# * version conflict when POIs and ways are reverted
module Api
- class AmfController < ApplicationController
+ class AmfController < ApiController
include Potlatch
- skip_before_action :verify_authenticity_token
before_action :check_api_writable
# AMF Controller implements its own authentication and authorization checks
module Api
- class CapabilitiesController < ApplicationController
- skip_before_action :verify_authenticity_token
- before_action :api_deny_access_handler
-
+ class CapabilitiesController < ApiController
authorize_resource :class => false
around_action :api_call_handle_error, :api_call_timeout
module Api
- class ChangesController < ApplicationController
- skip_before_action :verify_authenticity_token
- before_action :api_deny_access_handler
-
+ class ChangesController < ApiController
authorize_resource :class => false
before_action :check_api_readable
module Api
- class ChangesetCommentsController < ApplicationController
- skip_before_action :verify_authenticity_token
+ class ChangesetCommentsController < ApiController
before_action :authorize
- before_action :api_deny_access_handler
authorize_resource
# The ChangesetController is the RESTful interface to Changeset objects
module Api
- class ChangesetsController < ApplicationController
+ class ChangesetsController < ApiController
layout "site"
require "xml/libxml"
- skip_before_action :verify_authenticity_token
before_action :authorize, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
- before_action :api_deny_access_handler, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox]
authorize_resource
before_action :require_public_data, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
before_action :check_api_writable, :only => [:create, :update, :upload, :subscribe, :unsubscribe]
before_action :check_api_readable, :except => [:create, :update, :upload, :download, :query, :subscribe, :unsubscribe]
- before_action(:only => [:index, :feed]) { |c| c.check_database_readable(true) }
around_action :api_call_handle_error
around_action :api_call_timeout, :except => [:upload]
module Api
- class MapController < ApplicationController
- skip_before_action :verify_authenticity_token
- before_action :api_deny_access_handler
-
+ class MapController < ApiController
authorize_resource :class => false
before_action :check_api_readable
# The NodeController is the RESTful interface to Node objects
module Api
- class NodesController < ApplicationController
+ class NodesController < ApiController
require "xml/libxml"
- skip_before_action :verify_authenticity_token
before_action :authorize, :only => [:create, :update, :delete]
- before_action :api_deny_access_handler
authorize_resource
module Api
- class NotesController < ApplicationController
+ class NotesController < ApiController
layout "site", :only => [:mine]
- skip_before_action :verify_authenticity_token
before_action :check_api_readable
before_action :setup_user_auth, :only => [:create, :comment, :show]
before_action :authorize, :only => [:close, :reopen, :destroy]
- before_action :api_deny_access_handler
authorize_resource
# into one place. as it turns out, the API methods for historical
# nodes, ways and relations are basically identical.
module Api
- class OldController < ApplicationController
+ class OldController < ApiController
require "xml/libxml"
- skip_before_action :verify_authenticity_token
before_action :setup_user_auth, :only => [:history, :version]
- before_action :api_deny_access_handler
before_action :authorize, :only => [:redact]
authorize_resource
module Api
- class PermissionsController < ApplicationController
- skip_before_action :verify_authenticity_token
- before_action :api_deny_access_handler
-
+ class PermissionsController < ApiController
authorize_resource :class => false
before_action :check_api_readable
module Api
- class RelationsController < ApplicationController
+ class RelationsController < ApiController
require "xml/libxml"
- skip_before_action :verify_authenticity_token
before_action :authorize, :only => [:create, :update, :delete]
- before_action :api_deny_access_handler
authorize_resource
module Api
- class SearchController < ApplicationController
+ class SearchController < ApiController
# Support searching for nodes, ways, or all
# Can search by tag k, v, or both (type->k,value->v)
# Can search by name (k=name,v=....)
- skip_before_action :verify_authenticity_token
authorize_resource :class => false
def search_all
module Api
- class SwfController < ApplicationController
- skip_before_action :verify_authenticity_token
+ class SwfController < ApiController
before_action :check_api_readable
authorize_resource :class => false
module Api
- class TracepointsController < ApplicationController
- skip_before_action :verify_authenticity_token
- before_action :api_deny_access_handler
-
+ class TracepointsController < ApiController
authorize_resource
before_action :check_api_readable
module Api
- class TracesController < ApplicationController
+ class TracesController < ApiController
layout "site", :except => :georss
- skip_before_action :verify_authenticity_token
before_action :authorize_web
before_action :set_locale
before_action :authorize
- before_action :api_deny_access_handler
authorize_resource
# Update and read user preferences, which are arbitrayr key/val pairs
module Api
- class UserPreferencesController < ApplicationController
- skip_before_action :verify_authenticity_token
+ class UserPreferencesController < ApiController
before_action :authorize
authorize_resource
module Api
- class UsersController < ApplicationController
+ class UsersController < ApiController
layout "site", :except => [:api_details]
- skip_before_action :verify_authenticity_token
before_action :disable_terms_redirect, :only => [:api_details]
before_action :authorize, :only => [:api_details, :api_gpx_files]
- before_action :api_deny_access_handler
authorize_resource
module Api
- class WaysController < ApplicationController
+ class WaysController < ApiController
require "xml/libxml"
- skip_before_action :verify_authenticity_token
before_action :authorize, :only => [:create, :update, :delete]
- before_action :api_deny_access_handler
authorize_resource
--- /dev/null
+class ApiController < ApplicationController
+ skip_before_action :verify_authenticity_token
+
+ private
+
+ def authorize(realm = "Web Password", errormessage = "Couldn't authenticate you")
+ # make the current_user object from any auth sources we have
+ setup_user_auth
+
+ # handle authenticate pass/fail
+ unless current_user
+ # no auth, the user does not exist or the password was wrong
+ response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
+ render :plain => errormessage, :status => :unauthorized
+ return false
+ end
+ end
+
+ def deny_access(_exception)
+ if current_token
+ set_locale
+ report_error t("oauth.permissions.missing"), :forbidden
+ elsif current_user
+ head :forbidden
+ else
+ realm = "Web Password"
+ errormessage = "Couldn't authenticate you"
+ response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
+ render :plain => errormessage, :status => :unauthorized
+ end
+ end
+
+ def gpx_status
+ status = database_status
+ status = "offline" if status == "online" && Settings.status == "gpx_offline"
+ status
+ end
+
+ ##
+ # sets up the current_user for use by other methods. this is mostly called
+ # from the authorize method, but can be called elsewhere if authorisation
+ # is optional.
+ def setup_user_auth
+ # try and setup using OAuth
+ unless Authenticator.new(self, [:token]).allow?
+ username, passwd = get_auth_data # parse from headers
+ # authenticate per-scheme
+ self.current_user = if username.nil?
+ nil # no authentication provided - perhaps first connect (client should retry after 401)
+ elsif username == "token"
+ User.authenticate(:token => passwd) # preferred - random token for user from db, passed in basic auth
+ else
+ User.authenticate(:username => username, :password => passwd) # basic auth
+ end
+ end
+
+ # have we identified the user?
+ if current_user
+ # check if the user has been banned
+ user_block = current_user.blocks.active.take
+ unless user_block.nil?
+ set_locale
+ if user_block.zero_hour?
+ report_error t("application.setup_user_auth.blocked_zero_hour"), :forbidden
+ else
+ report_error t("application.setup_user_auth.blocked"), :forbidden
+ end
+ end
+
+ # if the user hasn't seen the contributor terms then don't
+ # allow editing - they have to go to the web site and see
+ # (but can decline) the CTs to continue.
+ if !current_user.terms_seen && flash[:skip_terms].nil?
+ set_locale
+ report_error t("application.setup_user_auth.need_to_see_terms"), :forbidden
+ end
+ end
+ end
+end
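Review bot: The `return false` at the end of the `unless current_user` branch in `authorize` does nothing useful — the `render :plain => errormessage, :status => :unauthorized` on the line above is what halts the filter chain (controller filters stop when a response has been performed, not on a false return), so the line only suggests a return-value contract that does not exist. The same 401 challenge is then written out a second time in the `else` branch of `deny_access` (`realm`/`errormessage` locals plus the header and render); pulling it into one private helper keeps the realm and message strings in a single place. None of the three new methods carries a `##` header comment even though the moved `setup_user_auth` does; a one-line purpose comment on `authorize` (sets up `current_user` from OAuth/basic auth and challenges with 401 otherwise), on `deny_access` (CanCan denial handler: 403 for a token lacking permission or an authenticated user, 401 challenge otherwise) and on `gpx_status` (database status, downgraded to "offline" when `Settings.status` is "gpx_offline") would make the base class self-describing.
```ruby
  def authorize(realm = "Web Password", errormessage = "Couldn't authenticate you")
    # make the current_user object from any auth sources we have
    setup_user_auth

    # no auth, the user does not exist or the password was wrong;
    # rendering the 401 is what halts the filter chain
    basic_auth_challenge(realm, errormessage) unless current_user
  end

  def deny_access(_exception)
    if current_token
      set_locale
      report_error t("oauth.permissions.missing"), :forbidden
    elsif current_user
      head :forbidden
    else
      basic_auth_challenge
    end
  end

  ##
  # send the HTTP Basic challenge used by authorize and deny_access when
  # the request carried no usable credentials
  def basic_auth_challenge(realm = "Web Password", errormessage = "Couldn't authenticate you")
    response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
    render :plain => errormessage, :status => :unauthorized
  end

  # … unchanged: gpx_status, setup_user_auth …
```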
attr_accessor :current_user
helper_method :current_user
+ private
+
def authorize_web
if session[:user]
self.current_user = User.where(:id => session[:user]).where("status IN ('active', 'confirmed', 'suspended')").first
end
end
- ##
- # sets up the current_user for use by other methods. this is mostly called
- # from the authorize method, but can be called elsewhere if authorisation
- # is optional.
- def setup_user_auth
- # try and setup using OAuth
- unless Authenticator.new(self, [:token]).allow?
- username, passwd = get_auth_data # parse from headers
- # authenticate per-scheme
- self.current_user = if username.nil?
- nil # no authentication provided - perhaps first connect (client should retry after 401)
- elsif username == "token"
- User.authenticate(:token => passwd) # preferred - random token for user from db, passed in basic auth
- else
- User.authenticate(:username => username, :password => passwd) # basic auth
- end
- end
-
- # have we identified the user?
- if current_user
- # check if the user has been banned
- user_block = current_user.blocks.active.take
- unless user_block.nil?
- set_locale
- if user_block.zero_hour?
- report_error t("application.setup_user_auth.blocked_zero_hour"), :forbidden
- else
- report_error t("application.setup_user_auth.blocked"), :forbidden
- end
- end
-
- # if the user hasn't seen the contributor terms then don't
- # allow editing - they have to go to the web site and see
- # (but can decline) the CTs to continue.
- if !current_user.terms_seen && flash[:skip_terms].nil?
- set_locale
- report_error t("application.setup_user_auth.need_to_see_terms"), :forbidden
- end
- end
- end
-
- def authorize(realm = "Web Password", errormessage = "Couldn't authenticate you")
- # make the current_user object from any auth sources we have
- setup_user_auth
-
- # handle authenticate pass/fail
- unless current_user
- # no auth, the user does not exist or the password was wrong
- response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
- render :plain => errormessage, :status => :unauthorized
- return false
- end
- end
-
def check_database_readable(need_api = false)
if Settings.status == "database_offline" || (need_api && Settings.status == "api_offline")
if request.xhr?
end
def check_api_readable
- if api_status == :offline
+ if api_status == "offline"
report_error "Database offline for maintenance", :service_unavailable
false
end
end
def check_api_writable
- unless api_status == :online
+ unless api_status == "online"
report_error "Database offline for maintenance", :service_unavailable
false
end
def database_status
if Settings.status == "database_offline"
- :offline
+ "offline"
elsif Settings.status == "database_readonly"
- :readonly
+ "readonly"
else
- :online
+ "online"
end
end
def api_status
status = database_status
- if status == :online
+ if status == "online"
if Settings.status == "api_offline"
- status = :offline
+ status = "offline"
elsif Settings.status == "api_readonly"
- status = :readonly
+ status = "readonly"
end
end
status
end
- def gpx_status
- status = database_status
- status = :offline if status == :online && Settings.status == "gpx_offline"
- status
- end
-
def require_public_data
unless current_user.data_public?
report_error "You must make your edits public to upload new data", :forbidden
end
end
- def deny_access(exception)
- if @api_deny_access_handling
- api_deny_access(exception)
- else
- web_deny_access(exception)
- end
- end
-
- def web_deny_access(_exception)
+ def deny_access(_exception)
if current_token
set_locale
report_error t("oauth.permissions.missing"), :forbidden
end
end
- def api_deny_access(_exception)
- if current_token
- set_locale
- report_error t("oauth.permissions.missing"), :forbidden
- elsif current_user
- head :forbidden
- else
- realm = "Web Password"
- errormessage = "Couldn't authenticate you"
- response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
- render :plain => errormessage, :status => :unauthorized
- end
- end
-
- attr_accessor :api_access_handling
-
- def api_deny_access_handler
- @api_deny_access_handling = true
- end
-
- private
-
# extract authorisation credentials from headers, returns user = nil if none
def get_auth_data
if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it
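Review bot: The `private` inserted directly after `helper_method :current_user` moves everything from `authorize_web` down to `require_public_data` and the renamed `deny_access` out of the public interface, whereas the removed marker further down sat just above `get_auth_data`; `check_database_readable`, `database_status` and `api_status` can therefore no longer be called with an explicit receiver. The lambda rewrites of the block-form `before_action`s later in this diff look like the consequence of exactly that, but any remaining `{ |c| c.check_database_readable(...) }` filter, or a view reaching these through a `helper_method` declaration outside this diff, would now raise `NoMethodError`. The symbol-to-string change in `database_status`/`api_status` has a similar reach: a comparison such as `api_status == :online` surviving elsewhere becomes silently false rather than failing loudly, so a grep for `:online`/`:offline`/`:readonly` before merge is cheap insurance.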
before_action :authorize_web
before_action :set_locale
- before_action(:except => [:query]) { |c| c.check_database_readable(true) }
+ before_action -> { check_database_readable(true) }
before_action :require_oauth
around_action :web_timeout
authorize_resource :class => false
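Review bot: The rewritten filter `before_action -> { check_database_readable(true) }` drops the `:except => [:query]` restriction the block form carried, so the database check now also runs for the `query` action; the next hunk likewise drops `:only => [:index]`, while the third hunk keeps its `:only => [:index, :feed]`. The lambda form is needed because the callee is now private in `ApplicationController`, but the filter options are independent of that and survive unchanged, e.g. `before_action -> { check_database_readable(true) }, :except => [:query]`. If widening the check was intended, a one-line comment on the filter saying so would stop the next reader from restoring the option.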
authorize_resource
- before_action(:only => [:index]) { |c| c.check_database_readable(true) }
+ before_action -> { check_database_readable(true) }
around_action :web_timeout
##
skip_before_action :verify_authenticity_token, :except => [:index]
before_action :authorize_web
before_action :set_locale
- before_action(:only => [:index, :feed]) { |c| c.check_database_readable(true) }
+ before_action -> { check_database_readable(true) }, :only => [:index, :feed]
authorize_resource
contributors_si_html: '<strong>Slovinsko</strong>: Obsahuje data <a href="http://www.gu.gov.si/">Zeměměřického
a mapovacího úřadu</a> a <a href="http://www.mkgp.gov.si/">Ministerstva
zemědělství, lesnictví a potravin</a> (veřejné informace o Slovinsku).'
+ contributors_es_html: '<strong>Španělsko</strong>: Obsahuje data od španělského
+ Národního geografického institutu (<a href="http://www.ign.es/">IGN</a>
+ a Národního kartografického systému (<a href="http://www.scne.es/">SCNE</a>),
+ licencovaná pod <a href="https://creativecommons.org/licenses/by/4.0/deed.cs">CC
+ BY 4.0</a>.'
contributors_za_html: |-
<strong>Jihoafrická republika</strong>: Obsahuje data pocházející z <a href="http://www.ngi.gov.za/">Chief Directorate:
National Geo-Spatial Information</a>, State copyright reserved.
contributors_gb_html: '<strong>Spojené království</strong>: Obsahuje data
- Ordnance Survey © Crown copyright a právo k databázi 2010–12.'
+ Ordnance Survey © Crown copyright a právo k databázi 2010–19.'
contributors_footer_1_html: |-
Další podrobnosti o těchto a dalších zdrojích, které se používaly pro vylepšení OpenStreetMap, najdete na <a
href="https://wiki.openstreetmap.org/wiki/Contributors">stránce Contributors</a> na wiki OpenStreetMap.
<a href="http://www.gu.gov.si/en/">Surveying and Mapping Authority</a> y
<a href="http://www.mkgp.gov.si/en/">Ministry of Agriculture, Forestry and Food</a>
(información pública de Eslovenia).
- contributors_es_html: '<strong>España<strong>: Contiene datos provenientes
+ contributors_es_html: '<strong>España</strong>: Contiene datos provenientes
del Instituto Geográfico Nacional (<a href="http://www.ign.es/">IGN</a>)
y del Sistema Cartográfico Nacional (<a href="http://www.scne.es/">SCNE</a>),
licenciados para su reutilización bajo la <a href="https://creativecommons.org/licenses/by/4.0/">CC
about:
next: بعدی
copyright_html: <span>©</span>مشارکتکنندگان<br>OpenStreetMap
- used_by: صدها وبسایت، برنامهٔ موبایل و دستگاه سختافزاری از دادههای نقشهٔ %{name}
+ used_by: صدها وبسایت، برنامهٔ موبایل و دستگاه سختافزاری از دادههای %{name}
نیرو گرفتهاند.
lede_text: OpenStreetMap را جامعهای از نقشهکشان ساختهاند که در ایجاد و نگهداری
دادههای مربوط به جادهها، مسیرهای تریل، کافهها، ایستگاههای راهآهن و بسیاری
<strong>Afrique du Sud</strong> : contient des données issues de la <a href="http://www.ngi.gov.za/">Direction principale des
Informations Géospatiales Nationales</a>, copyright de l’État réservé.
contributors_gb_html: '<strong>Royaume-Uni</strong> : contient des données
- issues de l’<em>Ordnance Survey</em> © 2010-2019 Droits d’auteurs et de
- la base de données de la Couronne.'
+ issues de l’<em>Ordnance Survey</em> © 2010-2019 Droits d’auteurs et
+ de la base de données de la Couronne.'
contributors_footer_1_html: Pour plus de détails sur celles-ci et sur les
autres sources utilisées pour aider à améliorer OpenStreetMap, consultez
la page des <a href="https://wiki.openstreetmap.org/wiki/Contributors">contributeurs</a>
href="http://www.mkgp.gov.si/en/">農林食料省</a>(スロベニアの公開情報)による。'
contributors_za_html: '<strong>南アフリカ</strong>: <a href="http://www.ngi.gov.za/">Chief
Directorate: National Geo-Spatial Information</a>,政府によるデータを含み、著作権を保持します。'
- contributors_gb_html: '<strong>イギリス</strong>: 陸地測量データ ©著作権はクラウン・コピーライト及びdatabase
- right 2010-12 を含みます。'
+ contributors_gb_html: "<strong>イギリス</strong>: 陸地測量\nデータ © クラウン・コピーライト及びデータベース権限
+ database right \n2010-19 を含みます。"
contributors_footer_1_html: |-
これらの詳細について、またOpenStreetMapの向上に使用されたその他のソースについては、OpenStreetMap Wikiの<a
href="https://wiki.openstreetmap.org/wiki/Contributors">協力者ページ</a>をご覧ください。
<strong>Africa do Sul</strong>: contém dados originários de
<a href="http://www.ngi.gov.za/">Chief Directorate:
National Geo-Spatial Information</a>, com direitos autorais reservados àquele Estado.
- contributors_gb_html: |-
- <strong>Reino Unido</strong>: Contém dados da Ordnance
- Survey © Direitos da base e autorais da Crown 2010.
+ contributors_gb_html: '<strong>Reino Unido</strong>: Contém dados do Ordnance
+ Survey © Crown copyright and database right 2010-2019.'
contributors_footer_1_html: Para mais informações sobre estas e outras fontes
utilizadas para melhorar o OpenStreetMap, consulte a <a href="https://wiki.openstreetmap.org/wiki/Contributors">página
de contribuidores</a> (em inglês) na wiki do OpenStreetMap.