changes_per_hour, LEAST(max_changes_per_hour, FLOOR(max_changes)));
+ max_changes := max_changes / POWER(2, active_reports);
+ max_changes := GREATEST(min_changes_per_hour, LEAST(max_changes_per_hour, max_changes));
+ END IF;
+
+ SELECT COALESCE(SUM(changesets.num_changes), 0) INTO STRICT recent_changes FROM changesets WHERE changesets.user_id = api_rate_limit.user_id AND changesets.created_at >= CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - '1 hour'::interval;
+
+ RETURN max_changes - recent_changes;
+ END;
+ $$;
+
+
SET default_tablespace = '';
SET default_table_access_method = heap;
('23'),
('22'),
('21'),
+('20231101222146'),
+('20231029151516'),
('20231010194809'),
('20231007141103'),
('20230830115220'),
-FROM postgres:11
+FROM postgres:14
# Add db init script to install OSM-specific Postgres user.
ADD docker/postgres/openstreetmap-postgres-init.sh /docker-entrypoint-initdb.d/
--- /dev/null
+module DatabaseFunctions
+ API_RATE_LIMIT = %(
+ CREATE OR REPLACE FUNCTION api_rate_limit(user_id int8)
+ RETURNS int4
+ AS $$
+ DECLARE
+ min_changes_per_hour int4 := #{Settings.min_changes_per_hour};
+ initial_changes_per_hour int4 := #{Settings.initial_changes_per_hour};
+ max_changes_per_hour int4 := #{Settings.max_changes_per_hour};
+ days_to_max_changes int4 := #{Settings.days_to_max_changes};
+ importer_changes_per_hour int4 := #{Settings.importer_changes_per_hour};
+ moderator_changes_per_hour int4 := #{Settings.moderator_changes_per_hour};
+ roles text[];
+ last_block timestamp without time zone;
+ first_change timestamp without time zone;
+ active_reports int4;
+ time_since_first_change double precision;
+ max_changes double precision;
+ recent_changes int4;
+ BEGIN
+ SELECT ARRAY_AGG(user_roles.role) INTO STRICT roles FROM user_roles WHERE user_roles.user_id = api_rate_limit.user_id;
+
+ IF 'moderator' = ANY(roles) THEN
+ max_changes := moderator_changes_per_hour;
+ ELSIF 'importer' = ANY(roles) THEN
+ max_changes := importer_changes_per_hour;
+ ELSE
+ SELECT user_blocks.created_at INTO last_block FROM user_blocks WHERE user_blocks.user_id = api_rate_limit.user_id ORDER BY user_blocks.created_at DESC LIMIT 1;
+
+ IF FOUND THEN
+ SELECT changesets.created_at INTO first_change FROM changesets WHERE changesets.user_id = api_rate_limit.user_id AND changesets.created_at > last_block ORDER BY changesets.created_at LIMIT 1;
+ ELSE
+ SELECT changesets.created_at INTO first_change FROM changesets WHERE changesets.user_id = api_rate_limit.user_id ORDER BY changesets.created_at LIMIT 1;
+ END IF;
+
+ IF NOT FOUND THEN
+ first_change := CURRENT_TIMESTAMP AT TIME ZONE 'UTC';
+ END IF;
+
+ SELECT COUNT(*) INTO STRICT active_reports
+ FROM issues INNER JOIN reports ON reports.issue_id = issues.id
+ WHERE issues.reported_user_id = api_rate_limit.user_id AND issues.status = 'open' AND reports.updated_at >= COALESCE(issues.resolved_at, '1970-01-01');
+
+ time_since_first_change := EXTRACT(EPOCH FROM CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - first_change);
+
+ max_changes := max_changes_per_hour * POWER(time_since_first_change, 2) / POWER(days_to_max_changes * 24 * 60 * 60, 2);
+ max_changes := GREATEST(initial_changes_per_hour, LEAST(max_changes_per_hour, FLOOR(max_changes)));
+ max_changes := max_changes / POWER(2, active_reports);
+ max_changes := GREATEST(min_changes_per_hour, LEAST(max_changes_per_hour, max_changes));
+ END IF;
+
