From: Tom Hughes <tom@compton.nu>
Date: Wed, 2 Aug 2023 16:01:05 +0000 (+0100)
Subject: Merge remote-tracking branch 'upstream/pull/4131'
X-Git-Tag: live~1402
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/eae9c15b75eee543b86130d50552d3c2942ae02f?hp=98b1e5f76ce400af3270c3350804d40e30fd7d53

Merge remote-tracking branch 'upstream/pull/4131'
---

diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index 5d196fa98..cdf28bd4f 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -56,7 +56,7 @@ class Ability
         can [:account, :go_public], User
 
         if user.moderator?
-          can [:hide, :hidecomment], DiaryEntry
+          can [:hide, :unhide, :hidecomment, :unhidecomment], DiaryEntry
           can [:index, :show, :resolve, :ignore, :reopen], Issue
           can :create, IssueComment
           can [:new, :create, :edit, :update, :destroy], Redaction
diff --git a/app/assets/javascripts/index.js b/app/assets/javascripts/index.js
index 38c498169..783c4da8d 100644
--- a/app/assets/javascripts/index.js
+++ b/app/assets/javascripts/index.js
@@ -192,11 +192,11 @@ $(document).ready(function () {
   });
 
   if (Cookies.get("_osm_welcome") !== "hide") {
-    $(".welcome").addClass("visible");
+    $(".welcome").removeAttr("hidden");
   }
 
   $(".welcome .btn-close").on("click", function () {
-    $(".welcome").removeClass("visible");
+    $(".welcome").hide();
     Cookies.set("_osm_welcome", "hide", { secure: true, expires: expiry, path: "/", samesite: "lax" });
   });
 
diff --git a/app/assets/javascripts/leaflet.share.js b/app/assets/javascripts/leaflet.share.js
index 73ca64f63..7b1c995c2 100644
--- a/app/assets/javascripts/leaflet.share.js
+++ b/app/assets/javascripts/leaflet.share.js
@@ -316,7 +316,7 @@ L.OSM.share = function (options) {
       }
 
       $("#embed_html").val(
-        "<iframe width=\"425\" height=\"350\" frameborder=\"0\" scrolling=\"no\" marginheight=\"0\" marginwidth=\"0\" src=\"" +
+        "<iframe width=\"425\" height=\"350\" src=\"" +
           escapeHTML(OSM.SERVER_PROTOCOL + "://" + OSM.SERVER_URL + "/export/embed.html?" + $.param(params)) +
           "\" style=\"border: 1px solid black\"></iframe><br/>" +
           "<small><a href=\"" + escapeHTML(map.getUrl(marker)) + "\">" +
diff --git a/app/assets/stylesheets/common.scss b/app/assets/stylesheets/common.scss
index 848e3f1be..d74ece45a 100644
--- a/app/assets/stylesheets/common.scss
+++ b/app/assets/stylesheets/common.scss
@@ -317,7 +317,7 @@ body.small-nav {
     display: inline-block;
   }
 
-  .overlay-sidebar #sidebar .welcome.visible {
+  .overlay-sidebar #sidebar .welcome {
     display: none;
   }
 
@@ -422,9 +422,6 @@ body.small-nav {
 
     > div {
       position: relative;
-      float: left;
-      clear: both;
-      width: 100%;
     }
   }
 
@@ -439,11 +436,7 @@ body.small-nav {
     }
 
     .welcome {
-      display: none;
-
-      &.visible {
-        display: block;
-      }
+      display: block;
     }
 
     #sidebar_content {
diff --git a/app/controllers/diary_entries_controller.rb b/app/controllers/diary_entries_controller.rb
index 4cdc1b55a..ea9aacb21 100644
--- a/app/controllers/diary_entries_controller.rb
+++ b/app/controllers/diary_entries_controller.rb
@@ -17,7 +17,7 @@ class DiaryEntriesController < ApplicationController
 
