From: Tom Hughes
Date: Mon, 11 Apr 2022 19:47:52 +0000 (+0100)
Subject: Check API status before authorizing access
X-Git-Tag: live~1682
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/7f619c6484ae92d6ea12f1c3a9f67c3d421ae06a

Check API status before authorizing access

Fixes #3530
---
diff --git a/app/controllers/api/changeset_comments_controller.rb b/app/controllers/api/changeset_comments_controller.rb
index 86ac61277..8b971834d 100644
--- a/app/controllers/api/changeset_comments_controller.rb
+++ b/app/controllers/api/changeset_comments_controller.rb
@@ -1,12 +1,12 @@
module Api
class ChangesetCommentsController < ApiController
+ before_action :check_api_writable
+ before_action :check_api_readable, :except => [:create]
before_action :authorize
authorize_resource
before_action :require_public_data, :only => [:create]
- before_action :check_api_writable
- before_action :check_api_readable, :except => [:create]
before_action :set_request_formats
around_action :api_call_handle_error
around_action :api_call_timeout
diff --git a/app/controllers/api/changesets_controller.rb b/app/controllers/api/changesets_controller.rb
index 354b0b9c2..24e7fb925 100644
--- a/app/controllers/api/changesets_controller.rb
+++ b/app/controllers/api/changesets_controller.rb
@@ -4,13 +4,13 @@ module Api
class ChangesetsController < ApiController
require "xml/libxml"
+ before_action :check_api_writable, :only => [:create, :update, :upload, :subscribe, :unsubscribe]
+ before_action :check_api_readable, :except => [:create, :update, :upload, :download, :query, :subscribe, :unsubscribe]
before_action :authorize, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
authorize_resource
before_action :require_public_data, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
- before_action :check_api_writable, :only => [:create, :update, :upload, :subscribe, :unsubscribe]
- before_action :check_api_readable, :except => [:create, :update, :upload, :download, :query, :subscribe, :unsubscribe]
before_action :set_request_formats, :except => [:create, :close, :upload]
around_action :api_call_handle_error
diff --git a/app/controllers/api/map_controller.rb b/app/controllers/api/map_controller.rb
index 1b5150537..0d123fc3e 100644
--- a/app/controllers/api/map_controller.rb
+++ b/app/controllers/api/map_controller.rb
@@ -1,8 +1,9 @@
module Api
class MapController < ApiController
+ before_action :check_api_readable
+
authorize_resource :class => false
- before_action :check_api_readable
around_action :api_call_handle_error, :api_call_timeout
before_action :set_request_formats
diff --git a/app/controllers/api/nodes_controller.rb b/app/controllers/api/nodes_controller.rb
index 62eb76505..92779dd67 100644
--- a/app/controllers/api/nodes_controller.rb
+++ b/app/controllers/api/nodes_controller.rb
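Review bot: In the relocated ChangesetsController filters, `close` is gated only by `check_api_readable` although it sits with the write actions in the `authorize` and `require_public_data` lists, and `download` and `query` are excluded from `check_api_readable` without appearing in the `check_api_writable` `:only` list, so at filter level those two actions pass neither API status check. If the action bodies perform their own status handling, a one-line comment on the `:except` list saying so would spare the next reader the question; otherwise `close` presumably belongs in `before_action :check_api_writable, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]`. This is behaviour the commit moves rather than introduces, and the class body continues outside the hunk.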
@@ -4,13 +4,13 @@ module Api
class NodesController < ApiController
require "xml/libxml"
+ before_action :check_api_writable, :only => [:create, :update, :delete]
+ before_action :check_api_readable, :except => [:create, :update, :delete]
before_action :authorize, :only => [:create, :update, :delete]
authorize_resource
before_action :require_public_data, :only => [:create, :update, :delete]
- before_action :check_api_writable, :only => [:create, :update, :delete]
- before_action :check_api_readable, :except => [:create, :update, :delete]
around_action :api_call_handle_error, :api_call_timeout
before_action :set_request_formats, :except => [:create, :update, :delete]
diff --git a/app/controllers/api/notes_controller.rb b/app/controllers/api/notes_controller.rb
index 8a41d5db8..7454e7f19 100644
--- a/app/controllers/api/notes_controller.rb
+++ b/app/controllers/api/notes_controller.rb
@@ -1,12 +1,12 @@
module Api
class NotesController < ApiController
before_action :check_api_readable
+ before_action :check_api_writable, :only => [:create, :comment, :close, :reopen, :destroy]
before_action :setup_user_auth, :only => [:create, :comment, :show]
before_action :authorize, :only => [:close, :reopen, :destroy, :comment]
authorize_resource
- before_action :check_api_writable, :only => [:create, :comment, :close, :reopen, :destroy]
before_action :set_locale
around_action :api_call_handle_error, :api_call_timeout
diff --git a/app/controllers/api/old_controller.rb b/app/controllers/api/old_controller.rb
index f8e42476f..ceed10978 100644
--- a/app/controllers/api/old_controller.rb
+++ b/app/controllers/api/old_controller.rb
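Review bot: The action list `[:create, :update, :delete]` is now spelled out five times in NodesController (`check_api_writable`, `check_api_readable`, `authorize`, `require_public_data`, `set_request_formats`), so the status, authorization and public-data gates can silently drift apart the next time an action is added. A frozen constant such as `WRITE_ACTIONS = %i[create update delete].freeze` used as `before_action :check_api_writable, :only => WRITE_ACTIONS` and `before_action :check_api_readable, :except => WRITE_ACTIONS` would keep the three gates covering the same set; the same applies to the relations_controller.rb and ways_controller.rb hunks. The class body continues outside the hunk.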
@@ -5,13 +5,13 @@ module Api
class OldController < ApiController
require "xml/libxml"
+ before_action :check_api_readable
+ before_action :check_api_writable, :only => [:redact]
before_action :setup_user_auth, :only => [:history, :version]
before_action :authorize, :only => [:redact]
authorize_resource
- before_action :check_api_readable
- before_action :check_api_writable, :only => [:redact]
around_action :api_call_handle_error, :api_call_timeout
before_action :lookup_old_element, :except => [:history]
before_action :lookup_old_element_versions, :only => [:history]
diff --git a/app/controllers/api/permissions_controller.rb b/app/controllers/api/permissions_controller.rb
index 07685ed68..8c0c949dc 100644
--- a/app/controllers/api/permissions_controller.rb
+++ b/app/controllers/api/permissions_controller.rb
@@ -1,8 +1,9 @@
module Api
class PermissionsController < ApiController
+ before_action :check_api_readable
+
authorize_resource :class => false
- before_action :check_api_readable
before_action :setup_user_auth
before_action :set_request_formats
around_action :api_call_handle_error, :api_call_timeout
diff --git a/app/controllers/api/relations_controller.rb b/app/controllers/api/relations_controller.rb
index 9bb3eb87c..5dd5632ba 100644
--- a/app/controllers/api/relations_controller.rb
+++ b/app/controllers/api/relations_controller.rb
@@ -2,13 +2,13 @@ module Api
class RelationsController < ApiController
require "xml/libxml"
+ before_action :check_api_writable, :only => [:create, :update, :delete]
+ before_action :check_api_readable, :except => [:create, :update, :delete]
before_action :authorize, :only => [:create, :update, :delete]
authorize_resource
before_action :require_public_data, :only => [:create, :update, :delete]
- before_action :check_api_writable, :only => [:create, :update, :delete]
- before_action :check_api_readable, :except => [:create, :update, :delete]
around_action :api_call_handle_error, :api_call_timeout
before_action :set_request_formats, :except => [:create, :update, :delete]
diff --git a/app/controllers/api/tracepoints_controller.rb b/app/controllers/api/tracepoints_controller.rb
index e758d559f..e8bd97b64 100644
--- a/app/controllers/api/tracepoints_controller.rb
+++ b/app/controllers/api/tracepoints_controller.rb
@@ -1,8 +1,9 @@
module Api
class TracepointsController < ApiController
+ before_action :check_api_readable
+
authorize_resource
- before_action :check_api_readable
around_action :api_call_handle_error, :api_call_timeout
# Get an XML response containing a list of tracepoints that have been uploaded
diff --git a/app/controllers/api/traces_controller.rb b/app/controllers/api/traces_controller.rb
index 6a0ec81ec..8121764a1 100644
--- a/app/controllers/api/traces_controller.rb
+++ b/app/controllers/api/traces_controller.rb
@@ -1,13 +1,13 @@
module Api
class TracesController < ApiController
+ before_action :check_database_readable, :except => [:show, :data]
+ before_action :check_database_writable, :only => [:create, :update, :destroy]
before_action :authorize_web
before_action :set_locale
before_action :authorize
authorize_resource
- before_action :check_database_readable, :except => [:show, :data]
- before_action :check_database_writable, :only => [:create, :update, :destroy]
before_action :check_api_readable, :only => [:show, :data]
before_action :check_api_writable, :only => [:create, :update, :destroy]
before_action :offline_error, :only => [:create, :destroy, :data]
diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index a452cb930..d4baf4a82 100644
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -1,12 +1,12 @@
module Api
class UsersController < ApiController
+ before_action :check_api_readable
before_action :disable_terms_redirect, :only => [:details]
before_action :setup_user_auth, :only => [:show, :index]
before_action :authorize, :only => [:details, :gpx_files]
authorize_resource
- before_action :check_api_readable
around_action :api_call_handle_error
before_action :lookup_user_by_id, :only => [:show]
diff --git a/app/controllers/api/ways_controller.rb b/app/controllers/api/ways_controller.rb
index f88f3a1d0..ca4acd611 100644
--- a/app/controllers/api/ways_controller.rb
+++ b/app/controllers/api/ways_controller.rb
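Review bot: In TracesController only the database-status filters are moved above `authorize_web`/`authorize`/`authorize_resource`; the two API-status filters, `before_action :check_api_readable, :only => [:show, :data]` and `before_action :check_api_writable, :only => [:create, :update, :destroy]`, are left below them, so for these actions an offline or read-only API would presumably still be answered by the authorization step before the status check runs, which is the ordering the rest of the commit removes. Moving those two lines up next to the database checks would make this controller consistent with the other hunks. The class body continues outside the hunk.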
@@ -2,13 +2,13 @@ module Api
class WaysController < ApiController
require "xml/libxml"
+ before_action :check_api_writable, :only => [:create, :update, :delete]
+ before_action :check_api_readable, :except => [:create, :update, :delete]
before_action :authorize, :only => [:create, :update, :delete]
authorize_resource
before_action :require_public_data, :only => [:create, :update, :delete]
- before_action :check_api_writable, :only => [:create, :update, :delete]
- before_action :check_api_readable, :except => [:create, :update, :delete]
around_action :api_call_handle_error, :api_call_timeout
before_action :set_request_formats, :except => [:create, :update, :delete]