[openstreetmap/openstreetmap-website] Remove ability to upload/edit traces from blocked users (PR #4129)

Andy Allan notifications at github.com
Wed Aug 16 13:06:10 UTC 2023


> The API block did what? It didn't block trace uploads did it?

Presumably it would. An API block applies to all API methods that call the [`setup_user_auth`](https://github.com/openstreetmap/openstreetmap-website/blob/6b633e9d4a49df1f9308ef392203437cb7742558/app/controllers/api_controller.rb#L127) method (or that call it indirectly, e.g. via [`authorize`](https://github.com/openstreetmap/openstreetmap-website/blob/6b633e9d4a49df1f9308ef392203437cb7742558/app/controllers/api_controller.rb#L48-L50)).

So a user_block will block API access to nodes/ways/relations/changesets and also traces, notes, changeset comments, user preferences, permissions APIs. There are a few other API methods that are not blocked (e.g. map, capabilities, versions, users).

I can see the logic in expanding this to cover any API methods that are duplicated in HTML versions. I view a "User Block" as something to stop a user from doing bad stuff, so if we added e.g. inline tag editing through the website, I would expect it to be blocked too, regardless of implementation details.

I suspect we might need to expand UserBlocks themselves at some point, e.g. to have a list of checkboxes for different features, e.g. so that a user can be blocked from uploading traces while still being able to respond to changeset comments, but that's out of scope for now.


