[openstreetmap/openstreetmap-website] Check user instead of scope when getting note author info (PR #5674)

Anton Khorev notifications at github.com
Sat Feb 15 00:51:36 UTC 2025


Previously it was possible to create a note while authorized but having no write_notes scope. The scope check was added to fix #4362.

Currently it's not possible to create notes in this manner and there's a test for that:
https://github.com/openstreetmap/openstreetmap-website/blob/f5af8befa9ffe0c95f4a3c58d2fbb63a2e971ab0/test/controllers/api/notes_controller_test.rb#L233-L242

You can view, comment on, or merge this pull request online at:

  https://github.com/openstreetmap/openstreetmap-website/pull/5674

-- Commit Summary --

  * Check user instead of scope when getting note author info

-- File Changes --

    M app/controllers/api/notes_controller.rb (2)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/5674.patch
https://github.com/openstreetmap/openstreetmap-website/pull/5674.diff
