From 00090170f96ae43f521ce29a3731859ca5f6738a Mon Sep 17 00:00:00 2001
From: Matthew Somerville <matthew@mysociety.org>
Date: Wed, 17 Dec 2014 11:21:28 +0000
Subject: Version 1.5.2.

Includes:
* [UK] Don't show topic form field when reporting abuse.
* Use token in moderation response URL to prevent hidden report leak.
* Make sure successful submission page is full width.
---
 README.md                                      |  8 +++++-
 bin/site-specific-install.sh                   |  2 +-
 perllib/FixMyStreet/App/Controller/Contact.pm  | 36 ++++++++++----------------
 perllib/FixMyStreet/App/Controller/Moderate.pm |  7 ++++-
 perllib/FixMyStreet/Cobrand/FixMyStreet.pm     |  3 +++
 t/app/controller/moderate.t                    | 12 +++++++++
 templates/web/base/contact/index.html          |  1 +
 templates/web/base/contact/submit.html         |  2 +-
 templates/web/base/report/_main.html           | 30 ++++++++-------------
 templates/web/fixmystreet.com/contact/who.html |  6 +++--
 templates/web/fixmystreet/contact/index.html   |  1 +
 11 files changed, 60 insertions(+), 48 deletions(-)

diff --git a/README.md b/README.md
index 50e89584c..6e6a92c9c 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ RSS alerts of problems in their area.
 
 It was created in 2007 by [mySociety](https://www.mysociety.org/) for reporting
 problems to UK councils and has been copied around the world. The FixMyStreet
-Platform is now at version 1.5.1.
+Platform is now at version 1.5.2.
 
 ## Installation
 
@@ -38,6 +38,12 @@ We've extracted all of the mobile apps from this repository into the
 
 ## Releases
 
+* v1.5.2 (17th December 2014)
+    - Hide unneeded heading on default footer.
+    - Suppress 'Argument "" isn't numeric' warning on admin report edit page.
+    - [UK] Don't show topic form field when reporting abuse.
+    - Use token in moderation response URL to prevent hidden report leak.
+
 * v1.5.1 (12th December 2014)
     - Bugfixes
         - Use correct cobrand signature in SendReport emails. #960
diff --git a/bin/site-specific-install.sh b/bin/site-specific-install.sh
index 774f90b15..3d01be469 100644
--- a/bin/site-specific-install.sh
+++ b/bin/site-specific-install.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # Set this to the version we want to check out
-VERSION=${VERSION_OVERRIDE:-v1.5.1}
+VERSION=${VERSION_OVERRIDE:-v1.5.2}
 
 PARENT_SCRIPT_URL=https://github.com/mysociety/commonlib/blob/master/bin/install-site.sh
 
diff --git a/perllib/FixMyStreet/App/Controller/Contact.pm b/perllib/FixMyStreet/App/Controller/Contact.pm
index 3ff824691..5a51c8494 100644
--- a/perllib/FixMyStreet/App/Controller/Contact.pm
+++ b/perllib/FixMyStreet/App/Controller/Contact.pm
@@ -59,33 +59,24 @@ generic contact request and set up things accordingly
 sub determine_contact_type : Private {
     my ( $self, $c ) = @_;
 
-    my $id        = $c->req->param('id');
+    my $id = $c->req->param('id');
     my $update_id = $c->req->param('update_id');
+    my $token = $c->req->param('m');
     $id        = undef unless $id        && $id        =~ /^[1-9]\d*$/;
     $update_id = undef unless $update_id && $update_id =~ /^[1-9]\d*$/;
 
-    if ($id) {
-
-        # if we're moderating, then we don't show errors in every case, e.g.
-        # for hidden reports
-        if ($c->req->param('m')) {
-            my $problem
-            = ( !$id || $id =~ m{\D} ) # is id non-numeric?
-            ? undef                    # ...don't even search
-            : $c->cobrand->problems->find( { id => $id } );
-
-            if ($problem) {
-                $c->stash->{problem} = $problem;
-                $c->stash->{moderation_complaint} = 1;
-            }
-            else {
-                $c->forward( '/report/load_problem_or_display_error', [ $id ] );
-            }
-        }
-        else {
+    if ($token) {
+        my $token_obj = $c->forward('/tokens/load_auth_token', [ $token, 'moderation' ]);
+        my $problem = $c->cobrand->problems->find( { id => $token_obj->data->{id} } );
+        if ($problem) {
+            $c->stash->{problem} = $problem;
+            $c->stash->{moderation_complaint} = $token;
+        } else {
             $c->forward( '/report/load_problem_or_display_error', [ $id ] );
         }
 