+ SELECT COALESCE(SUM(changesets.num_changes), 0) INTO STRICT recent_changes FROM changesets WHERE changesets.user_id = api_rate_limit.user_id AND changesets.created_at >= CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - '1 hour'::interval;
+
+ RETURN max_changes - recent_changes;
+ END;
+ $$ LANGUAGE plpgsql STABLE;
+ ).freeze
+end
--- /dev/null
+namespace :db do
+ desc "Update database function definitions"
+ task :update_functions => :environment do
+ ActiveRecord::Base.connection.execute DatabaseFunctions::API_RATE_LIMIT
+ end
+end
assert_equal "Precondition failed: Node #{node.id} is still used by ways #{way.id}.", @response.body
end
+ ##
+ # test initial rate limit
+ def test_upload_initial_rate_limit
+ # create a user
+ user = create(:user)
+
+ # create some objects to use
+ node = create(:node)
+ way = create(:way_with_nodes, :nodes_count => 2)
+ relation = create(:relation)
+
+ # create a changeset that puts us near the initial rate limit
+ changeset = create(:changeset, :user => user,
+ :created_at => Time.now.utc - 5.minutes,
+ :num_changes => Settings.initial_changes_per_hour - 2)
+
+ # create authentication header
+ auth_header = basic_authorization_header user.email, "test"
+
+ # simple diff to create a node way and relation using placeholders
+ diff = <<~CHANGESET
+ <osmChange>
+ <create>
+ <node id='-1' lon='0' lat='0' changeset='#{changeset.id}'>
+ <tag k='foo' v='bar'/>
+ <tag k='baz' v='bat'/>
+ </node>
+ <way id='-1' changeset='#{changeset.id}'>
+ <nd ref='#{node.id}'/>
+ </way>
+ </create>
+ <create>
+ <relation id='-1' changeset='#{changeset.id}'>
+ <member type='way' role='some' ref='#{way.id}'/>
+ <member type='node' role='some' ref='#{node.id}'/>
+ <member type='relation' role='some' ref='#{relation.id}'/>
+ </relation>
+ </create>
+ </osmChange>
+ CHANGESET
+
+ # upload it
+ post changeset_upload_path(changeset), :params => diff, :headers => auth_header
+ assert_response :too_many_requests, "upload did not hit rate limit"
+ end
+
+ ##
+ # test maximum rate limit
+ def test_upload_maximum_rate_limit
+ # create a user
+ user = create(:user)
+
+ # create some objects to use
+ node = create(:node)
+ way = create(:way_with_nodes, :nodes_count => 2)
+ relation = create(:relation)
+
+ # create a changeset to establish our initial edit time
+ changeset = create(:changeset, :user => user,
+ :created_at => Time.now.utc - 28.days)
+
+ # create changeset to put us near the maximum rate limit
+ total_changes = Settings.max_changes_per_hour - 2
+ while total_changes.positive?
+ changes = [total_changes, Changeset::MAX_ELEMENTS].min
+ changeset = create(:changeset, :user => user,
+ :created_at => Time.now.utc - 5.minutes,
+ :num_changes => changes)
+ total_changes -= changes
+ end
+
+ # create authentication header
+ auth_header = basic_authorization_header user.email, "test"
+
+ # simple diff to create a node way and relation using placeholders
+ diff = <<~CHANGESET
+ <osmChange>
+ <create>
+ <node id='-1' lon='0' lat='0' changeset='#{changeset.id}'>
+ <tag k='foo' v='bar'/>
+ <tag k='baz' v='bat'/>
+ </node>
+ <way id='-1' changeset='#{changeset.id}'>
+ <nd ref='#{node.id}'/>
+ </way>
+ </create>
+ <create>
+ <relation id='-1' changeset='#{changeset.id}'>
+ <member type='way' role='some' ref='#{way.id}'/>
+ <member type='node' role='some' ref='#{node.id}'/>
+ <member type='relation' role='some' ref='#{relation.id}'/>
+ </relation>
+ </create>
+ </osmChange>
+ CHANGESET
+
+ # upload it
+ post changeset_upload_path(changeset), :params => diff, :headers => auth_header
+ assert_response :too_many_requests, "upload did not hit rate limit"
