From bda8544d94a10b2ae20db86a2140058d8fe86e30 Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 9 Jan 2019 16:43:41 +0100
Subject: [PATCH 1/2] Mark non-action methods as protected
---
 app/controllers/oauth_controller.rb | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/app/controllers/oauth_controller.rb b/app/controllers/oauth_controller.rb
index 96b562b5ef..38006fd350 100644
--- a/app/controllers/oauth_controller.rb
+++ b/app/controllers/oauth_controller.rb
@@ -5,6 +5,17 @@ class OauthController < ApplicationController
 layout "site"
+ def revoke
+ @token = current_user.oauth_tokens.find_by :token => params[:token]
+ if @token
+ @token.invalidate!
+ flash[:notice] = t(".flash", :application => @token.client_application.name)
+ end
+ redirect_to oauth_clients_url(:display_name => @token.user.display_name)
+ end
+
+ protected
+
 def login_required
 authorize_web
 set_locale
@@ -26,17 +37,6 @@ def user_authorizes_token?
 any_auth
 end
- def revoke
- @token = current_user.oauth_tokens.find_by :token => params[:token]
- if @token
- @token.invalidate!
- flash[:notice] = t(".flash", :application => @token.client_application.name)
- end
- redirect_to oauth_clients_url(:display_name => @token.user.display_name)
- end
-
- protected
-
 def oauth1_authorize
 override_content_security_policy_directives(:form_action => []) if CSP_ENFORCE || defined?(CSP_REPORT_URL)
From 3e49e4a62ad9ccce7a193ab0393a7722896455aa Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 9 Jan 2019 16:58:38 +0100
Subject: [PATCH 2/2] Use CanCanCan to control access to oauth controller actions
---
 app/abilities/ability.rb | 2 ++
 app/controllers/oauth_controller.rb | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index dca80ebbab..a3700b305b 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
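Review bot: The moved `revoke` action still dereferences `@token` on its `redirect_to` line even when the `find_by` two lines earlier returned nil, so a request whose `params[:token]` does not belong to `current_user` raises `NoMethodError` on nil instead of redirecting; the patch only relocates the method, but this is the code now sitting above `protected`. Because the lookup is scoped to `current_user.oauth_tokens`, the token's owner is always the current user, so the redirect does not need the token at all: `redirect_to oauth_clients_url(:display_name => current_user.display_name)`. The `flash` line inside the `if` is already guarded and can stay as is. The second hunk of this patch is the matching pure deletion and needs nothing.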
@@ -15,6 +15,7 @@ def initialize(user)
 can [:search, :search_latlon, :search_ca_postcode, :search_osm_nominatim, :search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
 can [:index, :create, :comment, :feed, :show, :search, :mine], Note
+ can [:token, :request_token, :access_token, :test_request], :oauth
 can [:index, :show], Redaction
 can [:search_all, :search_nodes, :search_ways, :search_relations], :search
 can [:trackpoints], :swf
@@ -28,6 +29,7 @@ def initialize(user)
 can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry
 can [:new, :create, :reply, :show, :inbox, :outbox, :mark, :destroy], Message
 can [:close, :reopen], Note
+ can [:revoke, :authorize], :oauth
 can [:new, :create], Report
 can [:mine, :new, :create, :edit, :update, :delete, :api_create, :api_read, :api_update, :api_delete, :api_data], Trace
 can [:account, :go_public, :make_friend, :remove_friend, :api_details, :api_gpx_files], User
diff --git a/app/controllers/oauth_controller.rb b/app/controllers/oauth_controller.rb
index 38006fd350..0954071a56 100644
--- a/app/controllers/oauth_controller.rb
+++ b/app/controllers/oauth_controller.rb
@@ -3,6 +3,10 @@ class OauthController < ApplicationController
 include OAuth::Controllers::ProviderController
+ # The ProviderController will call login_required for any action that needs
+ # a login, but we want to check authorization on every action.
+ authorize_resource :class => false
+
 layout "site"
 def revoke
@@ -19,7 +23,6 @@ def revoke
 def login_required
 authorize_web
 set_locale
- require_user
 end
 def user_authorizes_token?
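Review bot: The two `:oauth` grants (this hunk and the one at `@@ -28,6 +29,7`) enumerate six actions, and because the controller now runs `authorize_resource :class => false` on every action, any other action routed to `OauthController` — including anything the included `ProviderController` exposes that is not named here — will be denied from this commit on; please cross-check the routes for this controller before merging. Judging by the surrounding `:geocoder`/`Note`/`Redaction` lines this first grant appears to sit in the block that applies to every visitor, so `token`, `request_token`, `access_token` and `test_request` become reachable without a session; that is presumably intended because OAuth token endpoints are authenticated by request signature rather than by login, but the file should say so, e.g. `# OAuth token endpoints authenticate by request signature, not by session`. The `:revoke`/`:authorize` grant in the second hunk looks like it sits in the logged-in block, which I cannot confirm from the visible context. `initialize` starts and ends outside both hunks.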
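Review bot: The comment above `authorize_resource :class => false` explains the intent but not the ordering the change depends on: the filter is registered at this point in the class body, after whatever `before_action`s the `include OAuth::Controllers::ProviderController` on the line above installed, so for the actions `ProviderController` guards it runs after `login_required` (and its `authorize_web`), whereas for the remaining actions nothing in this patch shows `current_user` being established before the ability check. That only works as long as the `Ability` grants for those actions stay unconditional, which is worth recording next to the macro: `# Registered after ProviderController's filters, so it runs after login_required; for the other actions the ability check may see no current_user, so their grants must not depend on one.` The class body continues outside the hunk.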
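Review bot: Dropping `require_user` from `login_required` changes what an anonymous visitor of the `authorize` action gets: where `require_user` presumably redirected to the login page and back, the request now falls through to `authorize_resource`, which raises `CanCan::AccessDenied`, so the outcome is whatever the application's `rescue_from` handler does, and that handler is not part of this patch. The OAuth authorization flow needs the visitor to be able to log in and return to the same authorize URL, so confirm the handler preserves that round trip, or keep an explicit login redirect for `:authorize`. The method's name no longer describes it either, so a line such as `# Despite the name this no longer enforces a login; anonymous access is rejected by authorize_resource instead.` would save the next reader a detour. `login_required` is shown in full; `user_authorizes_token?` runs past the hunk.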