diff options
Diffstat (limited to 'app/controllers')
| -rw-r--r-- | app/controllers/application_controller.rb | 10 | ||||
| -rw-r--r-- | app/controllers/request_controller.rb | 24 |
2 files changed, 22 insertions, 12 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 8fd2da54a..7aa522389 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -11,6 +11,8 @@ require 'open-uri' class ApplicationController < ActionController::Base + class PermissionDenied < StandardError + end # Standard headers, footers and navigation for whole site layout "default" include FastGettext::Translation # make functions like _, n_, N_ etc available) @@ -120,6 +122,8 @@ class ApplicationController < ActionController::Base case exception when ActiveRecord::RecordNotFound, ActionController::UnknownAction, ActionController::RoutingError @status = 404 + when PermissionDenied + @status = 403 else @status = 500 notify_about_exception exception @@ -189,7 +193,7 @@ class ApplicationController < ActionController::Base return File.exists?(key_path) end def foi_fragment_cache_read(key_path) - cached = File.read(key_path) + return File.read(key_path) end def foi_fragment_cache_write(key_path, content) FileUtils.mkdir_p(File.dirname(key_path)) @@ -367,8 +371,8 @@ class ApplicationController < ActionController::Base # XXX this is a result of the OR hack below -- should fix by # allowing a parameter to perform_search to control the # default operator! - query = query.gsub(/(\s-\s|&)/, "") - query = query.split(/ +(?!-)/) + query = query.strip.gsub(/(\s-\s|&)/, "") + query = query.split(/ +(?![-+]+)/) if query.last.nil? || query.last.strip.length < 3 xapian_requests = nil else diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 6e33fe043..99aa3c7ea 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -37,8 +37,7 @@ class RequestController < ApplicationController end if !params[:query].nil? query = params[:query] - query = query.split(' ').join(' OR ') # XXX: HACK for OR instead of default AND! - @xapian_requests = perform_search([PublicBody], query, 'relevant', nil, 5) + @xapian_requests = perform_search_typeahead(query, PublicBody) end medium_cache end @@ -118,11 +117,14 @@ class RequestController < ApplicationController def details long_cache @info_request = InfoRequest.find_by_url_title(params[:url_title]) - if !@info_request.user_can_view?(authenticated_user) - render :template => 'request/hidden', :status => 410 # gone - return + if @info_request.nil? + raise ActiveRecord::RecordNotFound.new("Request not found") + else + if !@info_request.user_can_view?(authenticated_user) + render :template => 'request/hidden', :status => 410 # gone + return + end end - @columns = ['id', 'event_type', 'created_at', 'described_state', 'last_described_at', 'calculated_state' ] end @@ -600,9 +602,13 @@ class RequestController < ApplicationController before_filter :authenticate_attachment, :only => [ :get_attachment, :get_attachment_as_html ] def authenticate_attachment # Test for hidden - incoming_message = IncomingMessage.find(params[:incoming_message_id]) - if !incoming_message.info_request.user_can_view?(authenticated_user) - render :template => 'request/hidden', :status => 410 # gone + if request.path =~ /\/$/ + raise PermissionDenied.new("Directory listing not allowed") + else + incoming_message = IncomingMessage.find(params[:incoming_message_id]) + if !incoming_message.info_request.user_can_view?(authenticated_user) + render :template => 'request/hidden', :status => 410 # gone + end end end |