+ end
+
##
# when we make some simple changes we get the same changes back from the
# diff download.
# check that a changeset can contain a certain max number of changes.
## FIXME should be changed to an integration test due to the with_controller
def test_changeset_limits
- auth_header = basic_authorization_header create(:user).email, "test"
+ user = create(:user)
+ auth_header = basic_authorization_header user.email, "test"
+
+ # create an old changeset to ensure we have the maximum rate limit
+ create(:changeset, :user => user, :created_at => Time.now.utc - 28.days)
# open a new changeset
xml = "<osm><changeset/></osm>"
assert_includes apinode.tags, "\#{@user.inspect}"
end
+ ##
+ # test initial rate limit
+ def test_initial_rate_limit
+ # create a user
+ user = create(:user)
+
+ # create a changeset that puts us near the initial rate limit
+ changeset = create(:changeset, :user => user,
+ :created_at => Time.now.utc - 5.minutes,
+ :num_changes => Settings.initial_changes_per_hour - 1)
+
+ # create authentication header
+ auth_header = basic_authorization_header user.email, "test"
+
+ # try creating a node
+ xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'/></osm>"
+ put node_create_path, :params => xml, :headers => auth_header
+ assert_response :success, "node create did not return success status"
+
+ # get the id of the node we created
+ nodeid = @response.body
+
+ # try updating the node, which should be rate limited
+ xml = "<osm><node id='#{nodeid}' version='1' lat='1' lon='1' changeset='#{changeset.id}'/></osm>"
+ put api_node_path(nodeid), :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "node update did not hit rate limit"
+
+ # try deleting the node, which should be rate limited
+ xml = "<osm><node id='#{nodeid}' version='2' lat='1' lon='1' changeset='#{changeset.id}'/></osm>"
+ delete api_node_path(nodeid), :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "node delete did not hit rate limit"
+
+ # try creating a node, which should be rate limited
+ xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'/></osm>"
+ put node_create_path, :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "node create did not hit rate limit"
+ end
+
+ ##
+ # test maximum rate limit
+ def test_maximum_rate_limit
+ # create a user
+ user = create(:user)
+
+ # create a changeset to establish our initial edit time
+ changeset = create(:changeset, :user => user,
+ :created_at => Time.now.utc - 28.days)
+
+ # create changeset to put us near the maximum rate limit
+ total_changes = Settings.max_changes_per_hour - 1
+ while total_changes.positive?
+ changes = [total_changes, Changeset::MAX_ELEMENTS].min
+ changeset = create(:changeset, :user => user,
+ :created_at => Time.now.utc - 5.minutes,
+ :num_changes => changes)
+ total_changes -= changes
+ end
+
+ # create authentication header
+ auth_header = basic_authorization_header user.email, "test"
+
+ # try creating a node
+ xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'/></osm>"
+ put node_create_path, :params => xml, :headers => auth_header
+ assert_response :success, "node create did not return success status"
+
+ # get the id of the node we created
+ nodeid = @response.body
+
+ # try updating the node, which should be rate limited
+ xml = "<osm><node id='#{nodeid}' version='1' lat='1' lon='1' changeset='#{changeset.id}'/></osm>"
+ put api_node_path(nodeid), :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "node update did not hit rate limit"
+
+ # try deleting the node, which should be rate limited
+ xml = "<osm><node id='#{nodeid}' version='2' lat='1' lon='1' changeset='#{changeset.id}'/></osm>"
+ delete api_node_path(nodeid), :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "node delete did not hit rate limit"
+
+ # try creating a node, which should be rate limited
+ xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'/></osm>"
+ put node_create_path, :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "node create did not hit rate limit"
+ end
+
private
##
end
end
+ ##
+ # test initial rate limit
+ def test_initial_rate_limit
+ # create a user
+ user = create(:user)
+
+ # create some nodes
+ node1 = create(:node)
+ node2 = create(:node)
+