       if @user
         @title = t ".user_title", :user => @user.display_name
-        @entries = @user.diary_entries
+        entries = @user.diary_entries
       else
         render_unknown_user params[:display_name]
         return
@@ -25,7 +25,7 @@ class DiaryEntriesController < ApplicationController
     elsif params[:friends]
       if current_user
         @title = t ".title_friends"
-        @entries = DiaryEntry.where(:user_id => current_user.friends)
+        entries = DiaryEntry.where(:user_id => current_user.friends)
       else
         require_user
         return
@@ -33,36 +33,46 @@ class DiaryEntriesController < ApplicationController
     elsif params[:nearby]
       if current_user
         @title = t ".title_nearby"
-        @entries = DiaryEntry.where(:user_id => current_user.nearby)
+        entries = DiaryEntry.where(:user_id => current_user.nearby)
       else
         require_user
         return
       end
     else
-      @entries = DiaryEntry.joins(:user).where(:users => { :status => %w[active confirmed] })
+      entries = DiaryEntry.joins(:user).where(:users => { :status => %w[active confirmed] })
 
       if params[:language]
         @title = t ".in_language_title", :language => Language.find(params[:language]).english_name
-        @entries = @entries.where(:language_code => params[:language])
+        entries = entries.where(:language_code => params[:language])
       else
         @title = t ".title"
       end
     end
 
+    entries = entries.visible unless can? :unhide, DiaryEntry
+
     @params = params.permit(:display_name, :friends, :nearby, :language)
 
-    @page = (params[:page] || 1).to_i
-    @page_size = 20
+    @entries = if params[:before]
+                 entries.where("diary_entries.id < ?", params[:before]).order(:id => :desc)
+               elsif params[:after]
+                 entries.where("diary_entries.id > ?", params[:after]).order(:id => :asc)
+               else
+                 entries.order(:id => :desc)
+               end
 
-    @entries = @entries.visible unless can? :unhide, DiaryEntry
-    @entries = @entries.order("created_at DESC")
-    @entries = @entries.offset((@page - 1) * @page_size)
-    @entries = @entries.limit(@page_size)
+    @entries = @entries.limit(20)
     @entries = @entries.includes(:user, :language)
+    @entries = @entries.sort.reverse
+
+    @newer_entries = @entries.count.positive? && entries.exists?(["diary_entries.id > ?", @entries.first.id])
+    @older_entries = @entries.count.positive? && entries.exists?(["diary_entries.id < ?", @entries.last.id])
   end
 
   def show
-    @entry = @user.diary_entries.visible.where(:id => params[:id]).first
+    entries = @user.diary_entries
+    entries = entries.visible unless can? :unhide, DiaryEntry
+    @entry = entries.where(:id => params[:id]).first
     if @entry
       @title = t ".title", :user => params[:display_name], :title => @entry.title
       @comments = can?(:unhidecomment, DiaryEntry) ? @entry.comments : @entry.visible_comments
diff --git a/app/models/oauth2_application.rb b/app/models/oauth2_application.rb
index 165761520..73a02417d 100644
--- a/app/models/oauth2_application.rb
+++ b/app/models/oauth2_application.rb
@@ -3,6 +3,10 @@ class Oauth2Application < Doorkeeper::Application
 
   validate :allowed_scopes
 
+  def authorized_scopes_for(user)
+    authorized_tokens.where(:resource_owner_id => user).sum(Doorkeeper::OAuth::Scopes.new, &:scopes)
+  end
+
   private
 
   def allowed_scopes
diff --git a/app/views/application/_sidebar_header.html.erb b/app/views/application/_sidebar_header.html.erb
index 88a1fff4a..9e7877f8a 100644
--- a/app/views/application/_sidebar_header.html.erb
+++ b/app/views/application/_sidebar_header.html.erb
@@ -1,4 +1,4 @@
-<div class="d-flex w-100">
+<div class="d-flex">
   <h2 class="flex-grow-1 text-break"><%= title %></h2>
   <div>
     <button type="button" class="btn-close" aria-label="<%= t("javascripts.close") %>"></button>
diff --git a/app/views/diary_entries/index.html.erb b/app/views/diary_entries/index.html.erb
index 9c0112cd0..4a8beab37 100644
--- a/app/views/diary_entries/index.html.erb
+++ b/app/views/diary_entries/index.html.erb
@@ -38,9 +38,9 @@
 
   <nav>
     <ul class="pagination">
-      <% if @entries.size >= @page_size -%>
+      <% if @older_entries -%>
         <li class="page-item">
-          <%= link_to t(".older_entries"), @params.merge(:page => @page + 1), :class => "page-link" %>
+          <%= link_to t(".older_entries"), @params.merge(:before => @entries.last.id), :class => "page-link" %>
         </li>
       <% else -%>
         <li class="page-item disabled">
@@ -48,9 +48,9 @@
         </li>
       <% end -%>
 
