From e7f943c715d7104fd4f22fe59a79a5d52e71a7c4 Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 9 Jan 2019 18:28:27 +0100
Subject: [PATCH 1/1] Use CanCanCan for nodes, ways, relations, old and api controllers

---
 app/abilities/ability.rb                | 15 +++++++++++++++
 app/abilities/capability.rb             |  8 ++++++++
 app/controllers/api_controller.rb       |  4 ++++
 app/controllers/nodes_controller.rb     |  5 ++++-
 app/controllers/old_controller.rb       |  6 ++++--
 app/controllers/relations_controller.rb |  7 ++++++-
 app/controllers/ways_controller.rb      |  5 ++++-
 7 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index dca80ebba..9609ee8bb 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -4,6 +4,7 @@ class Ability
   include CanCan::Ability
 
   def initialize(user)
+    can [:trackpoints, :map, :changes, :capabilities, :permissions], :api
     can [:relation, :relation_history, :way, :way_history, :node, :node_history, :changeset, :note, :new_note, :query], :browse
     can [:index, :feed, :read, :download, :query], Changeset
 
@@ -21,6 +22,12 @@ class Ability
     can [:index, :show, :data, :georss, :picture, :icon], Trace
     can [:terms, :api_users, :login, :logout, :new, :create, :save, :confirm, :confirm_resend, :confirm_email, :lost_password, :reset_password, :show, :api_read, :auth_success, :auth_failure], User
     can [:index, :show, :blocks_on, :blocks_by], UserBlock
+    can [:read, :nodes], Node
+    can [:read, :full, :ways, :ways_for_node], Way
+    can [:read, :full, :relations, :relations_for_node, :relations_for_way, :relations_for_relation], Relation
+    can [:history, :version], OldNode
+    can [:history, :version], OldWay
+    can [:history, :version], OldRelation
 
     if user
       can :welcome, :site
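Review bot: The Node, Way, Relation and Old* grants added in the second hunk sit before `if user`, so they apply to anonymous callers too and this block now defines the API's unauthenticated read surface, which nothing in the file states. A one-line comment above the new `can [:read, :nodes], Node` line would make later edits safer, e.g. `# Public read access to current and historic map data; applies to anonymous API calls as well`. The action symbols listed here have to match the controller action names literally (`:nodes`, `:ways_for_node`, `:history`, `:version`), because `authorize_resource` in the controller hunks checks the request's action name against them, so a controller action that is missing from this list will presumably be denied rather than fall back to the old behaviour.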
@@ -36,6 +43,9 @@ class Ability
       if user.terms_agreed? || !REQUIRE_TERMS_AGREED
         can [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox], Changeset
         can :create, ChangesetComment
+        can [:create, :update, :delete], Node
+        can [:create, :update, :delete], Way
+        can [:create, :update, :delete], Relation
       end
 
       if user.moderator?
@@ -45,6 +55,11 @@ class Ability
         can :destroy, Note
         can [:new, :create, :edit, :update, :destroy], Redaction
         can [:new, :edit, :create, :update, :revoke], UserBlock
+        if user.terms_agreed? || !REQUIRE_TERMS_AGREED
+          can :redact, OldNode
+          can :redact, OldWay
+          can :redact, OldRelation
+        end
       end
 
     if user.administrator?
diff --git a/app/abilities/capability.rb b/app/abilities/capability.rb
index 556d4036c..3d951900b 100644
--- a/app/abilities/capability.rb
+++ b/app/abilities/capability.rb
@@ -15,11 +15,19 @@ class Capability
     if token&.user&.terms_agreed? || !REQUIRE_TERMS_AGREED
       can [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox], Changeset if capability?(token, :allow_write_api)
       can :create, ChangesetComment if capability?(token, :allow_write_api)
+      can [:create, :update, :delete], Node if capability?(token, :allow_write_api)
+      can [:create, :update, :delete], Way if capability?(token, :allow_write_api)
+      can [:create, :update, :delete], Relation if capability?(token, :allow_write_api)
     end
 
     if token&.user&.moderator?
       can [:destroy, :restore], ChangesetComment if capability?(token, :allow_write_api)
       can :destroy, Note if capability?(token, :allow_write_notes)
+      if token&.user&.terms_agreed? || !REQUIRE_TERMS_AGREED
+        can :redact, OldNode if capability?(token, :allow_write_api)
+        can :redact, OldWay if capability?(token, :allow_write_api)
+        can :redact, OldRelation if capability?(token, :allow_write_api)
+      end
     end
   end
 
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index 90883376c..3273665d2 100644
--- a/app/controllers/api_controller.rb
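Review bot: The `:redact` grants in the moderator block of the `@@ -45,6 +55,11 @@` hunk are wrapped in `if user.terms_agreed? || !REQUIRE_TERMS_AGREED`, so redaction now additionally requires accepted terms, whereas the `authorize_moderator` and `require_allow_write_api` filters this replaces (see the old_controller.rb hunk) show no such condition; if that tightening is intended it deserves a sentence in the commit description, and the same applies to the redact block in the capability.rb hunk. The terms condition is now evaluated twice in each file, and in capability.rb `capability?(token, :allow_write_api)` is repeated on six lines of the hunk; computing each once at the top of `initialize` (the method starts outside these hunks), e.g. `terms_accepted = user.terms_agreed? || !REQUIRE_TERMS_AGREED` and `write_api = capability?(token, :allow_write_api)`, would keep the two blocks from drifting apart. A comment above the redact block such as `# Redaction is a write to history, so it needs moderator rights plus the same terms/write-API gate as other writes` would record the intent.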
+++ b/app/controllers/api_controller.rb
@@ -1,5 +1,9 @@
 class ApiController < ApplicationController
   skip_before_action :verify_authenticity_token
+  before_action :api_deny_access_handler
+
+  authorize_resource :class => false
+
   before_action :check_api_readable, :except => [:capabilities]
   before_action :setup_user_auth, :only => [:permissions]
   around_action :api_call_handle_error, :api_call_timeout
diff --git a/app/controllers/nodes_controller.rb b/app/controllers/nodes_controller.rb
index baa6d8195..65f9b27ed 100644
--- a/app/controllers/nodes_controller.rb
+++ b/app/controllers/nodes_controller.rb
@@ -5,7 +5,10 @@ class NodesController < ApplicationController
 
   skip_before_action :verify_authenticity_token
   before_action :authorize, :only => [:create, :update, :delete]
-  before_action :require_allow_write_api, :only => [:create, :update, :delete]
+  before_action :api_deny_access_handler
+
+  authorize_resource
+
   before_action :require_public_data, :only => [:create, :update, :delete]
   before_action :check_api_writable, :only => [:create, :update, :delete]
   before_action :check_api_readable, :except => [:create, :update, :delete]
diff --git a/app/controllers/old_controller.rb b/app/controllers/old_controller.rb
index 4f01b1e2a..74fe0883b 100644
--- a/app/controllers/old_controller.rb
+++ b/app/controllers/old_controller.rb
@@ -6,9 +6,11 @@ class OldController < ApplicationController
 
   skip_before_action :verify_authenticity_token
   before_action :setup_user_auth, :only => [:history, :version]
+  before_action :api_deny_access_handler
   before_action :authorize, :only => [:redact]
-  before_action :authorize_moderator, :only => [:redact]
-  before_action :require_allow_write_api, :only => [:redact]
+
+  authorize_resource
+
   before_action :check_api_readable
   before_action :check_api_writable, :only => [:redact]
   around_action :api_call_handle_error, :api_call_timeout
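Review bot: In the api_controller.rb hunk `authorize_resource :class => false` is declared before `before_action :setup_user_auth, :only => [:permissions]`, so the authorization check for `permissions` runs before the user has been identified and only passes because `:permissions` on `:api` is granted unconditionally in ability.rb; as far as this hunk shows, the other actions get no user setup before the check at all. That is correct today but fragile: moving any of the `:api` grants under `if user` in ability.rb would deny that action for everyone, including authenticated callers. Either declare `authorize_resource` after the `setup_user_auth` line, or add a comment on it such as `# Checked before any user is set up, so the :api grants must stay unconditional in Ability`. The class body continues outside the hunk.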
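Review bot: In the nodes_controller.rb hunk `before_action :api_deny_access_handler` is declared after `before_action :authorize, ...`, while the old_controller.rb hunk places it before `authorize` and api_controller.rb places it first; the relations_controller.rb and ways_controller.rb hunks follow the nodes ordering. If the handler (not visible in this patch) is what selects the API-style response for `CanCan::AccessDenied`, it should be registered before any filter that can raise that error, so moving it directly under `skip_before_action :verify_authenticity_token` in all three controllers, as old_controller.rb does, would make the four controllers consistent. A comment such as `# Use the API error format for CanCan::AccessDenied; must precede the authorization filters` would record why the line comes first.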
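Review bot: In the old_controller.rb hunk `authorize_resource` is declared on `OldController`, which appears to be a shared base class (the hunk header shows only `class OldController < ApplicationController`), so the subject CanCanCan authorizes against presumably comes from each concrete subclass's controller name at request time, which is why ability.rb and capability.rb grant `:history`, `:version` and `:redact` on `OldNode`, `OldWay` and `OldRelation` rather than on one model; that coupling is not obvious from either file. A comment on the line would help, e.g. `# Subject is inferred from the concrete subclass (OldNode/OldWay/OldRelation); keep the ability grants in sync`. With `authorize_moderator` and `require_allow_write_api` removed, the moderator-only and write-token checks for `redact` now live entirely in the abilities, so their tests should cover a non-moderator with a write token and a moderator with a read-only token. The class body continues outside the hunk.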
diff --git a/app/controllers/relations_controller.rb b/app/controllers/relations_controller.rb
index b9108cea1..27bf5cdf8 100644
--- a/app/controllers/relations_controller.rb
+++ b/app/controllers/relations_controller.rb
@@ -3,7 +3,10 @@ class RelationsController < ApplicationController
 
   skip_before_action :verify_authenticity_token
   before_action :authorize, :only => [:create, :update, :delete]
-  before_action :require_allow_write_api, :only => [:create, :update, :delete]
+  before_action :api_deny_access_handler
+
+  authorize_resource
+
   before_action :require_public_data, :only => [:create, :update, :delete]
   before_action :check_api_writable, :only => [:create, :update, :delete]
   before_action :check_api_readable, :except => [:create, :update, :delete]
@@ -148,6 +151,8 @@ class RelationsController < ApplicationController
     relations_for_object("Relation")
   end
 
+  private
+
   def relations_for_object(objtype)
     relationids = RelationMember.where(:member_type => objtype, :member_id => params[:id]).collect(&:relation_id).uniq
 
diff --git a/app/controllers/ways_controller.rb b/app/controllers/ways_controller.rb
index 39129ebf3..85d9b5a5b 100644
--- a/app/controllers/ways_controller.rb
+++ b/app/controllers/ways_controller.rb
@@ -3,7 +3,10 @@ class WaysController < ApplicationController
 
   skip_before_action :verify_authenticity_token
   before_action :authorize, :only => [:create, :update, :delete]
-  before_action :require_allow_write_api, :only => [:create, :update, :delete]
+  before_action :api_deny_access_handler
+
+  authorize_resource
+
   before_action :require_public_data, :only => [:create, :update, :delete]
   before_action :check_api_writable, :only => [:create, :update, :delete]
   before_action :check_api_readable, :except => [:create, :update, :delete]
-- 
2.39.5
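Review bot: The new `private` marker in the `@@ -148,6 +151,8 @@` hunk of relations_controller.rb also covers every method defined below `relations_for_object`, and that remainder of the class is outside the hunk; confirm that no routed action follows it, since a private method is no longer dispatchable as an action and such a route would fail with a missing-action error rather than an authorization decision. Making `relations_for_object` private is the right companion to `authorize_resource`, as it is a helper rather than an action and no ability grants `:relations_for_object`; a one-line comment on it would record that, e.g. `# Helper, not an action: renders the relations that reference the given member type/id`. The body of `relations_for_object` continues outside the hunk.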