From: Tom Hughes
Date: Tue, 3 Jun 2014 19:59:25 +0000 (+0100)
Subject: Add support for ACL blocks on note commenting
X-Git-Tag: live~5066
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/098c2675ba07c12cc6c26b98aeed62d1c68e96fa

Add support for ACL blocks on note commenting
---

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index 76c97ba5b..acd88be04 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -53,6 +53,9 @@ class NotesController < ApplicationController
 ##
 # Create a new note
 def create
+ # Check the ACLs
+ raise OSM::APIAccessDenied if Acl.no_note_comment(request.remote_ip)
+
 # Check the arguments are sane
 raise OSM::APIBadUserInput.new("No lat was given") unless params[:lat]
 raise OSM::APIBadUserInput.new("No lon was given") unless params[:lon]
@@ -86,6 +89,9 @@ class NotesController < ApplicationController
 ##
 # Add a comment to an existing note
 def comment
+ # Check the ACLs
+ raise OSM::APIAccessDenied if Acl.no_note_comment(request.remote_ip)
+
 # Check the arguments are sane
 raise OSM::APIBadUserInput.new("No id was given") unless params[:id]
 raise OSM::APIBadUserInput.new("No text was given") if params[:text].blank?
diff --git a/app/models/acl.rb b/app/models/acl.rb
index 2db7fb765..e2f163ea5 100644
--- a/app/models/acl.rb
+++ b/app/models/acl.rb
@@ -11,6 +11,10 @@ class Acl < ActiveRecord::Base
 self.match(address, domain).where(:k => "no_account_creation").exists?
 end
 
+ def self.no_note_comment(address, domain = nil)
+ self.match(address, domain).where(:k => "no_note_comment").exists?
+ end
+
 def self.no_trace_download(address, domain = nil)
 self.match(address, domain).where(:k => "no_trace_download").exists?
 end
diff --git a/lib/osm.rb b/lib/osm.rb
index 9e8198299..daef8d3f0 100644
--- a/lib/osm.rb
+++ b/lib/osm.rb
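Review bot: In `create` (app/controllers/notes_controller.rb) the block decision rests entirely on `request.remote_ip`, and the same line is added to `comment` in the next hunk. Rails derives that value from the forwarding headers and its trusted-proxy list, so a misconfigured list means the ACL is matched against a proxy's address or against a value the client influenced; the proxy setup is not visible in this diff, so it needs confirming rather than changing here. I would record the dependency next to the check, e.g. `# Check the ACLs (keyed on remote_ip, which relies on the trusted-proxy configuration)`. The key is named `no_note_comment` but also gates note creation here, which the comment could say. Both method bodies continue outside their hunks.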
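Review bot: The ACL check in `comment` is a verbatim copy of the one added to `create`, so coverage of the block depends on pasting it into every action that needs it. If any other action in this controller accepts comment text (none is visible in this diff), requests from a blocked address would not be checked there. A single private helper, or a filter declared so that the raised error still reaches whatever turns OSM errors into responses, would keep the list of guarded actions in one place, e.g. `before_filter :check_note_acl, :only => [:create, :comment]`. The body of `comment` continues outside the hunk.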
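Review bot: `Acl.no_note_comment` in app/models/acl.rb has no comment, and its name undersells what it controls: the controller hunks in this commit call it from `create` as well as `comment`. A one-line comment such as `# Is this address (or domain) blocked from creating notes or commenting on them?` would make that visible. Both callers pass only an address, so `domain` is always nil for notes; how `match` treats a nil domain is outside this hunk, so whether domain-keyed ACL rows can ever apply here is worth confirming. The class body starts and ends outside the hunk.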
@@ -24,6 +24,17 @@ module OSM
 end
 end
 
+ # Raised when access is denied.
+ class APIAccessDenied < RuntimeError
+ def status
+ :forbidden
+ end
+
+ def to_s
+ "Access denied"
+ end
+ end
+
 # Raised when an API object is not found.
 class APINotFoundError < APIError
 def status
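Review bot: `APIAccessDenied` is declared as `< RuntimeError`, while the class right after it in this hunk, `APINotFoundError`, derives from `APIError`. If the controllers' error handling rescues `OSM::APIError` to build the response (that code is not in this diff), the new exception would bypass it and the `:forbidden` status defined here would never be used, so a blocked client would presumably get a server error instead of a 403. Changing the line to `class APIAccessDenied < APIError` keeps `status` and `to_s` as they are and puts the class on the same path as its neighbours. The enclosing `module OSM` starts and ends outside the hunk.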