10 files changed, 118 insertions, 39 deletions
diff --git a/app/controllers/public_body_controller.rb b/app/controllers/public_body_controller.rb
index 9c3e46ded..308d38e4c 100644
--- a/app/controllers/public_body_controller.rb
+++ b/app/controllers/public_body_controller.rb
@@ -7,6 +7,7 @@
 
 require 'fastercsv'
 require 'confidence_intervals'
+require 'tempfile'
 
 class PublicBodyController < ApplicationController
     # XXX tidy this up with better error messages, and a more standard infrastructure for the redirect to canonical URL
@@ -191,9 +192,32 @@ class PublicBodyController < ApplicationController
     end
 
     def list_all_csv
-        send_data(PublicBody.export_csv, :type=> 'text/csv; charset=utf-8; header=present',
+        # FIXME: this is just using the download directory for zip
+        # archives, since we know that is allowed for X-Sendfile and
+        # the filename can't clash with the numeric subdirectory names
+        # used for the zips.  However, really there should be a
+        # generically named downloads directory that contains all
+        # kinds of downloadable assets.
+        download_directory = File.join(InfoRequest.download_zip_dir(),
+                                       'download')
+        FileUtils.mkdir_p download_directory
+        output_leafname = 'all-authorities.csv'
+        output_filename = File.join download_directory, output_leafname
+        # Create a temporary file in the same directory, so we can
+        # rename it atomically to the intended filename:
+        tmp = Tempfile.new output_leafname, download_directory
+        tmp.close
+        # Export all the public bodies to that temporary path and make
+        # it readable:
+        PublicBody.export_csv tmp.path
+        FileUtils.chmod 0644, tmp.path
+        # Rename into place and send the file:
+        File.rename tmp.path, output_filename
+        send_file(output_filename,
+                  :type => 'text/csv; charset=utf-8; header=present',
                   :filename => 'all-authorities.csv',
-                  :disposition =>'attachment', :encoding => 'utf8')
+                  :disposition =>'attachment',
+                  :encoding => 'utf8')
     end
 
 
diff --git a/app/models/public_body.rb b/app/models/public_body.rb
index fbe2956e3..db6359f6b 100644
--- a/app/models/public_body.rb
+++ b/app/models/public_body.rb
@@ -514,10 +514,8 @@ class PublicBody < ActiveRecord::Base
     end
 
     # Returns all public bodies (except for the internal admin authority) as csv
-    def self.export_csv
-        public_bodies = PublicBody.visible.find(:all, :order => 'url_name',
-                                              :include => [:translations, :tags])
-        FasterCSV.generate() do |csv|
+    def self.export_csv(output_filename)
+        CSV.open(output_filename, "w") do |csv|
             csv << [
                     'Name',
                     'Short name',
@@ -532,7 +530,7 @@ class PublicBody < ActiveRecord::Base
                     'Updated at',
                     'Version',
             ]
-            public_bodies.each do |public_body|
+            PublicBody.visible.find_each(:include => [:translations, :tags]) do |public_body|
                 # Skip bodies we use only for site admin
                 next if public_body.has_tag?('site_administration')
                 csv << [
diff --git a/app/views/contact_mailer/from_admin_message.text.erb b/app/views/contact_mailer/from_admin_message.text.erb
index 4169d8d3a..3af759c5d 100644
--- a/app/views/contact_mailer/from_admin_message.text.erb
+++ b/app/views/contact_mailer/from_admin_message.text.erb
@@ -1,2 +1 @@
 <%= raw @message %>
-
diff --git a/config/application.rb b/config/application.rb
index 92fd30685..ad5d4b03f 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -70,6 +70,6 @@ module Alaveteli
 
     # Insert a bit of middleware code to prevent uneeded cookie setting.
     require "#{Rails.root}/lib/whatdotheyknow/strip_empty_sessions"
-    config.middleware.insert_before ActionDispatch::Session::CookieStore, WhatDoTheyKnow::StripEmptySessions, :key => '_wdtk_cookie_session', :path => "/", :httponly => true
+    config.middleware.insert_before ::ActionDispatch::Cookies, WhatDoTheyKnow::StripEmptySessions, :key => '_wdtk_cookie_session', :path => "/", :httponly => true
   end
 end
diff --git a/config/general.yml-example b/config/general.yml-example
index 60eb5ae1c..028827d7d 100644
--- a/config/general.yml-example
+++ b/config/general.yml-example
@@ -172,6 +172,11 @@ VARNISH_HOST: localhost
 # Adding a value here will enable Google Analytics on all non-admin pages for non-admin users.
 GA_CODE: ''
 
