author | Matthew Somerville <matthew@mysociety.org> | 2014-12-17 11:21:28 +0000 |
---|---|---|
committer | Matthew Somerville <matthew-github@dracos.co.uk> | 2014-12-17 12:15:03 +0000 |
commit | 00090170f96ae43f521ce29a3731859ca5f6738a (patch) | |
tree | e31c3d9125c13025771f03a317622ca0c4e6fe38 /perllib/FixMyStreet | |
parent | e57f715a4625507cf6720d22e676c606bcb56053 (diff) |
Version 1.5.2.v1.5.2
Includes:
* [UK] Don't show topic form field when reporting abuse.
* Use token in moderation response URL to prevent hidden report leak.
* Make sure successful submission page is full width.
Diffstat (limited to 'perllib/FixMyStreet')
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Contact.pm | 36 | ||||
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Moderate.pm | 7 | ||||
-rw-r--r-- | perllib/FixMyStreet/Cobrand/FixMyStreet.pm | 3 |
3 files changed, 22 insertions, 24 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Contact.pm b/perllib/FixMyStreet/App/Controller/Contact.pm
index 3ff824691..5a51c8494 100644
--- a/perllib/FixMyStreet/App/Controller/Contact.pm
+++ b/perllib/FixMyStreet/App/Controller/Contact.pm
@@ -59,33 +59,24 @@ generic contact request and set up things accordingly
 sub determine_contact_type : Private {
     my ( $self, $c ) = @_;
-    my $id = $c->req->param('id');
+    my $id = $c->req->param('id');
     my $update_id = $c->req->param('update_id');
+    my $token = $c->req->param('m');
     $id = undef unless $id && $id =~ /^[1-9]\d*$/;
     $update_id = undef unless $update_id && $update_id =~ /^[1-9]\d*$/;
-    if ($id) {
-
-        # if we're moderating, then we don't show errors in every case, e.g.
-        # for hidden reports
-        if ($c->req->param('m')) {
-            my $problem
-                = ( !$id || $id =~ m{\D} ) # is id non-numeric?
-                ? undef # ...don't even search
-                : $c->cobrand->problems->find( { id => $id } );
-
-            if ($problem) {
-                $c->stash->{problem} = $problem;
-                $c->stash->{moderation_complaint} = 1;
-            }
-            else {
-                $c->forward( '/report/load_problem_or_display_error', [ $id ] );
-            }
-        }
-        else {
+    if ($token) {
+        my $token_obj = $c->forward('/tokens/load_auth_token', [ $token, 'moderation' ]);
+        my $problem = $c->cobrand->problems->find( { id => $token_obj->data->{id} } );
+        if ($problem) {
+            $c->stash->{problem} = $problem;
+            $c->stash->{moderation_complaint} = $token;
+        } else {
             $c->forward( '/report/load_problem_or_display_error', [ $id ] );
         }
+    } elsif ($id) {
+        $c->forward( '/report/load_problem_or_display_error', [ $id ] );
         if ($update_id) {
             my $update = $c->model('DB::Comment')->find( { id => $update_id }
@@ -132,9 +123,8 @@ sub validate : Private {
     );
     push @errors, _('Illegal ID')
-        if $c->req->param('id') && $c->req->param('id') !~ /^[1-9]\d*$/
-        or $c->req->param('update_id')
-        && $c->req->param('update_id') !~ /^[1-9]\d*$/;
+        if $c->req->param('id') && !$c->stash->{problem}
+        or $c->req->param('update_id') && !$c->stash->{update};
     push @errors, _('There was a problem showing this page. Please try again later.')
         if $c->req->params->{message} && $c->req->params->{message} =~ /\[url=|<a/;
diff --git a/perllib/FixMyStreet/App/Controller/Moderate.pm b/perllib/FixMyStreet/App/Controller/Moderate.pm
index 9c10ae36a..ad293fbd7 100644
--- a/perllib/FixMyStreet/App/Controller/Moderate.pm
+++ b/perllib/FixMyStreet/App/Controller/Moderate.pm
@@ -105,6 +105,11 @@ sub report_moderate_audit : Private {
     my $sender = FixMyStreet->config('DO_NOT_REPLY_EMAIL');
     my $sender_name = _($cobrand->contact_name);
+    my $token = $c->model("DB::Token")->create({
+        scope => 'moderation',
+        data => { id => $problem->id }
+    });
+
     $c->send_email( 'problem-moderated.txt', {
         to => [ [ $user->email, $user->name ] ],
@@ -113,7 +118,7 @@ sub report_moderate_audit : Private {
         user => $user,
         problem => $problem,
         report_uri => $c->stash->{report_uri},
-        report_complain_uri => $c->stash->{cobrand_base} . '/contact?m=1&id=' . $problem->id,
+        report_complain_uri => $c->stash->{cobrand_base} . '/contact?m=' . $token->token,
     });
 }
diff --git a/perllib/FixMyStreet/Cobrand/FixMyStreet.pm b/perllib/FixMyStreet/Cobrand/FixMyStreet.pm
index 7a0f868d8..9001ca5f7 100644
--- a/perllib/FixMyStreet/Cobrand/FixMyStreet.pm
+++ b/perllib/FixMyStreet/Cobrand/FixMyStreet.pm
@@ -35,6 +35,9 @@ sub extra_contact_validation {
     my $self = shift;
     my $c = shift;
+    # Don't care about dest if reporting abuse
+    return () if $c->stash->{problem};
+
     my %errors;
     $c->stash->{dest} = $c->req->param('dest');
|
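Review bot: The rewritten `Illegal ID` condition in validate mixes `&&` with low-precedence `or` across two continuation lines of a postfix `if`; precedence makes it correct today, but the grouping is easy to misread and a later clause could silently change it. Parenthesising each side preserves behaviour while making the intent explicit: `if ( $c->req->param('id') && !$c->stash->{problem} )` / `or ( $c->req->param('update_id') && !$c->stash->{update} );`. Since the numeric-format regex was dropped here in favour of checking the stash, a comment such as `# determine_contact_type only stashes problem/update for ids it could load, so a missing entry means the id was bad or unloadable` would tell the next reader why the check changed shape. The surrounding validate sub starts and ends outside this hunk.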
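Review bot: The moderation token created in report_moderate_audit has no visible lifetime or single-use handling, so the `/contact?m=` link it backs keeps opening the complaint form for a report that may since have been hidden, for as long as the Token row exists; if DB::Token rows are not expired or purged elsewhere, consider recording when it should stop working or deleting it once the complaint has been filed. Whether the Token model carries any expiry column cannot be told from this hunk. A short comment on the `create` call would help, e.g. `# Proves the recipient got the moderation email and lets them reach the complaint form even if the report is now hidden, so keep scope and data minimal`. report_moderate_audit starts and ends outside this hunk.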
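Review bot: `$token->token` is concatenated straight into the query string on the `report_complain_uri` line, which is only safe if the token alphabet is URL-safe, and that cannot be confirmed from this hunk. Escaping it, e.g. `'/contact?m=' . uri_escape( $token->token )` via URI::Escape, removes the dependency on how tokens happen to be generated. Since the `&id=` parameter has been dropped, the contact form now identifies the report only through the token's stored id; a one-line comment at the URI saying so would stop someone reintroducing a bare `id=` later.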