-      <% if @page > 1 -%>
+      <% if @newer_entries -%>
         <li class="page-item">
-          <%= link_to t(".newer_entries"), @params.merge(:page => @page - 1), :class => "page-link" %>
+          <%= link_to t(".newer_entries"), @params.merge(:after => @entries.first.id), :class => "page-link" %>
         </li>
       <% else -%>
         <li class="page-item disabled">
diff --git a/app/views/layouts/map.html.erb b/app/views/layouts/map.html.erb
index b3c85d918..6d983d30e 100644
--- a/app/views/layouts/map.html.erb
+++ b/app/views/layouts/map.html.erb
@@ -41,7 +41,7 @@
     </div>
 
     <% unless current_user %>
-      <div class="welcome p-3">
+      <div class="welcome p-3" hidden>
         <%= render "sidebar_header", :title => t("layouts.intro_header") %>
         <div>
           <p><%= t "layouts.intro_text" %></p>
diff --git a/app/views/oauth2_authorized_applications/_application.html.erb b/app/views/oauth2_authorized_applications/_application.html.erb
index 7cb03de2f..8abbb26ed 100644
--- a/app/views/oauth2_authorized_applications/_application.html.erb
+++ b/app/views/oauth2_authorized_applications/_application.html.erb
@@ -4,7 +4,7 @@
   </td>
   <td class="align-middle">
     <ul class="list-unstyled mb-0">
-      <% application.scopes.each do |scope| -%>
+      <% application.authorized_scopes_for(current_user).each do |scope| -%>
         <li><%= t "oauth.scopes.#{scope}" %></li>
       <% end -%>
     </ul>
diff --git a/app/views/site/about.html.erb b/app/views/site/about.html.erb
index 277fb1384..f6f6ba137 100644
--- a/app/views/site/about.html.erb
+++ b/app/views/site/about.html.erb
@@ -11,7 +11,7 @@
         </div>
       </div>
       <div class='row'>
-        <div class="w-100 px-5 py-4 bg-dark">
+        <div class="px-5 py-4 bg-dark">
           <h1 class="text-white fw-light"><%= t ".used_by_html", :name => tag.span("OpenStreetMap", :class => "user-name") %></h1>
         </div>
       </div>
diff --git a/test/controllers/diary_entries_controller_test.rb b/test/controllers/diary_entries_controller_test.rb
index 42d042645..c9464ffed 100644
--- a/test/controllers/diary_entries_controller_test.rb
+++ b/test/controllers/diary_entries_controller_test.rb
@@ -564,11 +564,36 @@ class DiaryEntriesControllerTest < ActionDispatch::IntegrationTest
     get diary_entries_path
     assert_response :success
     assert_select "div.diary_post", :count => 20
+    assert_select "li.page-item a.page-link", :text => "Older Entries", :count => 1
+    assert_select "li.page-item.disabled span.page-link", :text => "Newer Entries", :count => 1
 
     # Try and get the second page
-    get diary_entries_path(:page => 2)
+    get css_select("li.page-item a.page-link").first["href"]
     assert_response :success
     assert_select "div.diary_post", :count => 20
+    assert_select "li.page-item a.page-link", :text => "Older Entries", :count => 1
+    assert_select "li.page-item a.page-link", :text => "Newer Entries", :count => 1
+
+    # Try and get the third page
+    get css_select("li.page-item a.page-link").first["href"]
+    assert_response :success
+    assert_select "div.diary_post", :count => 10
+    assert_select "li.page-item.disabled span.page-link", :text => "Older Entries", :count => 1
+    assert_select "li.page-item a.page-link", :text => "Newer Entries", :count => 1
+
+    # Go back to the second page
+    get css_select("li.page-item a.page-link").last["href"]
+    assert_response :success
+    assert_select "div.diary_post", :count => 20
+    assert_select "li.page-item a.page-link", :text => "Older Entries", :count => 1
+    assert_select "li.page-item a.page-link", :text => "Newer Entries", :count => 1
+
+    # Go back to the first page
+    get css_select("li.page-item a.page-link").last["href"]
+    assert_response :success
+    assert_select "div.diary_post", :count => 20
+    assert_select "li.page-item a.page-link", :text => "Older Entries", :count => 1
+    assert_select "li.page-item.disabled span.page-link", :text => "Newer Entries", :count => 1
   end
 
   def test_rss
@@ -680,14 +705,26 @@ class DiaryEntriesControllerTest < ActionDispatch::IntegrationTest
     assert_response :not_found
 