+# We need to add the WDTK survey variables here, or else the deployment
+# system will cry.
+SURVEY_SECRET: ''
+SURVEY_URL: ''
+
 # If you want to override *all* the public body request emails with your own
 # email so that request emails that would normally go to the public body
 # go to you, then uncomment below and fill in your email.
diff --git a/lib/whatdotheyknow/strip_empty_sessions.rb b/lib/whatdotheyknow/strip_empty_sessions.rb
index e162acf67..6d175ca98 100644
--- a/lib/whatdotheyknow/strip_empty_sessions.rb
+++ b/lib/whatdotheyknow/strip_empty_sessions.rb
@@ -1,9 +1,9 @@
 module WhatDoTheyKnow
-  
+
   class StripEmptySessions
     ENV_SESSION_KEY = "rack.session".freeze
     HTTP_SET_COOKIE = "Set-Cookie".freeze
-    STRIPPABLE_KEYS = [:session_id, :_csrf_token, :locale]
+    STRIPPABLE_KEYS = ['session_id', '_csrf_token', 'locale']
 
     def initialize(app, options = {})
       @app = app
diff --git a/spec/controllers/public_body_controller_spec.rb b/spec/controllers/public_body_controller_spec.rb
index 6800765f2..2663f2a75 100644
--- a/spec/controllers/public_body_controller_spec.rb
+++ b/spec/controllers/public_body_controller_spec.rb
@@ -273,6 +273,20 @@ describe PublicBodyController, "when showing JSON version for API" do
 
 end
 
+describe PublicBodyController, "when asked to export public bodies as CSV" do
+
+    it "should return a valid CSV file with the right number of rows" do
+        get :list_all_csv
+        all_data = CSV.parse response.body
+        all_data.length.should == 8
+        # Check that the header has the right number of columns:
+        all_data[0].length.should == 11
+        # And an actual line of data:
+        all_data[1].length.should == 11
+    end
+
+end
+
 describe PublicBodyController, "when showing public body statistics" do
 
     it "should render the right template with the right data" do
diff --git a/spec/integration/cookie_stripping_spec.rb b/spec/integration/cookie_stripping_spec.rb
new file mode 100644
index 000000000..897899fd5
--- /dev/null
+++ b/spec/integration/cookie_stripping_spec.rb
@@ -0,0 +1,12 @@
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/alaveteli_dsl')
+
+describe 'when making stripping cookies' do
+
+    it 'should not set a cookie when no significant session data is set' do
+        get 'country_message'
+        response.headers['Set-Cookie'].should be_blank
+    end
+
+end
+
diff --git a/spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb b/spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb
index 9bd5ccb93..fcd729b48 100644
--- a/spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb
+++ b/spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb
@@ -1,71 +1,71 @@
 require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
 describe WhatDoTheyKnow::StripEmptySessions do
-  
+
   def make_response(session_data, response_headers)
     app = lambda do |env|
       env['rack.session'] = session_data
-      return [200, response_headers, ['content']] 
+      return [200, response_headers, ['content']]
     end
     strip_empty_sessions = WhatDoTheyKnow::StripEmptySessions
     app = strip_empty_sessions.new(app, {:key => 'mykey', :path => '', :httponly => true})
     response = Rack::MockRequest.new(app).get('/', 'HTTP_ACCEPT' => 'text/html')
   end
 
-  
-  it 'should not prevent a cookie being set if there is data in the session' do 
-    session_data = { :some_real_data => 'important', 
-                     :session_id => 'my_session_id', 
-                     :_csrf_token => 'hi_there' }
-    application_response_headers = { 'Content-Type' => 'text/html', 
+
+  it 'should not prevent a cookie being set if there is data in the session' do
+    session_data = { 'some_real_data' => 'important',
+                     'session_id' => 'my_session_id',
+                     '_csrf_token' => 'hi_there' }
+    application_response_headers = { 'Content-Type' => 'text/html',
                                      'Set-Cookie' => 'mykey=f274c61a35320c52d45e9f8d7d4e2649; path=/; HttpOnly'}
     response = make_response(session_data, application_response_headers)
     response.headers['Set-Cookie'].should == 'mykey=f274c61a35320c52d45e9f8d7d4e2649; path=/; HttpOnly'
   end
 
