Fixes #4861
Since the around_action is now defined before authorize_resource runs, the error handler needs to re-raise the CanCan::AccessDenied exception rather than treat it as an unexpected error.
I've added the timeouts where I think they were missing (e.g. UserPreferencesController)
but I've kept the exception for changeset#upload and traces#create
18 files changed:
authorize_resource :class => false
before_action :set_request_formats
authorize_resource :class => false
before_action :set_request_formats
- around_action :api_call_handle_error, :api_call_timeout
# External apps that use the api are able to query the api to find out some
# parameters of the API. It currently returns:
# External apps that use the api are able to query the api to find out some
# parameters of the API. It currently returns:
authorize_resource
before_action :require_public_data, :only => [:create]
authorize_resource
before_action :require_public_data, :only => [:create]
before_action :set_request_formats
before_action :set_request_formats
- around_action :api_call_handle_error
- around_action :api_call_timeout
##
# Add a comment to a changeset
##
# Add a comment to a changeset
before_action :require_public_data, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
before_action :set_request_formats, :except => [:create, :close, :upload]
before_action :require_public_data, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
before_action :set_request_formats, :except => [:create, :close, :upload]
- around_action :api_call_handle_error
- around_action :api_call_timeout, :except => [:upload]
+ skip_around_action :api_call_timeout, :only => [:upload]
# Helper methods for checking consistency
include ConsistencyValidations
# Helper methods for checking consistency
include ConsistencyValidations
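Review bot: The `skip_around_action :api_call_timeout, :only => [:upload]` line carries no rationale, so a later reader sees a write endpoint deliberately exempted from the API time limit with no way to tell whether that is still intended or where the bound is enforced instead. A why-comment directly above it would settle that, e.g. `# upload is deliberately exempt from api_call_timeout (presumably large diffs exceed the limit — confirm) and so has no server-side time bound here`. If a hard upper bound for uploads exists elsewhere (web server or proxy), naming it in the same comment would help the next person assessing the unbounded request. The class header and the actions themselves are outside this hunk.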
class MapController < ApiController
authorize_resource :class => false
class MapController < ApiController
authorize_resource :class => false
- around_action :api_call_handle_error, :api_call_timeout
-
before_action :set_request_formats
# This is probably the most common call of all. It is used for getting the
before_action :set_request_formats
# This is probably the most common call of all. It is used for getting the
- around_action :api_call_handle_error, :api_call_timeout
-
before_action :set_request_formats
def inbox
before_action :set_request_formats
def inbox
authorize_resource
before_action :require_public_data, :only => [:create, :update, :delete]
authorize_resource
before_action :require_public_data, :only => [:create, :update, :delete]
- around_action :api_call_handle_error, :api_call_timeout
-
before_action :set_request_formats, :except => [:create, :update, :delete]
before_action :check_rate_limit, :only => [:create, :update, :delete]
before_action :set_request_formats, :except => [:create, :update, :delete]
before_action :check_rate_limit, :only => [:create, :update, :delete]
authorize_resource
before_action :set_locale
authorize_resource
before_action :set_locale
- around_action :api_call_handle_error, :api_call_timeout
before_action :set_request_formats, :except => [:feed]
##
before_action :set_request_formats, :except => [:feed]
##
- around_action :api_call_handle_error, :api_call_timeout
before_action :lookup_old_element, :except => [:history]
before_action :lookup_old_element_versions, :only => [:history]
before_action :lookup_old_element, :except => [:history]
before_action :lookup_old_element_versions, :only => [:history]
before_action :setup_user_auth
before_action :set_request_formats
before_action :setup_user_auth
before_action :set_request_formats
- around_action :api_call_handle_error, :api_call_timeout
# External apps that use the api are able to query which permissions
# they have. This currently returns a list of permissions granted to the current user:
# External apps that use the api are able to query which permissions
# they have. This currently returns a list of permissions granted to the current user:
authorize_resource
before_action :require_public_data, :only => [:create, :update, :delete]
authorize_resource
before_action :require_public_data, :only => [:create, :update, :delete]
- around_action :api_call_handle_error, :api_call_timeout
-
before_action :set_request_formats, :except => [:create, :update, :delete]
before_action :check_rate_limit, :only => [:create, :update, :delete]
before_action :set_request_formats, :except => [:create, :update, :delete]
before_action :check_rate_limit, :only => [:create, :update, :delete]
class TracepointsController < ApiController
authorize_resource
class TracepointsController < ApiController
authorize_resource
- around_action :api_call_handle_error, :api_call_timeout
-
# Get an XML response containing a list of tracepoints that have been uploaded
# within the specified bounding box, and in the specified page.
def index
# Get an XML response containing a list of tracepoints that have been uploaded
# within the specified bounding box, and in the specified page.
def index
authorize_resource
before_action :offline_error, :only => [:create, :destroy, :data]
authorize_resource
before_action :offline_error, :only => [:create, :destroy, :data]
- around_action :api_call_handle_error
+ skip_around_action :api_call_timeout, :only => :create
def show
@trace = Trace.visible.find(params[:id])
def show
@trace = Trace.visible.find(params[:id])
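Review bot: `skip_around_action :api_call_timeout, :only => :create` exempts trace creation from the API time limit without saying why, which is the kind of deliberate exception that gets removed or copied blindly in a later cleanup. A short comment above it would prevent that, e.g. `# create is deliberately exempt from api_call_timeout (presumably large GPX uploads exceed the limit — confirm); no server-side time bound applies here`. As a style point the changesets controller writes the same option as `:only => [:upload]`; either form works, but picking one keeps the two skips easy to grep for. The class header is outside the hunk.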
class UserBlocksController < ApiController
authorize_resource
class UserBlocksController < ApiController
authorize_resource
- around_action :api_call_handle_error, :api_call_timeout
before_action :set_request_formats
def show
before_action :set_request_formats
def show
- around_action :api_call_handle_error
-
before_action :set_request_formats
##
before_action :set_request_formats
##
- around_action :api_call_handle_error
load_resource :only => :show
before_action :set_request_formats, :except => [:gpx_files]
load_resource :only => :show
before_action :set_request_formats, :except => [:gpx_files]
authorize_resource :class => false
before_action :set_request_formats
authorize_resource :class => false
before_action :set_request_formats
- around_action :api_call_handle_error, :api_call_timeout
# Show the list of available API versions. This will replace the global
# unversioned capabilities call in due course.
# Show the list of available API versions. This will replace the global
# unversioned capabilities call in due course.
authorize_resource
before_action :require_public_data, :only => [:create, :update, :delete]
authorize_resource
before_action :require_public_data, :only => [:create, :update, :delete]
- around_action :api_call_handle_error, :api_call_timeout
-
before_action :set_request_formats, :except => [:create, :update, :delete]
before_action :check_rate_limit, :only => [:create, :update, :delete]
before_action :set_request_formats, :except => [:create, :update, :delete]
before_action :check_rate_limit, :only => [:create, :update, :delete]
before_action :check_api_readable
before_action :check_api_readable
+ around_action :api_call_handle_error, :api_call_timeout
+
report_error message, :bad_request
rescue OSM::APIError => e
report_error e.message, e.status
report_error message, :bad_request
rescue OSM::APIError => e
report_error e.message, e.status
- rescue AbstractController::ActionNotFound => e
+ rescue AbstractController::ActionNotFound, CanCan::AccessDenied => e
raise
rescue StandardError => e
logger.info("API threw unexpected #{e.class} exception: #{e.message}")
raise
rescue StandardError => e
logger.info("API threw unexpected #{e.class} exception: #{e.message}")
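Review bot: Re-raising only CanCan::AccessDenied covers the case the description names, but because the around_action is now declared in ApiController right after check_api_readable, the `rescue StandardError` fallback below also wraps every subclass before_action (setup_user_auth, require_public_data, check_rate_limit, offline_error, set_request_formats) that previously ran outside the handler in many controllers. Any other exception those callbacks raise that used to be handled upstream — if ApplicationController has further rescue_from handlers, which I cannot see from here — will now be logged as "unexpected" and answered by this handler instead, quietly changing the status code for authentication-related failures, so those classes should be listed alongside CanCan::AccessDenied or covered by a test. As a style point the bound variable on that line is unused, so it can read `rescue AbstractController::ActionNotFound, CanCan::AccessDenied` with a why-comment above it such as `# raised by callbacks that now run inside this wrapper; let the application-level handlers respond`. The api_call_handle_error method starts and ends outside the hunk.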