From ad68d4c6341ef5e9a804c9605092e7269980bc7b Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 2 Jan 2019 19:17:32 +0100
Subject: [PATCH 1/7] Use CanCanCan for search controller
---
 app/abilities/ability.rb | 1 +
 app/controllers/search_controller.rb | 1 +
 2 files changed, 2 insertions(+)
diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index 1fcf6cbeef..01af7eede8 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -11,6 +11,7 @@ def initialize(user)
 :search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
 can [:index, :create, :comment, :feed, :show, :search, :mine], Note
 can [:index, :show], Redaction
+ can [:search_all, :search_nodes, :search_ways, :search_relations], :search
 can [:terms, :api_users, :login, :logout, :new, :create, :save, :confirm, :confirm_resend, :confirm_email, :lost_password, :reset_password, :show, :api_read, :auth_success, :auth_failure], User
 can [:index, :show, :blocks_on, :blocks_by], UserBlock
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 0d40b6691a..3a2e4040f8 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -3,6 +3,7 @@ class SearchController < ApplicationController
 # Can search by tag k, v, or both (type->k,value->v)
 # Can search by name (k=name,v=....)
 skip_before_action :verify_authenticity_token
+ authorize_resource :class => false
 
 def search_all
 do_search(true, true, true)
From 44eea9dcaf42cdd0737ae9344e357901c9fe31b6 Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 2 Jan 2019 19:21:10 +0100
Subject: [PATCH 2/7] Use CanCanCan for export controller
---
 app/abilities/ability.rb | 1 +
 app/controllers/export_controller.rb | 1 +
 2 files changed, 2 insertions(+)
diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index 01af7eede8..97a1c5d04c 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -7,6 +7,7 @@ def initialize(user)
 can :index, ChangesetComment
 can [:index, :permalink, :edit, :help, :fixthemap, :offline, :export, :about, :preview, :copyright, :key, :id], :site
 can [:index, :rss, :show, :comments], DiaryEntry
+ can [:finish, :embed], :export
 can [:search, :search_latlon, :search_ca_postcode, :search_osm_nominatim,
 :search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
 can [:index, :create, :comment, :feed, :show, :search, :mine], Note
diff --git a/app/controllers/export_controller.rb b/app/controllers/export_controller.rb
index afdf4d8d7e..18ac15c101 100644
--- a/app/controllers/export_controller.rb
+++ b/app/controllers/export_controller.rb
@@ -2,6 +2,7 @@ class ExportController < ApplicationController
 before_action :authorize_web
 before_action :set_locale
 before_action :update_totp, :only => [:finish]
+ authorize_resource :class => false
 
 caches_page :embed
 
From 1e30edba53f179fb06a1233b245252d1d5a8ead1 Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 9 Jan 2019 10:10:12 +0100
Subject: [PATCH 3/7] Use CanCanCan for browse controller
---
 app/abilities/ability.rb | 1 +
 app/controllers/browse_controller.rb | 1 +
 2 files changed, 2 insertions(+)
diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index 97a1c5d04c..b5026196fb 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -4,6 +4,7 @@ class Ability
 include CanCan::Ability
 
 def initialize(user)
+ can [:relation, :relation_history, :way, :way_history, :node, :node_history, :changeset, :note], :browse
 can :index, ChangesetComment
 can [:index, :permalink, :edit, :help, :fixthemap, :offline, :export, :about, :preview, :copyright, :key, :id], :site
 can [:index, :rss, :show, :comments], DiaryEntry
diff --git a/app/controllers/browse_controller.rb b/app/controllers/browse_controller.rb
index 6eb9675683..0fccbb506b 100644
--- a/app/controllers/browse_controller.rb
+++ b/app/controllers/browse_controller.rb
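Review bot: In the export_controller.rb hunk, `caches_page :embed` sits two lines below the new `authorize_resource :class => false`, and as I understand Rails page caching the first rendered `embed` response is written out as a static file that later requests receive without entering the controller, so neither `authorize_web` nor the new authorization check runs for cached hits. That is harmless today because the matching `can [:finish, :embed], :export` in the ability.rb hunk carries no user condition, but the grant has to stay unconditional for as long as the page cache is in place, and nothing records that coupling. I would put it next to the cache directive: `# embed is page-cached: cached hits never reach authorize_resource, so its ability grant must not depend on the user`. The rest of ExportController lies outside the hunk.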
@@ -6,6 +6,7 @@ class BrowseController < ApplicationController
 before_action(:except => [:query]) { |c| c.check_database_readable(true) }
 before_action :require_oauth
 around_action :web_timeout
+ authorize_resource :class => false
 
 def relation
 @type = "relation"
From 7420479cdea7629b66a2da628cfd4ace54567b68 Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 9 Jan 2019 10:12:14 +0100
Subject: [PATCH 4/7] Use CanCanCan for directions controller
---
 app/abilities/ability.rb | 1 +
 app/controllers/directions_controller.rb | 1 +
 2 files changed, 2 insertions(+)
diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index b5026196fb..fa0e30f03b 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -6,6 +6,7 @@ class Ability
 def initialize(user)
 can [:relation, :relation_history, :way, :way_history, :node, :node_history, :changeset, :note], :browse
 can :index, ChangesetComment
+ can :search, :direction
 can [:index, :permalink, :edit, :help, :fixthemap, :offline, :export, :about, :preview, :copyright, :key, :id], :site
 can [:index, :rss, :show, :comments], DiaryEntry
 can [:finish, :embed], :export
diff --git a/app/controllers/directions_controller.rb b/app/controllers/directions_controller.rb
index b04db6b6f6..ec23274006 100644
--- a/app/controllers/directions_controller.rb
+++ b/app/controllers/directions_controller.rb
@@ -2,6 +2,7 @@ class DirectionsController < ApplicationController
 before_action :authorize_web
 before_action :set_locale
 before_action :require_oauth, :only => [:search]
+ authorize_resource :class => false
 
 def search
 render :layout => map_layout
From 89399c5ba1926a6c50662a8c9ac7f5fe0cf1f730 Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 9 Jan 2019 10:14:52 +0100
Subject: [PATCH 5/7] Add missing authorize_resource declaration to geocoder controller
---
 app/controllers/geocoder_controller.rb | 1 +
 1 file changed, 1 insertion(+)
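Review bot: In the browse_controller.rb hunk, the first context line `before_action(:except => [:query]) { |c| c.check_database_readable(true) }` shows that BrowseController has a `query` action, but the new `authorize_resource :class => false` applies to every action and the grant this patch adds to Ability (`can [:relation, :relation_history, :way, :way_history, :node, :node_history, :changeset, :note], :browse`) does not list `:query`; unless `query` is covered by an ability rule outside these hunks, it will now raise CanCan::AccessDenied for every caller. Either add `:query` to that grant, or, if the action is deliberately kept outside CanCanCan, scope the declaration with `authorize_resource :class => false, :except => [:query]` and say why in a comment. The controller body continues past the hunk, so I cannot see whether `query` has its own check.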
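Review bot: In patch 4's ability.rb hunk, `can :search, :direction` names the subject in the singular while the controller is DirectionsController, and nothing in the hunk says why; as I understand CanCanCan, `authorize_resource :class => false` derives the subject from the singularized controller name, so `:direction` is the value that matches and a well-meaning change to `:directions` would silently deny the action. A one-line comment on the grant would protect it from that tidy-up: `# subject is the singularized controller name (DirectionsController -> :direction)`. The rest of `initialize` lies outside the hunk.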
diff --git a/app/controllers/geocoder_controller.rb b/app/controllers/geocoder_controller.rb
index da5245687f..b9cf8d096f 100644
--- a/app/controllers/geocoder_controller.rb
+++ b/app/controllers/geocoder_controller.rb
@@ -6,6 +6,7 @@ class GeocoderController < ApplicationController
 before_action :authorize_web
 before_action :set_locale
 before_action :require_oauth, :only => [:search]
+ authorize_resource :class => false
 
 def search
 @params = normalize_params
From 18e418cc4c01ba1ea17daa1bf114e1fd05328df1 Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 9 Jan 2019 10:26:12 +0100
Subject: [PATCH 6/7] Skip authorization checks for amf controller
---
 app/controllers/amf_controller.rb | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/app/controllers/amf_controller.rb b/app/controllers/amf_controller.rb
index 4f6adae5da..fdad432a8d 100644
--- a/app/controllers/amf_controller.rb
+++ b/app/controllers/amf_controller.rb
@@ -41,6 +41,11 @@ class AmfController < ApplicationController
 skip_before_action :verify_authenticity_token
 before_action :check_api_writable
 
+ # AMF Controller implements its own authentication and authorization checks
+ # completely independently of the rest of the codebase, so best just to let
+ # it keep doing its own thing.
+ skip_authorization_check
+
 # Main AMF handlers: process the raw AMF string (using AMF library) and
 # calls each action (private method) accordingly.
 
From 73201ca96be48a5113283709904ac29a6fee9cc8 Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 9 Jan 2019 10:32:57 +0100
Subject: [PATCH 7/7] Use CanCanCan for swf controller
---
 app/abilities/ability.rb | 1 +
 app/controllers/swf_controller.rb | 1 +
 2 files changed, 2 insertions(+)
diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index fa0e30f03b..c182af6056 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
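Review bot: In the amf_controller.rb hunk, `skip_authorization_check` exempts every action this controller has or will have from the framework's authorization guard, and the three comment lines above it only assert that the controller checks authorization itself without saying where, so an auditor cannot confirm the claim from this hunk and a handler added later that forgets its own check will not be caught. I would extend the comment to name the method(s) that actually perform the per-call authentication and authorization, e.g. `# Authorization is enforced per call inside the AMF handlers (see <handler-method-name>); new handlers must do the same.` with the real method name filled in. `before_action :check_api_writable` on the context line above is unaffected; this concerns only CanCanCan. The handlers themselves are outside the hunk.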
@@ -15,6 +15,7 @@ def initialize(user)
 can [:index, :create, :comment, :feed, :show, :search, :mine], Note
 can [:index, :show], Redaction
 can [:search_all, :search_nodes, :search_ways, :search_relations], :search
+ can [:trackpoints], :swf
 can [:terms, :api_users, :login, :logout, :new, :create, :save, :confirm, :confirm_resend, :confirm_email, :lost_password, :reset_password, :show, :api_read, :auth_success, :auth_failure], User
 can [:index, :show, :blocks_on, :blocks_by], UserBlock
diff --git a/app/controllers/swf_controller.rb b/app/controllers/swf_controller.rb
index 96237f029c..1a424c387b 100644
--- a/app/controllers/swf_controller.rb
+++ b/app/controllers/swf_controller.rb
@@ -1,6 +1,7 @@
 class SwfController < ApplicationController
 skip_before_action :verify_authenticity_token
 before_action :check_api_readable
+ authorize_resource :class => false
 
 # to log:
 # RAILS_DEFAULT_LOGGER.error("Args: #{args[0]}, #{args[1]}, #{args[2]}, #{args[3]}")
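Review bot: In the ability.rb hunk, `can [:trackpoints], :swf` wraps a single action in an array, whereas the sibling rule added in patch 4 writes `can :search, :direction`, so the same method now mixes two styles for one-action grants. The bare symbol reads the same to CanCanCan and keeps the list uniform: `can :trackpoints, :swf`. The enclosing `initialize` continues outside the hunk.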