author | Matthew Landauer <matthew@openaustralia.org> | 2013-03-22 14:50:01 +1100 |
---|---|---|
committer | Matthew Landauer <matthew@openaustralia.org> | 2013-03-22 14:50:01 +1100 |
commit | 661ad52ef88de7afcbd7820d8283057764f4d1ac (patch) | |
tree | dcaebe1fd1020c10c74d55261e6312e49a2a2104 | |
parent | adac483b0f8133c8d9623dba24b6c52f1cc0f8a9 (diff) |
Only allow posts for reporting request. Don't try redirection when not logged in
-rw-r--r-- | app/controllers/request_controller.rb | 14 | ||||
-rw-r--r-- | config/routes.rb | 8 | ||||
-rw-r--r-- | spec/controllers/request_controller_spec.rb | 7 |
3 files changed, 10 insertions, 19 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index a018d76c9..e12c408ea 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -682,19 +682,15 @@ class RequestController < ApplicationController
 def report_request
 info_request = InfoRequest.find_by_url_title!(params[:url_title])
- return if !authenticated?(
- :web => _("To report this FOI request"),
- :email => _("Then you can report the request '{{title}}'", :title => info_request.title),
- :email_subject => _("Report an offensive or unsuitable request")
- )
-
- if !info_request.attention_requested
+ if !authenticated_user
+ flash[:notice] = _("You need to be logged in to report a request for administrator attention")
+ elsif info_request.attention_requested
+ flash[:notice] = _("This request has already been reported for administrator attention")
+ else
 info_request.set_described_state('attention_requested', @user, "Reason: #{params[:reason]}\n\n#{params[:message]}")
 info_request.attention_requested = true # tells us if attention has ever been requested
 info_request.save!
 flash[:notice] = _("This request has been reported for administrator attention")
- else
- flash[:notice] = _("This request has already been reported for administrator attention")
 end
 redirect_to request_url(info_request)
 end
diff --git a/config/routes.rb b/config/routes.rb
index 60e33b3cf..4869990e3 100644
--- a/config/routes.rb
+++ b/config/routes.rb
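Review bot: The new `if !authenticated_user` branch only sets a flash and then falls through to `redirect_to request_url(info_request)`, so an anonymous user who submits the report form lands back on the request page with no sign-in path; the removed `authenticated?` call supplied that round trip via PostRedirect. If the sign-in detour is deliberately dropped for this POST-only action, the flash text should at least tell the user to sign in and resubmit, otherwise the branch could redirect to the user sign-in action (the removed spec shows `:controller => 'user', :action => 'signin'` exists) and `return` — hedged, since the sign-in helpers are outside this hunk. Because the action now mutates state on a plain POST, it depends on CSRF protection being enabled in ApplicationController, which is not visible here and is worth confirming; likewise that `@user` is guaranteed to be set whenever `authenticated_user` is truthy, since the `else` branch passes `@user` to `set_described_state`. Stylistically `unless authenticated_user` reads better than `if !authenticated_user`.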
@@ -59,14 +59,8 @@ Alaveteli::Application.routes.draw do
 match '/upload/request/:url_title' => 'request#upload_response', :as => :upload_response
 match '/request/:url_title/download' => 'request#download_entire_request', :as => :download_entire_request
- # It would be nice to add :conditions => { :method => :post } to this next one,
- # because it ought not really to be available as a GET request since it changes
- # the server state. Unfortunately this doesn’t play well with the PostRedirect
- # mechanism, which assumes all post-login actions are available via GET, so we
- # refrain.
- match '/request/:url_title/report' => 'request#report_request', :as => :report
+ match '/request/:url_title/report' => 'request#report_request', :as => :report, :via => :post
 match '/request/:url_title/report/new' => 'request#new_report_request', :as => :new_report_request
-
 ####
 #### User controller
diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
index d73fb89c7..260fbb9fa 100644
--- a/spec/controllers/request_controller_spec.rb
+++ b/spec/controllers/request_controller_spec.rb
@@ -2294,9 +2294,10 @@ end
 describe RequestController, "when reporting a request when not logged in" do
 it "should only allow logged-in users to report requests" do
- get :report_request, :url_title => info_requests(:badger_request).url_title
- post_redirect = PostRedirect.get_last_post_redirect
- response.should redirect_to(:controller => 'user', :action => 'signin', :token => post_redirect.token)
+ post :report_request, :url_title => info_requests(:badger_request).url_title
+
+ flash[:notice].should =~ /You need to be logged in/
+ response.should redirect_to show_request_path(:url_title => info_requests(:badger_request).url_title)
 end
 end
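Review bot: The removed comment was the only record of why `/request/:url_title/report` tolerated GET, and the new `match` line leaves no note of why it is now POST-only, so the next reader may be tempted to loosen it again; a one-line comment such as `# POST only: reporting changes server state and no longer relies on PostRedirect` above the new `match` would preserve that reasoning. `:via => :post` is the correct restriction for a state-changing action, and `new_report_request` staying on GET is fine if it only renders the form, which cannot be confirmed from this hunk. The enclosing `Alaveteli::Application.routes.draw` block continues outside the hunk.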
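Review bot: The rewritten example asserts the flash and the redirect but never checks that the report was actually refused, so a regression that sets the notice yet still marks the request would pass; add `info_requests(:badger_request).reload.attention_requested.should == false` after the redirect assertion, assuming the badger fixture starts unreported. Since config/routes.rb now restricts the action to POST, a second example asserting that a GET to `report_request` is rejected would pin that change and document the intended contract. The `describe` block opens inside the hunk, but the surrounding examples in the file are not visible here.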