author | Robin Houston <robin.houston@gmail.com> | 2012-01-17 08:48:41 +0000 |
---|---|---|
committer | Robin Houston <robin.houston@gmail.com> | 2012-01-17 08:48:41 +0000 |
commit | e60d21cb129d1de487ebedd6b5e9efb22913130d (patch) | |
tree | aa1f987ff0d92b2d819f39d89afe2d3d6d821679 /app/controllers/request_controller.rb | |
parent | 9ab3cf355db5b8b6c558aea4744c2803fa658176 (diff) | |
parent | bae21e38242aac2c5843bae5ea5fe3b09408a4f9 (diff) |
Merge branch 'release/0.5' into develop
Diffstat (limited to 'app/controllers/request_controller.rb')
-rw-r--r-- | app/controllers/request_controller.rb | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index fbf862af3..8714f03cf 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -151,11 +151,14 @@ class RequestController < ApplicationController
 def list
 medium_cache
 @view = params[:view]
+ @page = get_search_page_from_params if !@page # used in cache case, as perform_search sets @page as side effect
+ if @view == "recent"
+ return redirect_to request_list_all_path(:action => "list", :view => "all", :page => @page), :status => :moved_permanently
+ end
 params[:latest_status] = @view
 query = make_query_from_params
 @title = _("View and search requests")
 sortby = "newest"
- @page = get_search_page_from_params if !@page # used in cache case, as perform_search sets @page as side effect
 behavior_cache :tag => [@view, @page] do
 xapian_object = perform_search([InfoRequestEvent], query, sortby, 'request_collapse')
 @list_results = xapian_object.results.map { |r| r[:model] }
@@ -601,10 +604,10 @@ class RequestController < ApplicationController
 before_filter :authenticate_attachment, :only => [ :get_attachment, :get_attachment_as_html ]
 def authenticate_attachment
- # Test for hidden
- if request.path =~ /\/$/
+ if request.path =~ /\/$/ || !(params[:part] =~ /^\d+$/)
 raise PermissionDenied.new("Directory listing not allowed")
 else
+ # Test for hidden
 incoming_message = IncomingMessage.find(params[:incoming_message_id])
 if !incoming_message.info_request.user_can_view?(authenticated_user)
 @info_request = incoming_message.info_request # used by view |
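Review bot: The `redirect_to` added under `if @view == "recent"` carries only `:page` into the new URL, so any other query-string parameters on a `recent` request are dropped; if `make_query_from_params` (not shown here) reads search filters from `params`, they should be forwarded too. Because the status is `:moved_permanently`, clients may cache the stripped URL. If the intent is to retire an old alias, a comment such as `# "recent" is now served by "all"; keep old links working` above the `if` would record that. The body of `list` continues past the hunk.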
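Review bot: The new check `params[:part] =~ /^\d+$/` in `authenticate_attachment` uses `^` and `$`, which in Ruby anchor at line boundaries rather than at the ends of the string, so a multi-line value containing one all-digit line still passes validation. Anchor the whole string instead: `if request.path =~ /\/\z/ || params[:part] !~ /\A\d+\z/`. The `PermissionDenied` message "Directory listing not allowed" is now also raised for a malformed `part`, so a separate message for that case would make logs easier to read. The method body continues past the end of the hunk, so how `params[:part]` is used afterwards is not visible here.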