     # Try an entry by a suspended user
-    diary_entry_suspended = create(:diary_entry, :user => suspended_user)
-    get diary_entry_path(:display_name => suspended_user.display_name, :id => diary_entry_suspended)
+    diary_entry_suspended_user = create(:diary_entry, :user => suspended_user)
+    get diary_entry_path(:display_name => suspended_user.display_name, :id => diary_entry_suspended_user)
     assert_response :not_found
 
     # Try an entry by a deleted user
-    diary_entry_deleted = create(:diary_entry, :user => deleted_user)
-    get diary_entry_path(:display_name => deleted_user.display_name, :id => diary_entry_deleted)
+    diary_entry_deleted_user = create(:diary_entry, :user => deleted_user)
+    get diary_entry_path(:display_name => deleted_user.display_name, :id => diary_entry_deleted_user)
     assert_response :not_found
+
+    # Now try as a moderator
+    session_for(create(:moderator_user))
+    get diary_entry_path(:display_name => user.display_name, :id => diary_entry_deleted)
+    assert_response :success
+    assert_template :show
+
+    # Finally try as an administrator
+    session_for(create(:administrator_user))
+    get diary_entry_path(:display_name => user.display_name, :id => diary_entry_deleted)
+    assert_response :success
+    assert_template :show
   end
 
   def test_show_hidden_comments
@@ -764,8 +801,11 @@ class DiaryEntriesControllerTest < ActionDispatch::IntegrationTest
     session_for(create(:moderator_user))
     post unhide_diary_entry_path(:display_name => user.display_name, :id => diary_entry)
     assert_response :redirect
-    assert_redirected_to :controller => :errors, :action => :forbidden
-    assert_not DiaryEntry.find(diary_entry.id).visible
+    assert_redirected_to :action => :index, :display_name => user.display_name
+    assert DiaryEntry.find(diary_entry.id).visible
+
+    # Reset
+    diary_entry.reload.update(:visible => true)
 
     # Finally try as an administrator
     session_for(create(:administrator_user))
@@ -831,8 +871,11 @@ class DiaryEntriesControllerTest < ActionDispatch::IntegrationTest
     session_for(create(:moderator_user))
     post unhide_diary_comment_path(:display_name => user.display_name, :id => diary_entry, :comment => diary_comment)
     assert_response :redirect
-    assert_redirected_to :controller => :errors, :action => :forbidden
-    assert_not DiaryComment.find(diary_comment.id).visible
+    assert_redirected_to :action => :show, :display_name => user.display_name, :id => diary_entry.id
+    assert DiaryComment.find(diary_comment.id).visible
+
+    # Reset
+    diary_comment.reload.update(:visible => true)
 
     # Finally try as an administrator
     session_for(create(:administrator_user))
diff --git a/test/controllers/oauth2_authorized_applications_controller_test.rb b/test/controllers/oauth2_authorized_applications_controller_test.rb
index 347d3e40e..c01f7d6f3 100644
--- a/test/controllers/oauth2_authorized_applications_controller_test.rb
+++ b/test/controllers/oauth2_authorized_applications_controller_test.rb
@@ -36,6 +36,32 @@ class Oauth2AuthorizedApplicationsControllerTest < ActionDispatch::IntegrationTe
     assert_select "tbody tr", 2
   end
 
+  def test_index_scopes
+    user = create(:user)
+    application1 = create(:oauth_application, :scopes => %w[read_prefs write_prefs write_diary read_gpx write_gpx])
+    create(:oauth_access_grant, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_prefs])
+    create(:oauth_access_token, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_prefs])
+    create(:oauth_access_grant, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_diary])
+    create(:oauth_access_token, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_diary])
+
+    get oauth_authorized_applications_path
+    assert_response :redirect
+    assert_redirected_to login_path(:referer => oauth_authorized_applications_path)
+
+    session_for(user)
+
+    get oauth_authorized_applications_path
+    assert_response :success
+    assert_template "oauth2_authorized_applications/index"
+    assert_select "tbody tr", 1
+    assert_select "tbody tr td ul" do
+      assert_select "li", :count => 3
+      assert_select "li", :text => "Read user preferences"
+      assert_select "li", :text => "Modify user preferences"
+      assert_select "li", :text => "Create diary entries, comments and make friends"
+    end
+  end
+
   def test_destroy
     user = create(:user)
     application1 = create(:oauth_application)