+    } elsif ($id) {
+        $c->forward( '/report/load_problem_or_display_error', [ $id ] );
         if ($update_id) {
             my $update = $c->model('DB::Comment')->find(
                 { id => $update_id }
@@ -132,9 +123,8 @@ sub validate : Private {
     );
 
     push @errors, _('Illegal ID')
-      if $c->req->param('id') && $c->req->param('id') !~ /^[1-9]\d*$/
-          or $c->req->param('update_id')
-          && $c->req->param('update_id') !~ /^[1-9]\d*$/;
+      if $c->req->param('id') && !$c->stash->{problem}
+          or $c->req->param('update_id') && !$c->stash->{update};
 
     push @errors, _('There was a problem showing this page. Please try again later.')
       if $c->req->params->{message} && $c->req->params->{message} =~ /\[url=|<a/;
diff --git a/perllib/FixMyStreet/App/Controller/Moderate.pm b/perllib/FixMyStreet/App/Controller/Moderate.pm
index 9c10ae36a..ad293fbd7 100644
--- a/perllib/FixMyStreet/App/Controller/Moderate.pm
+++ b/perllib/FixMyStreet/App/Controller/Moderate.pm
@@ -105,6 +105,11 @@ sub report_moderate_audit : Private {
     my $sender = FixMyStreet->config('DO_NOT_REPLY_EMAIL');
     my $sender_name = _($cobrand->contact_name);
 
+    my $token = $c->model("DB::Token")->create({
+        scope => 'moderation',
+        data => { id => $problem->id }
+    });
+
     $c->send_email( 'problem-moderated.txt', {
 
         to      => [ [ $user->email, $user->name ] ],
@@ -113,7 +118,7 @@ sub report_moderate_audit : Private {
         user => $user,
         problem => $problem,
         report_uri => $c->stash->{report_uri},
-        report_complain_uri => $c->stash->{cobrand_base} . '/contact?m=1&id=' . $problem->id,
+        report_complain_uri => $c->stash->{cobrand_base} . '/contact?m=' . $token->token,
     });
 }
 
diff --git a/perllib/FixMyStreet/Cobrand/FixMyStreet.pm b/perllib/FixMyStreet/Cobrand/FixMyStreet.pm
index 7a0f868d8..9001ca5f7 100644
--- a/perllib/FixMyStreet/Cobrand/FixMyStreet.pm
+++ b/perllib/FixMyStreet/Cobrand/FixMyStreet.pm
@@ -35,6 +35,9 @@ sub extra_contact_validation {
     my $self = shift;
     my $c = shift;
 
+    # Don't care about dest if reporting abuse
+    return () if $c->stash->{problem};
+
     my %errors;
 
     $c->stash->{dest} = $c->req->param('dest');
diff --git a/t/app/controller/moderate.t b/t/app/controller/moderate.t
index 84e8670b7..cd4c742bb 100644
--- a/t/app/controller/moderate.t
+++ b/t/app/controller/moderate.t
@@ -68,6 +68,9 @@ subtest 'Auth' => sub {
 
         $mech->get_ok($REPORT_URL);
         $mech->content_lacks('Moderat');
+
+        $mech->get_ok('/contact?m=1&id=' . $report->id);
+        $mech->content_lacks('Good bad bad bad');
     };
 
     subtest 'Affiliated and permissioned user can see moderation' => sub {
@@ -158,6 +161,8 @@ subtest 'Problem moderation' => sub {
     };
 
     subtest 'Hide report' => sub {
+        $mech->clear_emails_ok;
+
         my $resp = $mech->post('/moderate/report/' . $report->id, {
             %problem_prepopulated,
             problem_hide => 1,
@@ -167,6 +172,13 @@ subtest 'Problem moderation' => sub {
         $report->discard_changes;
         is $report->state, 'hidden', 'Is hidden';
 
+        my $email = $mech->get_email;
+        my ($url) = $email->body =~ m{(http://\S+)};
+        ok $url, "extracted complain url '$url'";
+
+        $mech->get_ok($url);
+        $mech->content_contains('Good bad bad bad');
+
         # reset
         $report->update({ state => 'confirmed' });
     };
diff --git a/templates/web/base/contact/index.html b/templates/web/base/contact/index.html
index 439091f88..228a77def 100644
--- a/templates/web/base/contact/index.html
+++ b/templates/web/base/contact/index.html
@@ -35,6 +35,7 @@
 [% ELSIF problem %]
     <p>
     [% IF moderation_complaint %]
+    <input type="hidden" name="m" value="[% moderation_complaint %]">
     [% loc('You are complaining that this problem report was unnecessarily moderated:') %]
     [% ELSE %]
     [% loc('You are reporting the following problem report for being abusive, containing personal information, or similar:') %]
diff --git a/templates/web/base/contact/submit.html b/templates/web/base/contact/submit.html
index 3845e9210..fc416c2d7 100644
--- a/templates/web/base/contact/submit.html
+++ b/templates/web/base/contact/submit.html
@@ -1,4 +1,4 @@
-[% INCLUDE 'header.html', title = loc('Contact Us') %]
+[% INCLUDE 'header.html', title = loc('Contact Us'), bodyclass = 'fullwidthpage' %]
 
