diff --git a/app/assets/stylesheets/mobile/settings.scss b/app/assets/stylesheets/mobile/settings.scss
index 45b7c633e..76bbbffb2 100644
--- a/app/assets/stylesheets/mobile/settings.scss
+++ b/app/assets/stylesheets/mobile/settings.scss
@@ -33,3 +33,15 @@
.applications-page .applications-explanation {
margin-bottom: 15px;
}
+
+.application-img {
+ margin: auto;
+ max-width: 150px;
+ text-align: center;
+
+ .entypo-browser {
+ font-size: 137px;
+ height: 160px;
+ margin-top: -45px;
+ }
+}
diff --git a/app/controllers/api/openid_connect/authorizations_controller.rb b/app/controllers/api/openid_connect/authorizations_controller.rb
index e89b72764..3176b2981 100644
--- a/app/controllers/api/openid_connect/authorizations_controller.rb
+++ b/app/controllers/api/openid_connect/authorizations_controller.rb
@@ -114,11 +114,7 @@ module Api
]
save_request_parameters
- @app = {
- name: @o_auth_application.client_name,
- image: @o_auth_application.image_uri,
- authorizations: @scopes
- }
+ @app = UserApplicationPresenter.new @o_auth_application, @scopes
render :new
end
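Review bot: The added constructor call passes its arguments without parentheses; `@app = UserApplicationPresenter.new(@o_auth_application, @scopes)` reads as an ordinary call rather than a DSL macro and follows the style guide. The presenter is built here without an authorization_id, so `app.id` is nil on the consent page; that is fine only as long as `new.html.haml` keeps rendering just `_grants_list`, which the diff suggests it does. The enclosing method starts outside the hunk.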
diff --git a/app/helpers/user_applications_helper.rb b/app/helpers/user_applications_helper.rb
new file mode 100644
index 000000000..6fe2a7f57
--- /dev/null
+++ b/app/helpers/user_applications_helper.rb
@@ -0,0 +1,9 @@
+module UserApplicationsHelper
+ def user_application_name(app)
+ if app.name?
+ "#{app.name} (#{link_to(app.url, app.url)})"
+ else
+ link_to(app.url, app.url)
+ end
+ end
+end
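Review bot: `app.name` is interpolated into a plain Ruby string on the fourth line of the new helper, and every caller in the two `_grants_list.haml` partials marks the translated result `.html_safe`, so an OAuth client_name containing markup reaches the page unescaped; the interpolation also downgrades the `link_to` SafeBuffer to a plain String, which is why the views need `.html_safe` at all. Escape the name inside the helper and return a SafeBuffer, e.g. `h(app.name) + " (" + link_to(app.url, app.url) + ")"` (`SafeBuffer#+` escapes unsafe operands, and the else branch's `link_to` is already safe), which makes the existing `.html_safe` in the views harmless. The cleaner option is to rename the locale keys to `access_html`/`no_requirement_html`, which lets Rails' `t` escape interpolated values itself and lets the views drop `.html_safe` entirely.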
diff --git a/app/presenters/user_application_presenter.rb b/app/presenters/user_application_presenter.rb
new file mode 100644
index 000000000..17dc1b1b2
--- /dev/null
+++ b/app/presenters/user_application_presenter.rb
@@ -0,0 +1,36 @@
+class UserApplicationPresenter
+ def initialize(application, scopes, authorization_id=nil)
+ @app = application
+ @scopes = scopes
+ @authorization_id = authorization_id
+ end
+
+ def scopes
+ @scopes
+ end
+
+ def id
+ @authorization_id
+ end
+
+ def name
+ @app.client_name
+ end
+
+ def image
+ @app.image_uri
+ end
+
+ def name?
+ if @app.client_name
+ true
+ else
+ false
+ end
+ end
+
+ def url
+ client_redirect = URI(@app.redirect_uris[0])
+ "#{client_redirect.scheme}://#{client_redirect.host}"
+ end
+end
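Review bot: `name?` returns true for an empty client_name, because only nil and false are falsy in Ruby, so a client registered with `client_name: ""` (as the new feature step does) is rendered as `" (<link>)"` by the helper; `@app.client_name.present?` is the intended test and replaces the if/else with one expression. `scopes` is a plain reader and could be `attr_reader :scopes`, and the default `authorization_id=nil` wants spaces around `=`. `url` calls `URI(@app.redirect_uris[0])`, which raises when the list is empty or the first entry does not parse; if the model does not guarantee at least one valid redirect URI, guard it here rather than letting the settings page fail.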
diff --git a/app/presenters/user_applications_presenter.rb b/app/presenters/user_applications_presenter.rb
index fe94a73b0..f04b97394 100644
--- a/app/presenters/user_applications_presenter.rb
+++ b/app/presenters/user_applications_presenter.rb
@@ -4,7 +4,10 @@ class UserApplicationsPresenter
end
def user_applications
- @applications ||= @user.o_auth_applications.map {|app| app_as_json(app) }
+ @applications ||= @user.o_auth_applications.map do |app|
+ authorization = Api::OpenidConnect::Authorization.find_by_client_id_and_user(app.client_id, @user)
+ UserApplicationPresenter.new app, authorization.scopes, authorization.id
+ end
end
def applications_count
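Review bot: `authorization.scopes` on the third added line raises NoMethodError when `find_by_client_id_and_user` returns nil, which takes the whole settings page down for one stale application; the removed helpers had the same gap, so the commit does not introduce it but does not close it either. If a missing authorization is possible, skip such applications with `next unless authorization` after the lookup and `end.compact` in place of the closing `end`, or have the presenter accept the authorization itself. The constructor call would also read better with parentheses.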
@@ -14,27 +17,4 @@ class UserApplicationsPresenter
def applications?
applications_count > 0
end
-
- private
-
- def app_as_json(application)
- {
- id: find_id(application),
- name: application.client_name,
- image: application.image_uri,
- authorizations: find_scopes(application)
- }
- end
-
- def find_scopes(application)
- find_auth(application).scopes
- end
-
- def find_id(application)
- find_auth(application).id
- end
-
- def find_auth(application)
- Api::OpenidConnect::Authorization.find_by_client_id_and_user(application.client_id, @user)
- end
end
diff --git a/app/views/api/openid_connect/authorizations/_grants_list.haml b/app/views/api/openid_connect/authorizations/_grants_list.haml
index 72c183221..4f858457a 100644
--- a/app/views/api/openid_connect/authorizations/_grants_list.haml
+++ b/app/views/api/openid_connect/authorizations/_grants_list.haml
@@ -1,16 +1,17 @@
.application-img
- - if app[:image]
- = image_tag app[:image], class: "img-responsive"
+ - if app.image
+ = image_tag app.image, class: "img-responsive"
- else
%i.entypo-browser
.application-authorizations
- - if app[:authorizations].count > 0
- %h4= t("api.openid_connect.authorizations.new.access", name: app[:name])
+ - if app.scopes.count > 0
+ %h4
+ = t("api.openid_connect.authorizations.new.access", name: user_application_name(app)).html_safe
%ul
- - app[:authorizations].each do |authorization|
+ - app.scopes.each do |scope|
%li
- %b= t("api.openid_connect.scopes.#{authorization}.name")
- %p= t("api.openid_connect.scopes.#{authorization}.description")
+ %b= t("api.openid_connect.scopes.#{scope}.name")
+ %p= t("api.openid_connect.scopes.#{scope}.description")
- else
.well
- = t("api.openid_connect.authorizations.new.no_requirement", name: app[:name])
+ = t("api.openid_connect.authorizations.new.no_requirement", name: user_application_name(app)).html_safe
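Review bot: `- if app.scopes.count > 0` on the added line tests emptiness by counting; if scopes is an Array of strings, `- if app.scopes.any?` (or `- unless app.scopes.empty?`) states the intent directly. The same expression appears in `user_applications/_grants_list.haml` at the matching line.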
diff --git a/app/views/api/openid_connect/authorizations/new.html.haml b/app/views/api/openid_connect/authorizations/new.html.haml
index e292f3125..e7bc33028 100644
--- a/app/views/api/openid_connect/authorizations/new.html.haml
+++ b/app/views/api/openid_connect/authorizations/new.html.haml
@@ -1,6 +1,6 @@
-.user-consent.col-md-6.col-md-offset-1
+.user-consent.col-md-10.col-md-offset-1
%ul.list-group
- %li.list-group-item.authorized-application
+ %li.list-group-item.authorized-application.clearfix
= render "grants_list", app: @app
.clearfix.pull-right
diff --git a/app/views/api/openid_connect/user_applications/_add_remove_applications.haml b/app/views/api/openid_connect/user_applications/_add_remove_applications.haml
index 4837111f6..ff467c3f2 100644
--- a/app/views/api/openid_connect/user_applications/_add_remove_applications.haml
+++ b/app/views/api/openid_connect/user_applications/_add_remove_applications.haml
@@ -3,7 +3,7 @@
- @user_apps.user_applications.each do |app|
%li.list-group-item.authorized-application
= render "grants_list", app: app
- = form_for "application", url: "#{api_openid_connect_authorizations_path}/#{app[:id]}",
+ = form_for "application", url: "#{api_openid_connect_authorization_path(app.id)}",
html: {method: :delete, class: "form-horizontal"} do |f|
.clearfix= f.submit t("api.openid_connect.user_applications.revoke_autorization"),
class: "btn btn-danger pull-right app-revoke"
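Review bot: The `url:` value on the added line wraps a single helper call in string interpolation, which only allocates a second string; `url: api_openid_connect_authorization_path(app.id),` is equivalent and clearer.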
diff --git a/app/views/api/openid_connect/user_applications/_grants_list.haml b/app/views/api/openid_connect/user_applications/_grants_list.haml
index 4b11c0030..eb874053c 100644
--- a/app/views/api/openid_connect/user_applications/_grants_list.haml
+++ b/app/views/api/openid_connect/user_applications/_grants_list.haml
@@ -1,16 +1,16 @@
.application-img
- - if app[:image]
- = image_tag app[:image], class: "img-responsive"
+ - if app.image
+ = image_tag app.image, class: "img-responsive"
- else
%i.entypo-browser
.application-authorizations
- - if app[:authorizations].count > 0
- %h4= t("api.openid_connect.user_applications.index.access", name: app[:name])
+ - if app.scopes.count > 0
+ %h4= t("api.openid_connect.user_applications.index.access", name: user_application_name(app)).html_safe
%ul
- - app[:authorizations].each do |authorization|
+ - app.scopes.each do |scope|
%li
- %b= t("api.openid_connect.scopes.#{authorization}.name")
- %p= t("api.openid_connect.scopes.#{authorization}.description")
+ %b= t("api.openid_connect.scopes.#{scope}.name")
+ %p= t("api.openid_connect.scopes.#{scope}.description")
- else
.well
- = t("api.openid_connect.user_applications.index.no_requirement", name: app[:name])
+ = t("api.openid_connect.user_applications.index.no_requirement", name: user_application_name(app)).html_safe
diff --git a/app/views/api/openid_connect/user_applications/index.html.haml b/app/views/api/openid_connect/user_applications/index.html.haml
index 07ebf6a24..ea2241b74 100644
--- a/app/views/api/openid_connect/user_applications/index.html.haml
+++ b/app/views/api/openid_connect/user_applications/index.html.haml
@@ -2,16 +2,12 @@
= t(".edit_applications")
.container-fluid.applications-page
- = render "shared/settings_nav"
- .container-fluid
- .row
- .col-lg-8.col-lg-offset-2
- %h3= t(".title")
- %p.visible-sm-block.visible-xs-block
- = t(".applications_explanation")
- .row
- .col-md-7
- = render "add_remove_applications"
- .col-md-5
- %p.hidden-sm.hidden-xs
- = t(".applications_explanation")
+ .row
+ .col-lg-10.col-lg-offset-1
+ = render "shared/settings_nav"
+ .row
+ .col-lg-8.col-lg-offset-2
+ %h3= t(".title")
+ .row
+ .col-md-12
+ = render "add_remove_applications"
diff --git a/app/views/api/openid_connect/user_applications/index.mobile.haml b/app/views/api/openid_connect/user_applications/index.mobile.haml
index da89efde1..9e75a012d 100644
--- a/app/views/api/openid_connect/user_applications/index.mobile.haml
+++ b/app/views/api/openid_connect/user_applications/index.mobile.haml
@@ -1,13 +1,9 @@
-.settings_container.applications-page
- - content_for :page_title do
- = t(".edit_applications")
-
- = render "shared/settings_nav"
-
- .container-fluid
- .row
- .col-md-12.applications-explanation
- = t(".applications_explanation")
- .col-md-12
- = render "add_remove_applications"
-
+.container-fluid.settings_container.applications-page
+ .row
+ .col-lg-10.col-lg-offset-1
+ - content_for :page_title do
+ = t(".edit_applications")
+ = render "shared/settings_nav"
+ .row
+ .col-md-12
+ = render "add_remove_applications"
diff --git a/config/locales/diaspora/en.yml b/config/locales/diaspora/en.yml
index 89095b5cf..3539d69fd 100644
--- a/config/locales/diaspora/en.yml
+++ b/config/locales/diaspora/en.yml
@@ -898,7 +898,6 @@ en:
title: "Authorized applications"
access: "%{name} has access to:"
no_requirement: "%{name} requires no permissions"
- applications_explanation: "Here is a list of applications you have authorized"
no_applications: "You have no authorized applications"
revoke_autorization: "Revoke"
scopes:
diff --git a/features/desktop/user_applications.feature b/features/desktop/user_applications.feature
index b1147ae1a..ac51b4d4c 100644
--- a/features/desktop/user_applications.feature
+++ b/features/desktop/user_applications.feature
@@ -21,3 +21,7 @@ Feature: managing authorized applications
Then I should see 1 authorized applications
And I revoke the first authorization
Then I should see 0 authorized applications
+
+ Scenario: XSS escaping
+ When An application manually registers
+ Then I should not see ""
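Review bot: The assertion on the last line is a negative visibility check whose expected text is empty as rendered here, so it passes on any page; even if the argument was a script tag lost in rendering, `I should not see` cannot tell escaped output from injected markup, because a script element the browser interprets is also not visible as text. Assert positively on the escaped client name instead, e.g. `Then I should see "<CLIENT_NAME_FROM_STEP>"` (placeholder for the value registered in the step), or have the step check `page.html` for the absence of an unescaped script element. The registering step in `features/step_definitions/user_applications_steps.rb` shows an empty `client_name` for the same reason, so the two should be kept in sync.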
diff --git a/features/step_definitions/user_applications_steps.rb b/features/step_definitions/user_applications_steps.rb
index 7cef79050..afbae1930 100644
--- a/features/step_definitions/user_applications_steps.rb
+++ b/features/step_definitions/user_applications_steps.rb
@@ -14,3 +14,9 @@ end
When /^I revoke the first authorization$/ do
find(".app-revoke", match: :first).click
end
+
+When /^An application manually registers$/ do
+ post api_openid_connect_authorizations_new_path, client_name: "",
+ redirect_uri: "http://example.org/", response_type: "id_token", scope: "openid",
+ state: 1234, display: "page", prompt: "none"
+end
diff --git a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
index 7527bacce..9c07d9177 100644
--- a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
+++ b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
@@ -130,6 +130,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
end
end
end
+
context "when already authorized" do
let!(:auth) {
Api::OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: alice,