include CanCan::Ability
def initialize(user)
+ can [:relation, :relation_history, :way, :way_history, :node, :node_history, :changeset, :note], :browse
+ can [:index, :feed, :read, :download, :query], Changeset
can :index, ChangesetComment
+ can :search, :direction
can [:index, :permalink, :edit, :help, :fixthemap, :offline, :export, :about, :preview, :copyright, :key, :id], :site
can [:index, :rss, :show, :comments], DiaryEntry
+ can [:finish, :embed], :export
can [:search, :search_latlon, :search_ca_postcode, :search_osm_nominatim,
:search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
can [:index, :create, :comment, :feed, :show, :search, :mine], Note
can [:index, :show], Redaction
+ can [:search_all, :search_nodes, :search_ways, :search_relations], :search
+ can [:trackpoints], :swf
+ can [:index, :show, :data, :georss, :picture, :icon], Trace
can [:terms, :api_users, :login, :logout, :new, :create, :save, :confirm, :confirm_resend, :confirm_email, :lost_password, :reset_password, :show, :api_read, :auth_success, :auth_failure], User
can [:index, :show, :blocks_on, :blocks_by], UserBlock
can [:new, :create, :reply, :show, :inbox, :outbox, :mark, :destroy], Message
can [:close, :reopen], Note
can [:new, :create], Report
+ can [:mine, :new, :create, :edit, :update, :delete, :api_create, :api_read, :api_update, :api_delete, :api_data], Trace
can [:account, :go_public, :make_friend, :remove_friend, :api_details, :api_gpx_files], User
can [:read, :read_one, :update, :update_one, :delete_one], UserPreference
- if user.terms_agreed? || !REQUIRE_TERMS_AGREED # rubocop:disable Style/IfUnlessModifier
+ if user.terms_agreed? || !REQUIRE_TERMS_AGREED
+ can [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox], Changeset
can :create, ChangesetComment
end
def initialize(token)
can [:create, :comment, :close, :reopen], Note if capability?(token, :allow_write_notes)
+ can [:api_read, :api_data], Trace if capability?(token, :allow_read_gpx)
+ can [:api_create, :api_update, :api_delete], Trace if capability?(token, :allow_write_gpx)
can [:api_details], User if capability?(token, :allow_read_prefs)
can [:api_gpx_files], User if capability?(token, :allow_read_gpx)
can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs)
can [:update, :update_one, :delete_one], UserPreference if capability?(token, :allow_write_prefs)
if token&.user&.terms_agreed? || !REQUIRE_TERMS_AGREED
+ can [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox], Changeset if capability?(token, :allow_write_api)
can :create, ChangesetComment if capability?(token, :allow_write_api)
end
skip_before_action :verify_authenticity_token
before_action :check_api_writable
+ # AMF Controller implements its own authentication and authorization checks
+ # completely independently of the rest of the codebase, so best just to let
+ # it keep doing its own thing.
+ skip_authorization_check
+
# Main AMF handlers: process the raw AMF string (using AMF library) and
# calls each action (private method) accordingly.
# * maximum area that can be requested in a bbox request in square degrees
# * number of tracepoints that are returned in each tracepoints page
def capabilities
- doc = OSM::API.new.get_xml_doc
-
- api = XML::Node.new "api"
- version = XML::Node.new "version"
- version["minimum"] = API_VERSION.to_s
- version["maximum"] = API_VERSION.to_s
- api << version
- area = XML::Node.new "area"
- area["maximum"] = MAX_REQUEST_AREA.to_s
- api << area
- notearea = XML::Node.new "note_area"
- notearea["maximum"] = MAX_NOTE_REQUEST_AREA.to_s
- api << notearea
- tracepoints = XML::Node.new "tracepoints"
- tracepoints["per_page"] = TRACEPOINTS_PER_PAGE.to_s
- api << tracepoints
- waynodes = XML::Node.new "waynodes"
- waynodes["maximum"] = MAX_NUMBER_OF_WAY_NODES.to_s
- api << waynodes
- changesets = XML::Node.new "changesets"
- changesets["maximum_elements"] = Changeset::MAX_ELEMENTS.to_s
- api << changesets
- timeout = XML::Node.new "timeout"
- timeout["seconds"] = API_TIMEOUT.to_s
- api << timeout
- status = XML::Node.new "status"
- status["database"] = database_status.to_s
- status["api"] = api_status.to_s
- status["gpx"] = gpx_status.to_s
- api << status
- doc.root << api
- policy = XML::Node.new "policy"
- blacklist = XML::Node.new "imagery"
- IMAGERY_BLACKLIST.each do |url_regex|
- xnd = XML::Node.new "blacklist"
- xnd["regex"] = url_regex.to_s
- blacklist << xnd
- end
- policy << blacklist
- doc.root << policy
-
- render :xml => doc.to_s
+ @database_status = database_status
+ @api_status = api_status
+ @gpx_status = gpx_status
end
# External apps that use the api are able to query which permissions
before_action(:except => [:query]) { |c| c.check_database_readable(true) }
before_action :require_oauth
around_action :web_timeout
+ authorize_resource :class => false
def relation
@type = "relation"
before_action :authorize_web, :only => [:index, :feed]
before_action :set_locale, :only => [:index, :feed]
before_action :authorize, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
- before_action :require_allow_write_api, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
+ before_action :api_deny_access_handler, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox]
+
+ authorize_resource
+
before_action :require_public_data, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
before_action :check_api_writable, :only => [:create, :update, :upload, :subscribe, :unsubscribe]
before_action :check_api_readable, :except => [:create, :update, :upload, :download, :query, :index, :feed, :subscribe, :unsubscribe]
before_action :authorize_web
before_action :set_locale
before_action :require_oauth, :only => [:search]
+ authorize_resource :class => false
def search
render :layout => map_layout
before_action :authorize_web
before_action :set_locale
before_action :update_totp, :only => [:finish]
+ authorize_resource :class => false
caches_page :embed
before_action :authorize_web
before_action :set_locale
before_action :require_oauth, :only => [:search]
