author | Robin Houston <robin.houston@gmail.com> | 2012-06-03 17:30:25 +0100 |
---|---|---|
committer | Robin Houston <robin.houston@gmail.com> | 2012-06-03 17:30:25 +0100 |
commit | 28fac418f2bf4dd21f150054713f1b7fe410c67a (patch) | |
tree | b2dba9bdf262b981b9ce92fb6071f75bfe7bdaa4 | |
parent | 0806fcc7d477b45d158e8a152b1f927f395d3aa7 (diff) |
Prevent spiders from reporting requests
Make the "report request" button submit a POST rather than a GET
request. Also restrict this action to logged-in users.
Fixes #501.
-rw-r--r-- | app/controllers/request_controller.rb | 6 | ||||
-rw-r--r-- | app/views/request/_sidebar.rhtml | 2 | ||||
-rw-r--r-- | config/routes.rb | 8 |
3 files changed, 14 insertions, 2 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 4592b5ac2..bd2bfc974 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -656,6 +656,12 @@ class RequestController < ApplicationController
 def report_request
 info_request = InfoRequest.find_by_url_title(params[:url_title])
+ return if !authenticated?(
+ :web => _("To report this FOI request"),
+ :email => _("Then you can report the request '{{title}}'", :title => info_request.title),
+ :email_subject => _("Report an offensive or unsuitable request")
+ )
+
 if !info_request.attention_requested
 info_request.set_described_state('attention_requested')
 info_request.attention_requested = true # tells us if attention has ever been requested
diff --git a/app/views/request/_sidebar.rhtml b/app/views/request/_sidebar.rhtml
index bca142fa9..956b3988b 100644
--- a/app/views/request/_sidebar.rhtml
+++ b/app/views/request/_sidebar.rhtml
@@ -13,7 +13,7 @@
 <% else %>
 <p><%= _('Requests for personal information and vexatious requests are not considered valid for FOI purposes (<a href="/help/about">read more</a>).') %>
 <p><%= ('If you believe this request is not suitable, you can report it for attention by the site administrators') %></p>
- <%= link_to _("Report this request"), report_path, :class => "link_button_green" %>
+ <%= link_to _("Report this request"), report_path, :class => "link_button_green", :method => "POST" %>
 <% end %>
 <% end %>
 <h2><%= _("Act on what you've learnt") %></h2>
diff --git a/config/routes.rb b/config/routes.rb
index 0ba8139c2..c0d65042c 100644
--- a/config/routes.rb
+++ b/config/routes.rb
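Review bot: The added `:email` message dereferences `info_request.title` before anything has checked that `find_by_url_title` returned a record, so an anonymous visitor hitting `/request/<unknown>/report` now fails with a NoMethodError (a 500) while the login prompt is being built rather than with a not-found; the old code had the same nil assumption, but only further down, and the new gate moves it in front of authentication. A guard right after the lookup closes that, e.g. `raise ActiveRecord::RecordNotFound, "No request with url_title #{params[:url_title].inspect}" if info_request.nil?` (or whatever idiom this controller already uses for missing requests). Separately, since the route is deliberately left GET-reachable in this same commit, the `authenticated?` gate only stops anonymous crawlers: a logged-in user can still be made to flag a request through any crafted GET link, so unless the post-login redirect genuinely requires GET, consider also refusing non-POST requests at this point. The body of `report_request` continues past the end of the hunk.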
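Review bot: `:method => "POST"` passes the HTTP method as a string where Rails' `link_to` conventionally takes the symbol `:post`; as far as I recall, Rails 2's helper compares against the symbol `:post` to decide whether to emit a `_method` override field, so the string form presumably adds a redundant `_method=POST` hidden input to the generated form, harmless but untidy. The conventional line is `<%= link_to _("Report this request"), report_path, :class => "link_button_green", :method => :post %>`. Worth noting in a comment next to it that the POST is built client-side by JavaScript, so with scripting disabled the link degrades to a plain GET of an action that (per routes.rb in this commit) still accepts GET; the view change alone therefore does not make the state change POST-only.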
@@ -66,7 +66,13 @@ ActionController::Routing::Routes.draw do |map|
 request.upload_response "/upload/request/:url_title", :action => 'upload_response'
 request.download_entire_request '/request/:url_title/download', :action => 'download_entire_request'
- request.report '/request/:url_title/report', :action => 'report_request'
+
+ # It would be nice to add :conditions => { :method => :post } to this next one,
+ # because it ought not really to be available as a GET request since it changes
+ # the server state. Unfortunately this doesn’t play well with the PostRedirect
+ # mechanism, which assumes all post-login actions are available via GET, so we
+ # refrain.
+ request.report '/request/:url_title/report', :action => 'report_request'
 end
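Review bot: The new comment explains why the POST condition is omitted but not what that leaves open: the action stays reachable by GET, so any logged-in user can be induced to change server state (flagging a request) by following a crafted link or loading an image, with the sidebar's POST link as the only mitigation. I would extend the comment so the trade-off is visible to the next maintainer, e.g. `# NOTE: consequently report_request is still triggerable by a plain GET from a logged-in browser; the sidebar's :method => :post link is the only guard, so the controller should reject non-POST unless the request is the PostRedirect replay.` As a style point, the typographic apostrophe in `doesn’t` makes this a non-ASCII source file; under Ruby 1.9 that fails to parse without a magic encoding comment, so a plain `'` is safer.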