+ # create a changeset that puts us near the initial rate limit
+ changeset = create(:changeset, :user => user,
+ :created_at => Time.now.utc - 5.minutes,
+ :num_changes => Settings.initial_changes_per_hour - 1)
+
+ # create authentication header
+ auth_header = basic_authorization_header user.email, "test"
+
+ # try creating a relation
+ xml = "<osm><relation changeset='#{changeset.id}'>" \
+ "<member ref='#{node1.id}' type='node' role='some'/>" \
+ "<member ref='#{node2.id}' type='node' role='some'/>" \
+ "<tag k='test' v='yes' /></relation></osm>"
+ put relation_create_path, :params => xml, :headers => auth_header
+ assert_response :success, "relation create did not return success status"
+
+ # get the id of the relation we created
+ relationid = @response.body
+
+ # try updating the relation, which should be rate limited
+ xml = "<osm><relation id='#{relationid}' version='1' changeset='#{changeset.id}'>" \
+ "<member ref='#{node2.id}' type='node' role='some'/>" \
+ "<member ref='#{node1.id}' type='node' role='some'/>" \
+ "<tag k='test' v='yes' /></relation></osm>"
+ put api_relation_path(relationid), :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "relation update did not hit rate limit"
+
+ # try deleting the relation, which should be rate limited
+ xml = "<osm><relation id='#{relationid}' version='2' changeset='#{changeset.id}'/></osm>"
+ delete api_relation_path(relationid), :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "relation delete did not hit rate limit"
+
+ # try creating a relation, which should be rate limited
+ xml = "<osm><relation changeset='#{changeset.id}'>" \
+ "<member ref='#{node1.id}' type='node' role='some'/>" \
+ "<member ref='#{node2.id}' type='node' role='some'/>" \
+ "<tag k='test' v='yes' /></relation></osm>"
+ put relation_create_path, :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "relation create did not hit rate limit"
+ end
+
+ ##
+ # test maximum rate limit
+ def test_maximum_rate_limit
+ # create a user
+ user = create(:user)
+
+ # create some nodes
+ node1 = create(:node)
+ node2 = create(:node)
+
+ # create a changeset to establish our initial edit time
+ changeset = create(:changeset, :user => user,
+ :created_at => Time.now.utc - 28.days)
+
+ # create changeset to put us near the maximum rate limit
+ total_changes = Settings.max_changes_per_hour - 1
+ while total_changes.positive?
+ changes = [total_changes, Changeset::MAX_ELEMENTS].min
+ changeset = create(:changeset, :user => user,
+ :created_at => Time.now.utc - 5.minutes,
+ :num_changes => changes)
+ total_changes -= changes
+ end
+
+ # create authentication header
+ auth_header = basic_authorization_header user.email, "test"
+
+ # try creating a relation
+ xml = "<osm><relation changeset='#{changeset.id}'>" \
+ "<member ref='#{node1.id}' type='node' role='some'/>" \
+ "<member ref='#{node2.id}' type='node' role='some'/>" \
+ "<tag k='test' v='yes' /></relation></osm>"
+ put relation_create_path, :params => xml, :headers => auth_header
+ assert_response :success, "relation create did not return success status"
+
+ # get the id of the relation we created
+ relationid = @response.body
+
+ # try updating the relation, which should be rate limited
+ xml = "<osm><relation id='#{relationid}' version='1' changeset='#{changeset.id}'>" \
+ "<member ref='#{node2.id}' type='node' role='some'/>" \
+ "<member ref='#{node1.id}' type='node' role='some'/>" \
+ "<tag k='test' v='yes' /></relation></osm>"
+ put api_relation_path(relationid), :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "relation update did not hit rate limit"
+
+ # try deleting the relation, which should be rate limited
+ xml = "<osm><relation id='#{relationid}' version='2' changeset='#{changeset.id}'/></osm>"
+ delete api_relation_path(relationid), :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "relation delete did not hit rate limit"
+
+ # try creating a relation, which should be rate limited
+ xml = "<osm><relation changeset='#{changeset.id}'>" \
+ "<member ref='#{node1.id}' type='node' role='some'/>" \
+ "<member ref='#{node2.id}' type='node' role='some'/>" \
+ "<tag k='test' v='yes' /></relation></osm>"
+ put relation_create_path, :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "relation create did not hit rate limit"
