authorLouise Crow <louise.crow@gmail.com>2013-08-21 14:01:22 +0100
committerLouise Crow <louise.crow@gmail.com>2013-09-16 12:42:19 +0100
commitd65804b7d8d2138b4570b26449321e1a9bb847fb (patch)
tree80984cf9acfebecfac859d82e410f98bfaa7975d
parentebee053ec8514f70f94309f306bf1e82050c4c33 (diff)
Remove hidden incoming messages from correspondence.txt
Adds a spec for what we want to see - no message text in correspondence.txt, and no attachments. Refactors the simple_correspondence templates to make it clearer that these are doing the same job as the html.erb ones, for text.
-rw-r--r--app/controllers/request_controller.rb3
-rw-r--r--app/views/comment/_single_comment.text.erb2
-rw-r--r--app/views/request/_hidden_correspondence.text.erb5
-rw-r--r--app/views/request/_incoming_correspondence.text.erb12
-rw-r--r--app/views/request/_outgoing_correspondence.text.erb6
-rw-r--r--app/views/request/_resent_outgoing_correspondence.text.erb2
-rw-r--r--app/views/request/show.text.erb17
-rw-r--r--app/views/request/simple_correspondence.html.erb45
-rw-r--r--spec/integration/download_request_spec.rb34
9 files changed, 80 insertions, 46 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 5ca7c431d..86ee4552d 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -892,6 +892,7 @@ class RequestController < ApplicationController
zipfile.get_output_stream(file_info[:filename]) { |f| f.puts(file_info[:data]) }
for message in @info_request.incoming_messages
+ next unless message.user_can_view?(authenticated_user)
attachments = message.get_attachments_for_display
for attachment in attachments
filename = "#{attachment.url_part_number}_#{attachment.display_filename}"
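Review bot: The new guard on the attachment loop checks `message.user_can_view?(authenticated_user)`, while the text partial added in this commit (`_incoming_correspondence.text.erb`) checks `incoming_message.user_can_view?(@user)`. If those two ever resolve to different users (neither definition is visible on this page), the zip could carry attachments for a message whose text is hidden, or the reverse. Using a single source for both, for example passing the viewing user to the partial as a local, would keep the two filters in step. The enclosing method starts and ends outside the hunk, so whether a previously built zip can be reused for a different viewer cannot be checked from here and is worth confirming.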
@@ -967,7 +968,7 @@ class RequestController < ApplicationController
end
if !done
file_info = { :filename => 'correspondence.txt',
- :data => render_to_string(:template => 'request/simple_correspondence.html.erb',
+ :data => render_to_string(:template => 'request/show.text.erb',
:layout => false) }
end
file_info
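Review bot: Only the `if !done` fallback is switched to `request/show.text.erb`; the code that sets `done` is outside the hunk, so it is not visible whether that other path also leaves out messages the viewer may not see. The new spec reads only `correspondence.txt`, so hidden content emitted by the other path would not be caught by it. It is worth confirming that path applies the same `user_can_view?` filter and adding a spec case for it.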
diff --git a/app/views/comment/_single_comment.text.erb b/app/views/comment/_single_comment.text.erb
new file mode 100644
index 000000000..925e8b688
--- /dev/null
+++ b/app/views/comment/_single_comment.text.erb
@@ -0,0 +1,2 @@
+<%= _("{{username}} left an annotation:", :username =>comment.user.name) %> (<%= simple_date(comment.created_at || Time.now) %>)
+<%= comment.body.strip %>
diff --git a/app/views/request/_hidden_correspondence.text.erb b/app/views/request/_hidden_correspondence.text.erb
new file mode 100644
index 000000000..010b6b66d
--- /dev/null
+++ b/app/views/request/_hidden_correspondence.text.erb
@@ -0,0 +1,5 @@
+<%- if !message.prominence_reason.blank? %>
+ <%= _('This message has been hidden.') %> <%= message.prominence_reason %>
+<%- else %>
+ <%= _("This message has been hidden. There are various reasons why we might have done this, sorry we can't be more specific here.") %>
+<%- end %>
diff --git a/app/views/request/_incoming_correspondence.text.erb b/app/views/request/_incoming_correspondence.text.erb
new file mode 100644
index 000000000..33ddad926
--- /dev/null
+++ b/app/views/request/_incoming_correspondence.text.erb
@@ -0,0 +1,12 @@
+<%- if not incoming_message.user_can_view?(@user) %>
+ <%= render :partial => 'request/hidden_correspondence.text', :locals => { :message => incoming_message }%>
+<%- else %>
+<%= _('From:') %><% if incoming_message.specific_from_name? %> <%= incoming_message.safe_mail_from %><% end %><% if incoming_message.from_public_body? %>, <%= @info_request.public_body.name %><% end %>
+<%= _('To:') %> <% if @info_request.user_name %><%= @info_request.user_name %><% else %><%= "[#{_('An anonymous user')}]"%><% end %>
+<%= _('Date:') %> <%= simple_date(incoming_message.sent_at) %>
+
+ <%= incoming_message.get_body_for_quoting %>
+ <% incoming_message.get_attachments_for_display.each do |a| %>
+<%= _('Attachment:') %> <%= a.display_filename %> (<%= a.display_size %>)
+ <% end %>
+<% end %>
diff --git a/app/views/request/_outgoing_correspondence.text.erb b/app/views/request/_outgoing_correspondence.text.erb
new file mode 100644
index 000000000..c3f2b935d
--- /dev/null
+++ b/app/views/request/_outgoing_correspondence.text.erb
@@ -0,0 +1,6 @@
+<%= _('From:') %> <% if @info_request.user_name %><%= @info_request.user_name %><% else %><%= "[#{_('An anonymous user')}]"%><% end %>
+<%= _('To:') %> <%= @info_request.public_body.name %>
+<%= _('Date:') %> <%= simple_date(info_request_event.created_at) %>
+<%- text = outgoing_message.body.strip
+ outgoing_message.remove_privacy_sensitive_things!(text) %>
+<%= text %>
diff --git a/app/views/request/_resent_outgoing_correspondence.text.erb b/app/views/request/_resent_outgoing_correspondence.text.erb
new file mode 100644
index 000000000..d645e9488
--- /dev/null
+++ b/app/views/request/_resent_outgoing_correspondence.text.erb
@@ -0,0 +1,2 @@
+<%= _('Date:') %> <%= simple_date(info_request_event.created_at) %>
+Sent <% if outgoing_message.message_type == 'initial_request' %> request <% elsif outgoing_message.message_type == 'followup' %> a follow up <% else %> <% raise "unknown message_type" %><% end %> to <%= public_body_link(@info_request.public_body) %> again<% if not info_request_event.same_email_as_previous_send? %>, using a new contact address<% end %>.
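Review bot: `public_body_link(@info_request.public_body)` on the `Sent …` line is carried over into a `.text.erb` template; if that helper returns an HTML anchor, as its name suggests (its definition is not on this page), the markup will appear literally in `correspondence.txt`. The outgoing partial in this commit prints `@info_request.public_body.name` for the same purpose, and `to <%= @info_request.public_body.name %> again` here would keep the file plain text. The `raise "unknown message_type"` in the `else` arm aborts the whole download for a single unexpected value, so a short comment saying that this is intended would help the next reader.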
diff --git a/app/views/request/show.text.erb b/app/views/request/show.text.erb
new file mode 100644
index 000000000..29ac2987f
--- /dev/null
+++ b/app/views/request/show.text.erb
@@ -0,0 +1,17 @@
+<%= _('This is a plain-text version of the Freedom of Information request "{{request_title}}". The latest, full version is available online at {{full_url}}', :request_title => @info_request.title, :full_url => "http://#{AlaveteliConfiguration::domain}#{show_request_path(:url_title=>@info_request.url_title)}") %>.
+
+<% @info_request_events.each do |info_request_event| %>
+ <% if info_request_event.visible %>
+ <% case info_request_event.event_type %>
+ <% when 'response' %>
+ <%= render :partial => 'request/incoming_correspondence.text', :locals => { :incoming_message => info_request_event.incoming_message } %>
+ <% when 'sent', 'followup_sent' %>
+ <%= render :partial => 'request/outgoing_correspondence.text', :locals => { :outgoing_message => info_request_event.outgoing_message, :info_request_event => info_request_event }%>
+ <% when 'resent', 'followup_resent' %>
+ <%= render :partial => 'request/resent_outgoing_correspondence.text', :locals => { outgoing_message => info_request_event.outgoing_message, :info_request_event => info_request_event }%>
+ <% when 'comment' %>
+ <%= render :partial => 'comment/single_comment.text', :locals => { :comment => info_request_event.comment } %>
+ <% end %>
+-------------------------------
+ <% end %>
+<% end %>
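Review bot: In the `'resent', 'followup_resent'` branch the locals hash is written `{ outgoing_message => info_request_event.outgoing_message, … }` with no colon before the first key, so Ruby evaluates `outgoing_message` as a local variable or method call instead of a symbol. Nothing visible in this template defines that name, so rendering a resent event would presumably raise a NameError and fail the whole download. The key should be `:outgoing_message => info_request_event.outgoing_message`, matching the `'sent', 'followup_sent'` branch above it. The new spec does not exercise a resent event, so a case that includes one would catch this.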
diff --git a/app/views/request/simple_correspondence.html.erb b/app/views/request/simple_correspondence.html.erb
deleted file mode 100644
index 461fa3912..000000000
--- a/app/views/request/simple_correspondence.html.erb
+++ /dev/null
@@ -1,45 +0,0 @@
-<%= _('This is a plain-text version of the Freedom of Information request "{{request_title}}". The latest, full version is available online at {{full_url}}', :request_title => @info_request.title, :full_url => "http://#{AlaveteliConfiguration::domain}#{show_request_path(:url_title=>@info_request.url_title)}") %>.
-
-<% for info_request_event in @info_request_events %>
-<%
- incoming_message = nil
- if info_request_event.visible
- if !info_request_event.nil? && info_request_event.event_type == 'response'
- incoming_message = info_request_event.incoming_message
- end
-
-
- if not incoming_message.nil?
- if !incoming_message.safe_mail_from.nil? && incoming_message.safe_mail_from.strip != @info_request.public_body.name.strip %>
-<%= _('From:') %> <%= incoming_message.safe_mail_from %><% end
- if incoming_message.safe_mail_from.nil? || (incoming_message.mail_from_domain == @info_request.public_body.request_email_domain) %>, <%= @info_request.public_body.name %><% end %>
-<%= _('To:') %> <% if @info_request.user_name %><%= @info_request.user_name %><% else %><%= "[#{_('An anonymous user')}]"%><% end %>
-<%= _('Date:') %> <%= simple_date(incoming_message.sent_at) %>
-
-<%= incoming_message.get_body_for_quoting %>
-<% incoming_message.get_attachments_for_display.each do |a| %>
- <%= _('Attachment:') %> <%= a.display_filename %> (<%= a.display_size %>)
- <% end %>
-<%
-elsif [ 'sent', 'followup_sent' ].include?(info_request_event.event_type)
- outgoing_message = info_request_event.outgoing_message
- %>
-<%= _('From:') %> <% if @info_request.user_name %><%= @info_request.user_name %><% else %><%= "[#{_('An anonymous user')}]"%><% end %>
-<%= _('To:') %> <%= @info_request.public_body.name %>
-<%= _('Date:') %> <%= simple_date(info_request_event.created_at) %>
-<%
- text = outgoing_message.body.strip
- outgoing_message.remove_privacy_sensitive_things!(text) %>
-
-<%= text %>
-<% elsif [ 'resent', 'followup_resent' ].include?(info_request_event.event_type) %>
-<%= _('Date:') %> <%= simple_date(info_request_event.created_at) %>
-Sent <% if info_request_event.outgoing_message.message_type == 'initial_request' %> request <% elsif info_request_event.outgoing_message.message_type == 'followup' %> a follow up <% else %> <% raise "unknown message_type" %><% end %> to <%= public_body_link(@info_request.public_body) %> again<% if not info_request_event.same_email_as_previous_send? %>, using a new contact address<% end %>.
-
-<% elsif info_request_event.event_type == 'comment'
- comment = info_request_event.comment
-%>
-<%= _("{{username}} left an annotation:", :username =>comment.user.name) %> (<%= simple_date(comment.created_at || Time.now) %>)
-<%= comment.body.strip %>
-<% end %>
--------------------------------<% end %><% end %>
diff --git a/spec/integration/download_request_spec.rb b/spec/integration/download_request_spec.rb
index 563efbf50..33e90d435 100644
--- a/spec/integration/download_request_spec.rb
+++ b/spec/integration/download_request_spec.rb
@@ -50,6 +50,40 @@ describe 'when making a zipfile available' do
end
end
+ context 'when an incoming message is made "requester_only"' do
+ it 'should not include the incoming message or attachments in a download of the entire request
+ by a non-request owner', :focus => true do
+
+ # Non-owner can download zip with incoming and attachments
+ non_owner = login(FactoryGirl.create(:user))
+ info_request = FactoryGirl.create(:info_request_with_incoming_attachments)
+ inspect_zip_download(non_owner, info_request) do |zip|
+ zip.count.should == 3
+ zip.read('correspondence.txt').should match('hereisthetext')
+ end
+
+ # Admin makes the incoming message requester only
+ admin = login(FactoryGirl.create(:admin_user))
+ post_data = {:incoming_message => {:prominence => 'requester_only',
+ :prominence_reason => 'boring'}}
+ admin.post_via_redirect "/en/admin/incoming/update/#{info_request.incoming_messages.first.id}", post_data
+ admin.response.should be_success
+
+ inspect_zip_download(non_owner, info_request) do |zip|
+ zip.count.should == 1
+ correspondence_text = zip.read('correspondence.txt')
+ correspondence_text.should_not match('hereisthetext')
+ expected_text = 'This message has been hidden. boring'
+ correspondence_text.should match(expected_text)
+ end
+
+ end
+
+ it 'should include the incoming message and attachments in a download of the entire request
+ by the owner'
+
+ end
+
it 'should successfully make a zipfile for an external request' do
info_request = info_requests(:external_request)