authorLouise Crow <louise.crow@gmail.com>2013-08-22 15:23:46 +0100
committerLouise Crow <louise.crow@gmail.com>2013-09-16 12:42:19 +0100
commitfd0c811cc4e01435ca89a419a521f6ac31a858b1 (patch)
tree477952cff8d4aec4e7ae8ca67d91f5ae0f64aeac /app
parentc954d92fe4f558a5f4375016ee6cf517d3ec5ddd (diff)
Restore the download for hidden requests
This was disabled for hidden requests because the download was served by redirect, which could conceivably let people who had not been authenticated access the download. We'll be moving to send_file instead, so the download can be restored.
Diffstat (limited to 'app')
-rw-r--r--app/controllers/request_controller.rb8
-rw-r--r--app/views/request/_after_actions.html.erb2
2 files changed, 4 insertions, 6 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 0180ad840..8b978cc01 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -868,10 +868,6 @@ class RequestController < ApplicationController
@locale = self.locale_from_params()
I18n.with_locale(@locale) do
@info_request = InfoRequest.find_by_url_title!(params[:url_title])
- # Test for whole request being hidden or requester-only
- if !@info_request.all_can_view?
- return render_hidden
- end
if authenticated?(
:web => _("To download the zip file"),
:email => _("Then you can download a zip file of {{info_request_title}}.",
@@ -879,6 +875,10 @@ class RequestController < ApplicationController
:email_subject => _("Log in to download a zip file of {{info_request_title}}",
:info_request_title=>@info_request.title)
)
+ # Test for whole request being hidden or requester-only
+ if !@info_request.user_can_view?(@user)
+ return render_hidden
+ end
@url_path = File.join("/download",
request_dirs(@info_request),
@info_request.last_update_hash,
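Review bot: The restored check `if !@info_request.user_can_view?(@user)` guards only this controller action, while the archive is still addressed through `@url_path = File.join("/download", request_dirs(@info_request), @info_request.last_update_hash, ...)`, so until the send_file change promised in the description lands a client that already holds that URL presumably still reaches the zip without passing through this method. That interim reliance on the `last_update_hash` path segment is worth recording beside the check, e.g. `# NOTE: gates only this action; the zip under @url_path is still served by redirect until the download moves to send_file`. The guard could also be written `return render_hidden unless @info_request.user_can_view?(@user)`, matching guard-clause style. The `if authenticated?(...)` block and the enclosing action continue outside the hunk.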
diff --git a/app/views/request/_after_actions.html.erb b/app/views/request/_after_actions.html.erb
index b54a8f5fb..f780e3a37 100644
--- a/app/views/request/_after_actions.html.erb
+++ b/app/views/request/_after_actions.html.erb
@@ -15,11 +15,9 @@
<%= link_to _('Update the status of this request'), '#describe_state_form_1' %>
</li>
<% end %>
- <% if @info_request.all_can_view? %>
<li>
<%= link_to _("Download a zip file of all correspondence"), download_entire_request_path(:url_title => @info_request.url_title) %>
</li>
- <% end %>
</ul>
</div>
<% if ! @info_request.is_external? %>