+ end
+
private
def check_relations_for_element(path, type, id, expected_relations)
end
end
+ ##
+ # test initial rate limit
+ def test_initial_rate_limit
+ # create a user
+ user = create(:user)
+
+ # create some nodes
+ node1 = create(:node)
+ node2 = create(:node)
+
+ # create a changeset that puts us near the initial rate limit
+ changeset = create(:changeset, :user => user,
+ :created_at => Time.now.utc - 5.minutes,
+ :num_changes => Settings.initial_changes_per_hour - 1)
+
+ # create authentication header
+ auth_header = basic_authorization_header user.email, "test"
+
+ # try creating a way
+ xml = "<osm><way changeset='#{changeset.id}'>" \
+ "<nd ref='#{node1.id}'/><nd ref='#{node2.id}'/>" \
+ "<tag k='test' v='yes' /></way></osm>"
+ put way_create_path, :params => xml, :headers => auth_header
+ assert_response :success, "way create did not return success status"
+
+ # get the id of the way we created
+ wayid = @response.body
+
+ # try updating the way, which should be rate limited
+ xml = "<osm><way id='#{wayid}' version='1' changeset='#{changeset.id}'>" \
+ "<nd ref='#{node2.id}'/><nd ref='#{node1.id}'/>" \
+ "<tag k='test' v='yes' /></way></osm>"
+ put api_way_path(wayid), :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "way update did not hit rate limit"
+
+ # try deleting the way, which should be rate limited
+ xml = "<osm><way id='#{wayid}' version='2' changeset='#{changeset.id}'/></osm>"
+ delete api_way_path(wayid), :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "way delete did not hit rate limit"
+
+ # try creating a way, which should be rate limited
+ xml = "<osm><way changeset='#{changeset.id}'>" \
+ "<nd ref='#{node1.id}'/><nd ref='#{node2.id}'/>" \
+ "<tag k='test' v='yes' /></way></osm>"
+ put way_create_path, :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "way create did not hit rate limit"
+ end
+
+ ##
+ # test maximum rate limit
+ def test_maximum_rate_limit
+ # create a user
+ user = create(:user)
+
+ # create some nodes
+ node1 = create(:node)
+ node2 = create(:node)
+
+ # create a changeset to establish our initial edit time
+ changeset = create(:changeset, :user => user,
+ :created_at => Time.now.utc - 28.days)
+
+ # create changeset to put us near the maximum rate limit
+ total_changes = Settings.max_changes_per_hour - 1
+ while total_changes.positive?
+ changes = [total_changes, Changeset::MAX_ELEMENTS].min
+ changeset = create(:changeset, :user => user,
+ :created_at => Time.now.utc - 5.minutes,
+ :num_changes => changes)
+ total_changes -= changes
+ end
+
+ # create authentication header
+ auth_header = basic_authorization_header user.email, "test"
+
+ # try creating a way
+ xml = "<osm><way changeset='#{changeset.id}'>" \
+ "<nd ref='#{node1.id}'/><nd ref='#{node2.id}'/>" \
+ "<tag k='test' v='yes' /></way></osm>"
+ put way_create_path, :params => xml, :headers => auth_header
+ assert_response :success, "way create did not return success status"
+
+ # get the id of the way we created
+ wayid = @response.body
+
+ # try updating the way, which should be rate limited
+ xml = "<osm><way id='#{wayid}' version='1' changeset='#{changeset.id}'>" \
+ "<nd ref='#{node2.id}'/><nd ref='#{node1.id}'/>" \
+ "<tag k='test' v='yes' /></way></osm>"
+ put api_way_path(wayid), :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "way update did not hit rate limit"
+
+ # try deleting the way, which should be rate limited
+ xml = "<osm><way id='#{wayid}' version='2' changeset='#{changeset.id}'/></osm>"
+ delete api_way_path(wayid), :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "way delete did not hit rate limit"
+
+ # try creating a way, which should be rate limited
+ xml = "<osm><way changeset='#{changeset.id}'>" \
+ "<nd ref='#{node1.id}'/><nd ref='#{node2.id}'/>" \
+ "<tag k='test' v='yes' /></way></osm>"
+ put way_create_path, :params => xml, :headers => auth_header
+ assert_response :too_many_requests, "way create did not hit rate limit"
+ end
+
private
##
end
end
+ factory :importer_user do
+ after(:create) do |user, _evaluator|
+ create(:user_role, :role => "importer", :user => user)
+ end
+ end
+
factory :moderator_user do
after(:create) do |user, _evaluator|
