-rw-r--r-- | app/controllers/request_controller.rb | 6 | ||||
-rw-r--r-- | spec/controllers/request_controller_spec.rb | 11 |
2 files changed, 17 insertions, 0 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index d66c28275..125791ef8 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -303,6 +303,12 @@ class RequestController < ApplicationController
 return render_new_compose(batch=false)
 end
+ # Check we have :public_body_id - spammers seem to be using :public_body
+ # erroneously instead
+ if params[:info_request][:public_body_id].blank?
+ redirect_to frontpage_path && return
+ end
+
 # See if the exact same request has already been submitted
 # XXX this check should theoretically be a validation rule in the
 # model, except we really want to pass @existing_request to the view so
diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
index 9353efcb3..070511fb0 100644
--- a/spec/controllers/request_controller_spec.rb
+++ b/spec/controllers/request_controller_spec.rb
@@ -1007,6 +1007,17 @@ describe RequestController, "when creating a new request" do
 # post_redirect.post_params.should == params # XXX get this working. there's a : vs '' problem amongst others
 end
+ it 'redirects to the frontpage if the action is sent the invalid
+ public_body param' do
+ post :new, :info_request => { :public_body => @body.id,
+ :title => 'Why Geraldine?',
+ :tag_string => '' },
+ :outgoing_message => { :body => 'This is a silly letter.' },
+ :submitted_new_request => 1,
+ :preview => 1
+ response.should redirect_to frontpage_url
+ end
+
 it "should show preview when input is good" do
 session[:user_id] = @user.id
 post :new, { :info_request => { :public_body_id => @body.id, |
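Review bot: `redirect_to frontpage_path && return` inside the new guard never issues the redirect: `&&` binds tighter than the unparenthesised method call, so Ruby parses it as `redirect_to(frontpage_path && return)`, and the `return` fires while the argument is being evaluated, before `redirect_to` runs; the action then presumably falls through to its default render. Use the low-precedence form `redirect_to frontpage_path and return`, or put `redirect_to frontpage_path` on its own line inside the `if` (the branch ends there anyway), and confirm the companion spec actually fails against the current line before relying on it. Separately, `params[:info_request][:public_body_id]` raises NoMethodError (a 500) when a malformed or spam post omits `info_request` entirely; unless something above the hunk already guards that, `if params[:info_request].blank? || params[:info_request][:public_body_id].blank?` covers both shapes. The enclosing action starts before and ends after this hunk.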
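Review bot: The description of the new example is a single-quoted string broken across two lines, so the example's name contains a literal newline plus a run of indentation spaces, which shows up verbatim in RSpec output and makes the example awkward to pick out with `-e`. Keep it on one line, `it 'redirects to the frontpage if the action is sent the invalid public_body param' do`, as the neighbouring examples do. The example only exercises the `:public_body` misspelling; a second example that posts with no `:public_body_id` key at all would pin the guard for the other malformed submissions the controller comment is worried about. The enclosing describe block starts before and ends after this hunk.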