 <h1>[% loc('Contact the team') %]</h1>
  
diff --git a/templates/web/base/report/_main.html b/templates/web/base/report/_main.html
index 6ae96f97c..00b0188af 100644
--- a/templates/web/base/report/_main.html
+++ b/templates/web/base/report/_main.html
@@ -66,28 +66,20 @@
     </em></p>
     [% INCLUDE 'report/_support.html' %]
 
-    [% IF c.cobrand.moniker != 'southampton' %]
-        [% INCLUDE 'report/photo.html' object=problem %]
-    [% END %]
+    [% INCLUDE 'report/photo.html' object=problem %]
+    <div class="moderate-display">
+        [% add_links( problem.detail ) | html_para %]
+    </div>
 
-        <div class="moderate-display">
-            [% add_links( problem.detail ) | html_para %]
-        </div>
-        [% IF moderating %]
-            <div class="moderate-edit">
-            [% IF problem.detail != original.detail %]
-            <input type="checkbox" name="problem_revert_detail" class="revert-textarea">
-            <label for="problem_revert_detail">Revert to original text</label>
-            [% END %]
-            <textarea name="problem_detail">[% add_links( problem.detail ) %]</textarea>
-            </div>
+    [% IF moderating %]
+        <div class="moderate-edit">
+        [% IF problem.detail != original.detail %]
+        <input type="checkbox" name="problem_revert_detail" class="revert-textarea">
+        <label for="problem_revert_detail">Revert to original text</label>
         [% END %]
+        <textarea name="problem_detail">[% add_links( problem.detail ) %]</textarea>
+        </div>
 
-    [% IF c.cobrand.moniker == 'southampton' %]
-        [% INCLUDE 'report/photo.html' object=problem %]
-    [% END %]
-
-  [% IF moderating %]
         <div class="moderate-edit">
             <label for="moderation_reason">Moderation reason:</label>
             <input type="text" name="moderation_reason" placeholder="Describe why you are moderating this">
diff --git a/templates/web/fixmystreet.com/contact/who.html b/templates/web/fixmystreet.com/contact/who.html
index 7084c17dc..cdfc4eff8 100644
--- a/templates/web/fixmystreet.com/contact/who.html
+++ b/templates/web/fixmystreet.com/contact/who.html
@@ -1,3 +1,4 @@
+[% IF NOT problem %]
 <h4>Topic:</h4>
 
 [% IF field_errors.dest %]
@@ -55,8 +56,8 @@
 </div>
 
 <div class="checkbox-group">
-    <input name="dest" id="dest_feeback" type="radio" value="feeback" class="required"[% IF dest AND dest == 'feeback' %] checked[% END %]>
-    <label class="inline" for="dest_feeback">I have feedback about the site</label>
+    <input name="dest" id="dest_feedback" type="radio" value="feedback" class="required"[% IF dest AND dest == 'feedback' %] checked[% END %]>
+    <label class="inline" for="dest_feedback">I have feedback about the site</label>
 </div>
 
 <div class="checkbox-group">
@@ -73,3 +74,4 @@
     <input name="dest" id="dest_update" type="radio" value="update"[% IF dest AND dest == 'update' %] checked[% END %]>
     <label class="inline" for="dest_update">My street problem hasn't been fixed</label>
 </div>
+[% END %]
diff --git a/templates/web/fixmystreet/contact/index.html b/templates/web/fixmystreet/contact/index.html
index 2d145ce09..92f2451ef 100644
--- a/templates/web/fixmystreet/contact/index.html
+++ b/templates/web/fixmystreet/contact/index.html
@@ -50,6 +50,7 @@
         [% ELSIF problem %]
             <p>
             [% IF moderation_complaint %]
+            <input type="hidden" name="m" value="[% moderation_complaint %]">
             [% loc('You are complaining that this problem report was unnecessarily moderated:') %]
             [% ELSE %]
             [% loc('You are reporting the following problem report for being abusive, containing personal information, or similar:') %]
-- 
cgit v1.2.3