+ authorize_resource :class => false
def search
@params = normalize_params
# Can search by tag k, v, or both (type->k,value->v)
# Can search by name (k=name,v=....)
skip_before_action :verify_authenticity_token
+ authorize_resource :class => false
def search_all
do_search(true, true, true)
class SwfController < ApplicationController
skip_before_action :verify_authenticity_token
before_action :check_api_readable
+ authorize_resource :class => false
# to log:
# RAILS_DEFAULT_LOGGER.error("Args: #{args[0]}, #{args[1]}, #{args[2]}, #{args[3]}")
skip_before_action :verify_authenticity_token, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data]
before_action :authorize_web
before_action :set_locale
- before_action :require_user, :only => [:mine, :new, :create, :edit, :delete]
before_action :authorize, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data]
+ before_action :api_deny_access_handler, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data]
+
+ authorize_resource
+
before_action :check_database_readable, :except => [:api_read, :api_data]
before_action :check_database_writable, :only => [:new, :create, :edit, :delete, :api_create, :api_update, :api_delete]
before_action :check_api_readable, :only => [:api_read, :api_data]
before_action :check_api_writable, :only => [:api_create, :api_update, :api_delete]
- before_action :require_allow_read_gpx, :only => [:api_read, :api_data]
- before_action :require_allow_write_gpx, :only => [:api_create, :api_update, :api_delete]
before_action :offline_warning, :only => [:mine, :show]
before_action :offline_redirect, :only => [:new, :create, :edit, :delete, :data, :api_create, :api_delete, :api_data]
around_action :api_call_handle_error, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data]
--- /dev/null
+xml.instruct! :xml, :version => "1.0"
+xml.osm(OSM::API.new.xml_root_attributes) do |osm|
+ osm.api do |api|
+ api.version(:minimum => API_VERSION.to_s, :maximum => API_VERSION.to_s)
+ api.area(:maximum => MAX_REQUEST_AREA.to_s)
+ api.note_area(:maximum => MAX_NOTE_REQUEST_AREA.to_s)
+ api.tracepoints(:per_page => TRACEPOINTS_PER_PAGE.to_s)
+ api.waynodes(:maximum => MAX_NUMBER_OF_WAY_NODES.to_s)
+ api.changesets(:maximum_elements => Changeset::MAX_ELEMENTS.to_s)
+ api.timeout(:seconds => API_TIMEOUT.to_s)
+ api.status(:database => @database_status.to_s,
+ :api => @api_status.to_s,
+ :gpx => @gpx_status.to_s)
+ end
+ osm.policy do |policy|
+ policy.imagery do |imagery|
+ IMAGERY_BLACKLIST.each do |url_regex|
+ imagery.blacklist(:regex => url_regex.to_s)
+ end
+ end
+ end
+end
# create list of permissions
xml.instruct! :xml, :version => "1.0"
-xml.osm("version" => API_VERSION.to_s, "generator" => "OpenStreetMap Server") do
+xml.osm(OSM::API.new.xml_root_attributes) do
xml.permissions do
@permissions.each do |permission|
xml.permission :name => permission
xml.instruct!
-xml.osm(:version => API_VERSION, :generator => GENERATOR) do |osm|
+xml.osm(OSM::API.new.xml_root_attributes) do |osm|
osm << (render(:partial => "note", :collection => @notes) || "")
end
xml.instruct!
-xml.osm(:version => API_VERSION, :generator => GENERATOR) do |osm|
+xml.osm(OSM::API.new.xml_root_attributes) do |osm|
osm << render(:partial => "note", :object => @note)
end
xml.instruct! :xml, :version => "1.0"
-xml.osm("version" => API_VERSION, "generator" => GENERATOR) do |osm|
+xml.osm(OSM::API.new.xml_root_attributes) do |osm|
osm << render(:partial => "api_user", :object => @user)
end
xml.instruct! :xml, :version => "1.0"
-xml.osm("version" => API_VERSION, "generator" => GENERATOR) do |osm|
+xml.osm(OSM::API.new.xml_root_attributes) do |osm|
osm << render(:partial => "api_user", :collection => @users)
end
doc = XML::Document.new
doc.encoding = XML::Encoding::UTF_8
root = XML::Node.new "osm"
- root["version"] = API_VERSION.to_s
- root["generator"] = GENERATOR
- root["copyright"] = COPYRIGHT_OWNER
- root["attribution"] = ATTRIBUTION_URL
- root["license"] = LICENSE_URL
+ xml_root_attributes.each do |k, v|
+ root[k] = v
+ end
doc.root = root
doc
end
+
+ def xml_root_attributes
+ { "version" => API_VERSION.to_s,
+ "generator" => GENERATOR,
+ "copyright" => COPYRIGHT_OWNER,
+ "attribution" => ATTRIBUTION_URL,
+ "license" => LICENSE_URL }
+ end
end
def self.ip_to_country(ip_address)
projects / rails.git / commitdiff