From 7d3a5899c9ef20b9a67eda05c1b1c167b6677bdd Mon Sep 17 00:00:00 2001
From: Thomas Wood
Date: Mon, 23 Mar 2009 19:40:33 +0000
Subject: [PATCH 1/1] More fixes to the changeset viewer, including logged-in-ness on per-user edit lists, fix XSS potential on usernames here, and general tidyups.
---
 app/controllers/changeset_controller.rb | 34 +++++++++++++------------
 app/views/changeset/_changeset.rhtml | 14 +++++-----
 app/views/changeset/list_user.rhtml | 11 +++++---
 3 files changed, 32 insertions(+), 27 deletions(-)
diff --git a/app/controllers/changeset_controller.rb b/app/controllers/changeset_controller.rb
index bb628d48e..b905ae663 100644
--- a/app/controllers/changeset_controller.rb
+++ b/app/controllers/changeset_controller.rb
@@ -320,24 +320,26 @@ class ChangesetController < ApplicationController
   ##
   # list edits (changesets) belonging to a user
   def list_user
-    #find user by display name
-    user = User.find(:first, :conditions => [ "visible = ? and display_name = ?", true, params[:display_name]])
+    user = User.find_by_display_name(params[:display_name], :conditions => {:visible => true})
 
-    conditions = nil
-    begin
-      conditions = conditions_user(user.id);
-    rescue OSM::APINotFoundError
-
+    if user
+      @display_name = user.display_name
+      if not user.data_public? and @user != user
+        @edits = nil
+        render
+      else
+        conditions = cond_merge conditions, ['user_id = ?', user.id]
+        conditions = cond_merge conditions, conditions_nonempty
+        @edit_pages, @edits = paginate(:changesets,
+                                        :include => [:user, :changeset_tags],
+                                        :conditions => conditions,
+                                        :order => "changesets.created_at DESC",
+                                        :per_page => 20)
+      end
+    else
+      @not_found_user = params[:display_name]
+      render :template => 'user/no_such_user', :status => :not_found
     end
-    conditions = cond_merge conditions, conditions_nonempty
-    @edit_pages, @edits = paginate(:changesets,
-                                    :include => [:user, :changeset_tags],
-                                    :conditions => conditions,
-                                    :order => "changesets.created_at DESC",
-                                    :per_page => 20)
-
-    @display_name = user.display_name
-    # FIXME needs rescues in here
   end
 
   ##
diff --git a/app/views/changeset/_changeset.rhtml b/app/views/changeset/_changeset.rhtml
index 67f3e72bb..7e5aeed88 100644
--- a/app/views/changeset/_changeset.rhtml
+++ b/app/views/changeset/_changeset.rhtml
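Review bot: In the new `else` branch, `conditions = cond_merge conditions, ['user_id = ?', user.id]` reads `conditions` before anything has assigned it; Ruby yields nil there only because the assignment's left-hand side declares the local before the right-hand side is evaluated, which is a parser quirk rather than a visible intent, and the removed code carried an explicit `conditions = nil`. Since the removed code already passed two condition arrays to `cond_merge` (the result of `conditions_user(user.id)` and `conditions_nonempty`), the two calls can presumably collapse to `conditions = cond_merge(['user_id = ?', user.id], conditions_nonempty)` — confirm `cond_merge` accepts an array as its first argument, as it is defined outside this hunk. The guard `if not user.data_public? and @user != user` reads more plainly as `if !user.data_public? && @user != user`, and it relies on `@user` being the logged-in user set up elsewhere in the controller, which this hunk does not show. The not-found branch hands the raw `params[:display_name]` to `user/no_such_user`, so that template must `h()` it; it is outside this patch and worth checking given that the same commit fixes exactly this escaping in list_user.rhtml. `list_user` starts and ends inside the hunk.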
@@ -9,13 +9,13 @@
     <% else %><%= changeset.closed_at.strftime("%d %b %Y %H:%M") %><% end %>
-    <%if showusername==true %>
-
-    <% if changeset.user.data_public? %>
-    <%= link_to h(changeset.user.display_name), :controller => "user", :action => "view", :display_name => changeset.user.display_name %>
-    <% else %>
-    annon
-    <% end %>
+    <%if showusername %>
+
+    <% if changeset.user.data_public? %>
+    <%= link_to h(changeset.user.display_name), :controller => "user", :action => "view", :display_name => changeset.user.display_name %>
+    <% else %>
+    Anonymous
+    <% end %>
     <% end %>
diff --git a/app/views/changeset/list_user.rhtml b/app/views/changeset/list_user.rhtml
index a2096adef..2f3ca04ce 100644
--- a/app/views/changeset/list_user.rhtml
+++ b/app/views/changeset/list_user.rhtml
@@ -1,6 +1,9 @@
-
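Review bot: Style: the first added line `<%if showusername %>` has no space after the opening tag while every other ERB tag in the hunk does; `<% if showusername %>` keeps the partial consistent. The partial still decides purely on `changeset.user.data_public?`, so a logged-in user whose data is private is shown as "Anonymous" for their own edits wherever `showusername` is true, even though the controller change in this same commit lets that user view their own edit list; if that asymmetry is intended, a note such as `<%# the viewer is not special-cased: private users are always listed as Anonymous %>` would stop the next reader from "fixing" it. Escaping the link text with `h()` is correct; the `:display_name` route parameter is presumably encoded by the URL helper and needs nothing extra here. The enclosing table cell and row start and end outside the hunk, and the `<td>` markup appears to have been stripped in this rendering, so the blank `-`/`+` lines are probably those tags.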

Edits by <%= link_to(@display_name, {:controller=>'user', :action=>'view', :display_name=>@display_name}) %>

-<%= render :partial => 'changeset_paging_nav' %> +

Edits by <%= link_to(h(@display_name), {:controller=>'user', :action=>'view', :display_name=>@display_name}) %>

+<% if not @edits or @edits.empty? %> +

No visible edits by <%= h(@display_name) %>.

+<% else %> +<%= render :partial => 'changeset_paging_nav' %> @@ -9,7 +12,7 @@ - <%= render :partial => 'changeset', :locals => {:showusername => false}, :collection => @edits unless @edits.nil? %> + <%= render :partial => 'changeset', :locals => {:showusername => false}, :collection => @edits %>
IDArea
- <%= render :partial => 'changeset_paging_nav' %> +<% end %> -- 2.39.5
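Review bot: `<% if not @edits or @edits.empty? %>` uses the low-precedence keyword operators; in a Rails view `<% if @edits.blank? %>` expresses the same test (nil and empty both count as blank) without the `not … or` precedence trap. The hunk's HTML markup has been stripped in this rendering, so the exact line layout is uncertain, but the final lines appear to remove the second `changeset_paging_nav` render below the table rather than move it inside the new `<% else %>` branch; if that removal is real, paging links vanish from the bottom of long lists, so confirm it is intended. Wrapping `@display_name` in `h()` in both the heading and the empty-state message is the right fix for the XSS the commit message describes: the controller hunk sets `@display_name` from `user.display_name`, a user-chosen value, so it must be escaped even though it no longer comes straight from `params`.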