Fix public pages#61
Merged
Merged
Conversation
…config with IUserConfig in public pages, remove unused userId in OsmAPIService, do not save map state in public pages Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
… is set, do not add vector styles when no key is set Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
There was a problem hiding this comment.
Pull request overview
This PR tightens behavior on public pages (no proxying, no user-config reads, no map-state persistence) and adjusts map rendering defaults and reference providers to work in public contexts while removing the bundled default MapTiler key.
Changes:
- Remove
userIdplumbing fromOsmAPIServicenominatim calls and update all call sites + integration tests. - Update MapLibre defaults/fallbacks for “no MapTiler key” scenarios and avoid saving last map state on public pages.
- Make all reference providers implement
IPublicReferenceProviderand adjust CSP/proxy behavior for public pages.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| tests/integration/OsmAPIServiceIntegrationTest.php | Updates integration tests for the new OsmAPIService method signatures. |
| src/lastMapStateHelper.js | Skips persisting map state when there is no logged-in user (public pages). |
| src/components/map/MaplibreMap.vue | Switches default style to osmRaster, adjusts style fallback logic when no key is set, conditionally enables terrain, and tweaks MapTiler logo proxying + request referrer policy. |
| lib/Service/OsmAPIService.php | Removes unused userId parameter from nominatim helper methods and request(). |
| lib/Search/OsmSearchLocationProvider.php | Updates nominatim search invocation for new service signature. |
| lib/Reference/OsmRouteReferenceProvider.php | Implements IPublicReferenceProvider and avoids user-config reads when user is null. |
| lib/Reference/OsmPointReferenceProvider.php | Implements IPublicReferenceProvider and updates geocode calls for new service signature. |
| lib/Reference/OsmLocationReferenceProvider.php | Implements IPublicReferenceProvider and updates lookup calls for new service signature. |
| lib/Reference/HereMapsReferenceProvider.php | Implements IPublicReferenceProvider and updates geocode calls for new service signature. |
| lib/Reference/GoogleMapsReferenceProvider.php | Implements IPublicReferenceProvider and updates geocode calls for new service signature. |
| lib/Reference/DuckduckgoReferenceProvider.php | Implements IPublicReferenceProvider and avoids user-config reads when user is null. |
| lib/Reference/BingReferenceProvider.php | Implements IPublicReferenceProvider and avoids user-config reads when user is null. |
| lib/Listener/OsmReferenceListener.php | Adjusts initial-state provisioning for public pages and removes default MapTiler key behavior. |
| lib/Listener/CSPListener.php | Disables proxying on public pages and updates CSP behavior accordingly. |
| lib/Controller/OsmAPIController.php | Updates nominatim search call for new service signature. |
| lib/AppInfo/Application.php | Removes the default MapTiler key constant. |
Comments suppressed due to low confidence (1)
lib/Listener/CSPListener.php:70
- The CSP image/connect allow-list doesn’t cover some domains that the frontend actually uses when
proxy_osmis off (and public pages now force non-proxy). In particular: (1) raster tiles are requested fromhttps://tile.openstreetmap.org/...but CSP only allowshttps://*.tile.openstreetmap.org(wildcards don’t match the bare host), and (2) thewaterColorraster style useshttps://tiles.stadiamaps.com/...but that domain isn’t allow-listed. Add explicit allow entries for these domains (image + connect as appropriate) so non-proxied styles work.
$policy
->addAllowedFrameDomain('https://www.openstreetmap.org')
->addAllowedImageDomain('https://*.tile.openstreetmap.org');
// we do not proxy on public pages
$proxyOsm = $this->userId === null
? false
: $this->appConfig->getValueString(Application::APP_ID, 'proxy_osm', Application::DEFAULT_PROXY_OSM_VALUE) === '1';
if (!$proxyOsm) {
$policy
->addAllowedConnectDomain('https://*.openstreetmap.org')
->addAllowedConnectDomain('https://server.arcgisonline.com')
->addAllowedConnectDomain('https://stamen-tiles.a.ssl.fastly.net')
->addAllowedConnectDomain('https://api.maptiler.com')
->addAllowedImageDomain('https://api.maptiler.com');
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.