create(:user_role, :role => "moderator", :user => user)
icon = role_icon(current_user, "moderator")
assert_dom_equal "", icon
+ icon = role_icon(current_user, "importer")
+ assert_dom_equal "", icon
+
icon = role_icon(create(:moderator_user), "moderator")
expected = <<~HTML.delete("\n")
<img srcset="/images/roles/moderator.svg" border="0" alt="This user is a moderator" title="This user is a moderator" src="/images/roles/moderator.png" width="20" height="20" />
HTML
assert_dom_equal expected, icon
+
+ icon = role_icon(create(:importer_user), "importer")
+ expected = <<~HTML.delete("\n")
+ <img srcset="/images/roles/importer.svg" border="0" alt="This user is a importer" title="This user is a importer" src="/images/roles/importer.png" width="20" height="20" />
+ HTML
+ assert_dom_equal expected, icon
end
def test_role_icon_administrator
self.current_user = create(:administrator_user)
user = create(:user)
+
icon = role_icon(user, "moderator")
expected = <<~HTML.delete("\n")
<a data-confirm="Are you sure you want to grant the role `moderator' to the user `#{user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(user.display_name)}/role/moderator/grant">
HTML
assert_dom_equal expected, icon
+ icon = role_icon(user, "importer")
+ expected = <<~HTML.delete("\n")
+ <a data-confirm="Are you sure you want to grant the role `importer' to the user `#{user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(user.display_name)}/role/importer/grant">
+ <img srcset="/images/roles/blank_importer.svg" border="0" alt="Grant importer access" title="Grant importer access" src="/images/roles/blank_importer.png" width="20" height="20" />
+ </a>
+ HTML
+ assert_dom_equal expected, icon
+
moderator_user = create(:moderator_user)
+
icon = role_icon(moderator_user, "moderator")
expected = <<~HTML.delete("\n")
<a data-confirm="Are you sure you want to revoke the role `moderator' from the user `#{moderator_user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(moderator_user.display_name)}/role/moderator/revoke">
</a>
HTML
assert_dom_equal expected, icon
+
+ icon = role_icon(user, "importer")
+ expected = <<~HTML.delete("\n")
+ <a data-confirm="Are you sure you want to grant the role `importer' to the user `#{user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(user.display_name)}/role/importer/grant">
+ <img srcset="/images/roles/blank_importer.svg" border="0" alt="Grant importer access" title="Grant importer access" src="/images/roles/blank_importer.png" width="20" height="20" />
+ </a>
+ HTML
+ assert_dom_equal expected, icon
+
+ importer_user = create(:importer_user)
+
+ icon = role_icon(user, "moderator")
+ expected = <<~HTML.delete("\n")
+ <a data-confirm="Are you sure you want to grant the role `moderator' to the user `#{user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(user.display_name)}/role/moderator/grant">
+ <img srcset="/images/roles/blank_moderator.svg" border="0" alt="Grant moderator access" title="Grant moderator access" src="/images/roles/blank_moderator.png" width="20" height="20" />
+ </a>
+ HTML
+ assert_dom_equal expected, icon
+
+ icon = role_icon(importer_user, "importer")
+ expected = <<~HTML.delete("\n")
+ <a data-confirm="Are you sure you want to revoke the role `importer' from the user `#{importer_user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(importer_user.display_name)}/role/importer/revoke">
+ <img srcset="/images/roles/importer.svg" border="0" alt="Revoke importer access" title="Revoke importer access" src="/images/roles/importer.png" width="20" height="20" />
+ </a>
+ HTML
+ assert_dom_equal expected, icon
end
def test_role_icons_normal
HTML
assert_dom_equal expected, icons
+ icons = role_icons(create(:importer_user))
+ expected = <<~HTML.delete("\n")
+ <img srcset="/images/roles/importer.svg" border="0" alt="This user is a importer" title="This user is a importer" src="/images/roles/importer.png" width="20" height="20" />
+ HTML
+ assert_dom_equal expected, icons
+
icons = role_icons(create(:super_user))
expected = <<~HTML.delete("\n")
<img srcset="/images/roles/administrator.svg" border="0" alt="This user is an administrator" title="This user is an administrator" src="/images/roles/administrator.png" width="20" height="20" />