-  describe 'if there is no meaningful data in the session' do 
+  describe 'if there is no meaningful data in the session' do
 
-    before do 
-      @session_data = { :session_id => 'my_session_id', 
-                       :_csrf_token => 'hi_there' }
+    before do
+      @session_data = { 'session_id' => 'my_session_id',
+                       '_csrf_token' => 'hi_there' }
     end
-    
-    it 'should not strip any other header' do 
+
+    it 'should not strip any other header' do
       application_response_headers = { 'Content-Type' => 'text/html',
                                        'Set-Cookie' => 'mykey=f274c61a35320c52d45e9f8d7d4e2649; path=/; HttpOnly'}
       response = make_response(@session_data, application_response_headers)
       response.headers['Content-Type'].should == 'text/html'
     end
-    
-    it 'should strip the session cookie setting header ' do 
-      application_response_headers = { 'Content-Type' => 'text/html', 
+
+    it 'should strip the session cookie setting header ' do
+      application_response_headers = { 'Content-Type' => 'text/html',
                                        'Set-Cookie' => 'mykey=f274c61a35320c52d45e9f8d7d4e2649; path=/; HttpOnly'}
       response = make_response(@session_data, application_response_headers)
       response.headers['Set-Cookie'].should == ""
     end
-  
-    it 'should strip the session cookie setting header even with a locale' do 
-      @session_data[:locale] = 'en'
-      application_response_headers = { 'Content-Type' => 'text/html', 
+
+    it 'should strip the session cookie setting header even with a locale' do
+      @session_data['locale'] = 'en'
+      application_response_headers = { 'Content-Type' => 'text/html',
                                        'Set-Cookie' => 'mykey=f274c61a35320c52d45e9f8d7d4e2649; path=/; HttpOnly'}
       response = make_response(@session_data, application_response_headers)
       response.headers['Set-Cookie'].should == ""
     end
 
-    it 'should not strip the session cookie setting for admins' do 
-      @session_data[:using_admin] = 1
-      application_response_headers = { 'Content-Type' => 'text/html', 
+    it 'should not strip the session cookie setting for admins' do
+      @session_data['using_admin'] = 1
+      application_response_headers = { 'Content-Type' => 'text/html',
                                        'Set-Cookie' => 'mykey=f274c61a35320c52d45e9f8d7d4e2649; path=/; HttpOnly'}
       response = make_response(@session_data, application_response_headers)
       response.headers['Set-Cookie'].should == "mykey=f274c61a35320c52d45e9f8d7d4e2649; path=/; HttpOnly"
     end
-  
-    it 'should strip the session cookie setting header (but no other cookie setting header) if there is more than one' do 
-      application_response_headers = { 'Content-Type' => 'text/html', 
+
+    it 'should strip the session cookie setting header (but no other cookie setting header) if there is more than one' do
+      application_response_headers = { 'Content-Type' => 'text/html',
                                        'Set-Cookie' => ['mykey=f274c61a35320c52d45e9f8d7d4e2649; path=/; HttpOnly',
                                                         'other=mydata']}
       response = make_response(@session_data, application_response_headers)
       response.headers['Set-Cookie'].should == ['other=mydata']
     end
-    
+
   end
 end
diff --git a/spec/models/info_request_spec.rb b/spec/models/info_request_spec.rb
index 64ad1972e..cf4dda62c 100644
--- a/spec/models/info_request_spec.rb
+++ b/spec/models/info_request_spec.rb
@@ -550,6 +550,33 @@ describe InfoRequest do
 
     end
 
+    describe 'when an instance is asked if all can view it' do
+
+        before do
+            @info_request = InfoRequest.new
+        end
+
+        it 'should return true if its prominence is normal' do
+            @info_request.prominence = 'normal'
+            @info_request.all_can_view?.should == true
+        end
+
+        it 'should return true if its prominence is backpage' do
+            @info_request.prominence = 'backpage'
+            @info_request.all_can_view?.should == true
+        end
+
+        it 'should return false if its prominence is hidden' do
+            @info_request.prominence = 'hidden'
+            @info_request.all_can_view?.should == false
+        end
+
+        it 'should return false if its prominence is requester_only' do
+            @info_request.prominence = 'requester_only'
+            @info_request.all_can_view?.should == false
+        end
+    end
+
     describe 'when applying censor rules' do
 
         before do