-rw-r--r-- | app/controllers/admin_controller.rb | 9 | ||||
-rw-r--r-- | app/controllers/comment_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/request_controller.rb | 3 | ||||
-rw-r--r-- | app/controllers/track_controller.rb | 8 | ||||
-rw-r--r-- | app/controllers/user_controller.rb | 35 |
5 files changed, 34 insertions, 22 deletions
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 76b4f66e7..004d460c5 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -13,15 +13,16 @@ class AdminController < ApplicationController
     before_filter :assign_http_auth_user
     protect_from_forgery # See ActionController::RequestForgeryProtection for details
+    # action to take if expecting an authenticity token and one isn't received
+    def handle_unverified_request
+        raise(ActionController::InvalidAuthenticityToken)
+    end
+
     # Always give full stack trace for admin interface
     def local_request?
         true
     end
-    def handle_unverified_request
-        raise(ActionController::InvalidAuthenticityToken)
-    end
-
     # Expire cached attachment files for a request
     def expire_for_request(info_request)
         # Clear out cached entries, by removing files from disk (the built in
diff --git a/app/controllers/comment_controller.rb b/app/controllers/comment_controller.rb
index d5f8f89fb..4a0661f34 100644
--- a/app/controllers/comment_controller.rb
+++ b/app/controllers/comment_controller.rb
@@ -8,6 +8,7 @@ class CommentController < ApplicationController
     before_filter :check_read_only, :only => [ :new ]
+    protect_from_forgery :only => [ :new ]
     def new
         if params[:type] == 'request'
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 545a40cfe..36fbc2b11 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
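Review bot: The new comment on `handle_unverified_request` understates when it runs: protect_from_forgery calls it whenever verification fails, i.e. when the token is absent or when it does not match, and the override raises in both cases. A more precise line is `# Called when the authenticity token is missing or does not match; raise so a failed CSRF check on the admin interface is loud rather than silently handled.` Only AdminController defines this override, while the other controllers in this commit rely on whatever the framework does by default on a failed check, so it may be worth hoisting it to ApplicationController, or saying in the comment why admin is the one place that fails with an exception.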
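Review bot: `protect_from_forgery :only => [ :new ]` makes CSRF protection opt-in per action, so any action later added to CommentController (and likewise to RequestController and UserController, which use the same `:only` pattern further down this diff) starts out unprotected unless someone remembers to extend the list. Enabling `protect_from_forgery` unconditionally in ApplicationController and exempting specific actions with `:except` inverts that default, and also removes duplicated action lists such as the one RequestController now has to keep in sync between `before_filter :check_read_only` and `protect_from_forgery`. If the per-action scoping is intentional (for example because some actions are re-submitted through PostRedirect without a fresh token, as `do_post_redirect` in user_controller.rb suggests), a comment next to each `:only` saying so would stop the next reader from widening or narrowing it by accident. The `new` action continues past the end of the hunk.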
@@ -7,7 +7,8 @@ # $Id: request_controller.rb,v 1.192 2009-10-19 19:26:40 francis Exp $
 class RequestController < ApplicationController
-    before_filter :check_read_only, :only => [ :new, :show_response, :describe_state ]
+    before_filter :check_read_only, :only => [ :new, :show_response, :describe_state, :upload_response ]
+    protect_from_forgery :only => [ :new, :show_response, :describe_state, :upload_response ] # See ActionController::RequestForgeryProtection for details
     def show
         # Look up by old style numeric identifiers
diff --git a/app/controllers/track_controller.rb b/app/controllers/track_controller.rb
index 89fc74706..e262db099 100644
--- a/app/controllers/track_controller.rb
+++ b/app/controllers/track_controller.rb
@@ -9,6 +9,8 @@ class TrackController < ApplicationController
+    protect_from_forgery # See ActionController::RequestForgeryProtection for details
+
     # Track all updates to a particular request
     def track_request
         @info_request = InfoRequest.find_by_url_title(params[:url_title])
@@ -106,7 +108,7 @@ class TrackController < ApplicationController
             flash[:notice] = "You will now be emailed updates about " + @track_thing.params[:list_description]
             return true
-        end
+        end
     # Old-Style atom track. We're phasing this out, so for now issue a
     # 301 Redirect. Most aggregators should honour this, but we should
@@ -122,7 +124,7 @@ class TrackController < ApplicationController
     end
     def atom_feed_internal
-        @xapian_object = perform_search([InfoRequestEvent], @track_thing.track_query, @track_thing.params[:feed_sortby], nil, 25, 1)
+        @xapian_object = perform_search([InfoRequestEvent], @track_thing.track_query, @track_thing.params[:feed_sortby], nil, 25, 1)
         respond_to do |format|
             format.atom { render :template => 'track/atom_feed' }
             format.json { render :json => @xapian_object.results.map { |r| r[:model].json_for_api(true,
@@ -187,4 +189,4 @@ class TrackController < ApplicationController
     end
-
+
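Review bot: The controller-wide `protect_from_forgery` added at the top of TrackController only verifies non-GET requests, so it protects the track actions only to the extent that they change state on POST; if `track_request` or its siblings create a track from a plain GET link (their bodies are not visible in this hunk), this change does not affect them and they would need to be reached via POST to benefit. A short comment after the call, such as `# Token is checked on non-GET requests only; state-changing track actions must be reached via POST`, would make that dependency explicit. The remaining hunks in this file are whitespace-only.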
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 87152b7ca..49e46b6fa 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -7,10 +7,17 @@ # $Id: user_controller.rb,v 1.71 2009-09-17 07:51:47 francis Exp $
 class UserController < ApplicationController
+
+    protect_from_forgery :only => [ :contact,
+                                    :set_profile_photo,
+                                    :signchangeemail,
+                                    :clear_profile_photo,
+                                    :set_profile_about_me ] # See ActionController::RequestForgeryProtection for details
+
     # Show page about a user
     def show
         if MySociety::Format.simplify_url_part(params[:url_name], 'user', 32) != params[:url_name]
-            redirect_to :url_name => MySociety::Format.simplify_url_part(params[:url_name], 'user', 32), :status => :moved_permanently
+            redirect_to :url_name => MySociety::Format.simplify_url_part(params[:url_name], 'user', 32), :status => :moved_permanently
             return
         end
@@ -29,8 +36,8 @@ class UserController < ApplicationController
         @xapian_comments = perform_search([InfoRequestEvent], 'commented_by:' + @display_user.url_name, 'newest', nil)
         if (@page > 1)
-            @page_desc = " (page " + @page.to_s + ")"
-        else
+            @page_desc = " (page " + @page.to_s + ")"
+        else
             @page_desc = ""
         end
     rescue
@@ -50,7 +57,7 @@ class UserController < ApplicationController
         # Requests you need to describe
         if @is_you
-            @undescribed_requests = @display_user.get_undescribed_requests
+            @undescribed_requests = @display_user.get_undescribed_requests
         end
         respond_to do |format|
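Review bot: The `:only` list in this hunk leaves out the credential-handling actions whose bodies appear later in this diff: the one that reads `params[:user_signin]` and calls `User.authenticate_from_form`, and the one that saves `@user_signup` (presumably `:signin` and `:signup`, given `signin_url` and the instance variable names). Both accept a submitted form, so they are not covered by the authenticity check this commit introduces; if that is deliberate because the PostRedirect flow (`do_post_redirect`) re-submits those forms without a token, the list should carry a comment such as `# signin/signup are excluded: PostRedirect replays them without a token`, otherwise they belong in the list. The lines below the list in this hunk are whitespace-only changes to `show`, which continues past the end of the hunk.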
@@ -81,16 +88,16 @@ class UserController < ApplicationController
             redirect_to signin_url(:r => params[:r], :again => nil)
             return
         end
-
-        if not params[:user_signin]
+
+        if not params[:user_signin]
             # First time page is shown
-            render :action => 'sign'
+            render :action => 'sign'
             return
         else
             @user_signin = User.authenticate_from_form(params[:user_signin], @post_redirect.reason_params[:user_name] ? true : false)
             if @user_signin.errors.size > 0
                 # Failed to authenticate
-                render :action => 'sign'
+                render :action => 'sign'
                 return
             else
                 # Successful login
@@ -121,7 +128,7 @@ class UserController < ApplicationController
             if user_alreadyexists
                 already_registered_mail user_alreadyexists
                 return
-            else
+            else
                 # New unconfirmed user
                 @user_signup.email_confirmed = false
                 @user_signup.save!
@@ -224,7 +231,7 @@ class UserController < ApplicationController
             if params[:pretoken] and not params[:pretoken].empty?
                 post_redirect = PostRedirect.find_by_token(params[:pretoken])
                 do_post_redirect post_redirect
-            else
+            else
                 redirect_to user_url(@user)
             end
         end
@@ -338,7 +345,7 @@ class UserController < ApplicationController
                 { :message => "" + @recipient_user.name + ",\n\n\n\nYours,\n\n" + @user.name } )
         end
-
+
     end
     # River of News: What's happening with your tracked things
@@ -388,11 +395,11 @@ class UserController < ApplicationController
         elsif !params[:submitted_crop_profile_photo].nil?
             # crop the draft photo according to jquery parameters and set it as the users photo
             draft_profile_photo = ProfilePhoto.find(params[:draft_profile_photo_id])
-            @profile_photo = ProfilePhoto.new(:data => draft_profile_photo.data, :draft => false,
+            @profile_photo = ProfilePhoto.new(:data => draft_profile_photo.data, :draft => false,
                 :x => params[:x], :y => params[:y], :w => params[:w], :h => params[:h])
             @user.set_profile_photo(@profile_photo)
             draft_profile_photo.destroy
-
+
             if !@user.get_about_me_for_html_display.empty?
                 flash[:notice] = "Thank you for updating your profile photo"
                 redirect_to user_url(@user)
@@ -487,7 +494,7 @@ class UserController < ApplicationController
     def work_out_post_redirect
         # Redirect to front page later if nothing else specified
         if not params[:r] and not params[:token]
-            params[:r] = "/"
+            params[:r] = "/"
         end
         # The explicit "signin" link uses this to specify where to go back to
         if params[:r]