<img srcset="/images/roles/moderator.svg" border="0" alt="This user is a moderator" title="This user is a moderator" src="/images/roles/moderator.png" width="20" height="20" />
+ <img srcset="/images/roles/importer.svg" border="0" alt="This user is a importer" title="This user is a importer" src="/images/roles/importer.png" width="20" height="20" />
HTML
assert_dom_equal expected, icons
end
<a data-confirm="Are you sure you want to grant the role `moderator' to the user `#{user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(user.display_name)}/role/moderator/grant">
<img srcset="/images/roles/blank_moderator.svg" border="0" alt="Grant moderator access" title="Grant moderator access" src="/images/roles/blank_moderator.png" width="20" height="20" />
</a>
+ <a data-confirm="Are you sure you want to grant the role `importer' to the user `#{user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(user.display_name)}/role/importer/grant">
+ <img srcset="/images/roles/blank_importer.svg" border="0" alt="Grant importer access" title="Grant importer access" src="/images/roles/blank_importer.png" width="20" height="20" />
+ </a>
HTML
assert_dom_equal expected, icons
<a data-confirm="Are you sure you want to revoke the role `moderator' from the user `#{moderator_user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(moderator_user.display_name)}/role/moderator/revoke">
<img srcset="/images/roles/moderator.svg" border="0" alt="Revoke moderator access" title="Revoke moderator access" src="/images/roles/moderator.png" width="20" height="20" />
</a>
+ <a data-confirm="Are you sure you want to grant the role `importer' to the user `#{moderator_user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(moderator_user.display_name)}/role/importer/grant">
+ <img srcset="/images/roles/blank_importer.svg" border="0" alt="Grant importer access" title="Grant importer access" src="/images/roles/blank_importer.png" width="20" height="20" />
+ </a>
+ HTML
+ assert_dom_equal expected, icons
+
+ importer_user = create(:importer_user)
+ icons = role_icons(importer_user)
+ expected = <<~HTML.delete("\n")
+ <a data-confirm="Are you sure you want to grant the role `administrator' to the user `#{importer_user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(importer_user.display_name)}/role/administrator/grant">
+ <img srcset="/images/roles/blank_administrator.svg" border="0" alt="Grant administrator access" title="Grant administrator access" src="/images/roles/blank_administrator.png" width="20" height="20" />
+ </a>
+ <a data-confirm="Are you sure you want to grant the role `moderator' to the user `#{importer_user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(importer_user.display_name)}/role/moderator/grant">
+ <img srcset="/images/roles/blank_moderator.svg" border="0" alt="Grant moderator access" title="Grant moderator access" src="/images/roles/blank_moderator.png" width="20" height="20" />
+ </a>
+ <a data-confirm="Are you sure you want to revoke the role `importer' from the user `#{importer_user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(importer_user.display_name)}/role/importer/revoke">
+ <img srcset="/images/roles/importer.svg" border="0" alt="Revoke importer access" title="Revoke importer access" src="/images/roles/importer.png" width="20" height="20" />
+ </a>
HTML
assert_dom_equal expected, icons
<a data-confirm="Are you sure you want to revoke the role `moderator' from the user `#{super_user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(super_user.display_name)}/role/moderator/revoke">
<img srcset="/images/roles/moderator.svg" border="0" alt="Revoke moderator access" title="Revoke moderator access" src="/images/roles/moderator.png" width="20" height="20" />
</a>
+ <a data-confirm="Are you sure you want to revoke the role `importer' from the user `#{super_user.display_name}'?" rel="nofollow" data-method="post" href="/user/#{ERB::Util.u(super_user.display_name)}/role/importer/revoke">
+ <img srcset="/images/roles/importer.svg" border="0" alt="Revoke importer access" title="Revoke importer access" src="/images/roles/importer.png" width="20" height="20" />
+ </a>
HTML
assert_dom_equal expected, icons
end
projects / rails.git / commitdiff
