7 files changed, 80 insertions, 46 deletions

diff --git a/app/controllers/admin_user_controller.rb b/app/controllers/admin_user_controller.rb
index 940a5fe8f..a6438e151 100644
--- a/app/controllers/admin_user_controller.rb
+++ b/app/controllers/admin_user_controller.rb
@@ -99,6 +99,12 @@ class AdminUserController < AdminController
         redirect_to admin_user_show_url(@admin_user)
     end
 
+    def modify_comment_visibility
+        @visibility_value = params.key?(:hide_selected) ? false : true
+        Comment.update_all(["visible=?", @visibility_value], :id => params[:comment_ids])
+        redirect_to :back
+    end
+
     private
 
 end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 370e8e15c..410778d9a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -131,6 +131,7 @@ class ApplicationController < ActionController::Base
         case exception
         when ActiveRecord::RecordNotFound, RouteNotFound
             @status = 404
+            sanitize_path(params)
         when PermissionDenied
             @status = 403
         else
@@ -441,6 +442,15 @@ class ApplicationController < ActionController::Base
       `git log -1 --format="%H"`.strip
     end
 
+    # URL Encode the path parameter for use in render_exception
+    #
+    # params - the params Hash
+    #
+    # Returns a Hash
+    def sanitize_path(params)
+        params.merge!(:path => Rack::Utils.escape(params[:path])) if params.key?(:path)
+    end
+
     # URL generating functions are needed by all controllers (for redirects),
     # views (for links) and mailers (for use in emails), so include them into
     # all of all.
diff --git a/app/controllers/comment_controller.rb b/app/controllers/comment_controller.rb
index cda56a211..5e39c3a2c 100644
--- a/app/controllers/comment_controller.rb
+++ b/app/controllers/comment_controller.rb
@@ -6,34 +6,18 @@
 
 class CommentController < ApplicationController
     before_filter :check_read_only, :only => [ :new ]
+    before_filter :find_info_request, :only => [ :new ]
+    before_filter :create_track_thing, :only => [ :new ]
+    before_filter :reject_unless_comments_allowed, :only => [ :new ]
+    before_filter :reject_if_user_banned, :only => [ :new ]
     protect_from_forgery :only => [ :new ]
 
     def new
-        if params[:type] == 'request'
-            @info_request = InfoRequest.find_by_url_title!(params[:url_title])
-            @track_thing = TrackThing.create_track_for_request(@info_request)
-            if params[:comment]
-                @comment = Comment.new(params[:comment].merge({
-                    :comment_type => 'request',
-                    :user => @user
-                }))
-            end
-        else
-            raise "Unknown type " + params[:type]
-        end
-        
-        # Are comments disabled on this request?
-        #
-        # There is no “add comment” link when comments are disabled, so users should
-        # not usually hit this unless they are explicitly attempting to avoid the comment
-        # block, so we just raise an exception.
-        raise "Comments are not allowed on this request" if !@info_request.comments_allowed?
-
-        # Banned from adding comments?
-        if !authenticated_user.nil? && !authenticated_user.can_make_comments?
-            @details = authenticated_user.can_fail_html
-            render :template => 'user/banned'
-            return
+        if params[:comment]
+            @comment = Comment.new(params[:comment].merge({
+                :comment_type => 'request',
+                :user => @user
+            }))
         end
 
         if params[:comment]
@@ -92,5 +76,36 @@ class CommentController < ApplicationController
         end
     end
 
-end
+    private
 
+    def find_info_request
+        if params[:type] == 'request'
+            @info_request = InfoRequest.find_by_url_title!(params[:url_title])
+        else
+            raise "Unknown type #{ params[:type] }"
+        end
+    end
+
+    def create_track_thing
+        @track_thing = TrackThing.create_track_for_request(@info_request)
+    end
+
+    # Are comments disabled on this request?
+    #
+    # There is no “add comment” link when comments are disabled, so users should
+    # not usually hit this unless they are explicitly attempting to avoid the comment block
+    def reject_unless_comments_allowed
+        unless @info_request.comments_allowed?
+            redirect_to request_url(@info_request), :notice => "Comments are not allowed on this request"
+        end
+    end
+
+    # Banned from adding comments?
+    def reject_if_user_banned
+        if authenticated_user && !authenticated_user.can_make_comments?
+            @details = authenticated_user.can_fail_html
+            render :template => 'user/banned'
+        end
+    end
+
+end
diff --git a/app/controllers/help_controller.rb b/app/controllers/help_controller.rb
index 9959df6d8..9033198a0 100644
--- a/app/controllers/help_controller.rb
+++ b/app/controllers/help_controller.rb
@@ -9,6 +9,7 @@ class HelpController < ApplicationController
     # we don't even have a control subroutine for most help pages, just see their templates
 
     before_filter :long_cache
+    before_filter :catch_spam, :only => [:contact]
 
     def unhappy
         @info_request = nil
@@ -69,4 +70,12 @@ class HelpController < ApplicationController
 
     end
 
+    private
+
+    def catch_spam
+        if request.post? && !params[:contact][:comment].empty?
+            redirect_to frontpage_url
+        end
+    end
+
 end
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index a94461758..6445dd685 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -447,9 +447,9 @@ class RequestController < ApplicationController
         flash[:notice] = case info_request.calculate_status
         when 'waiting_response'
             _("<p>Thank you! Hopefully your wait isn't too long.</p> <p>By law, you should get a response promptly, and normally before the end of <strong>
-{{date_response_required_by}}</strong>.</p>",:date_response_required_by=>simple_date(info_request.date_response_required_by))
+{{date_response_required_by}}</strong>.</p>",:date_response_required_by=>view_context.simple_date(info_request.date_response_required_by))
         when 'waiting_response_overdue'
-            _("<p>Thank you! Hope you don't have to wait much longer.</p> <p>By law, you should have got a response promptly, and normally before the end of <strong>{{date_response_required_by}}</strong>.</p>",:date_response_required_by=>simple_date(info_request.date_response_required_by))
+            _("<p>Thank you! Hope you don't have to wait much longer.</p> <p>By law, you should have got a response promptly, and normally before the end of <strong>{{date_response_required_by}}</strong>.</p>",:date_response_required_by=>view_context.simple_date(info_request.date_response_required_by))
         when 'waiting_response_very_overdue'
             _("<p>Thank you! Your request is long overdue, by more than {{very_late_number_of_days}} working days. Most requests should be answered within {{late_number_of_days}} working days. You might like to complain about this, see below.</p>", :very_late_number_of_days => AlaveteliConfiguration::reply_very_late_after_days, :late_number_of_days => AlaveteliConfiguration::reply_late_after_days)
         when 'not_held'
diff --git a/app/controllers/services_controller.rb b/app/controllers/services_controller.rb
index 78c494dba..97c47c448 100644
--- a/app/controllers/services_controller.rb
+++ b/app/controllers/services_controller.rb
@@ -17,8 +17,15 @@ class ServicesController < ApplicationController
                   text = _("Hello! You can make Freedom of Information requests within {{country_name}} at {{link_to_website}}",
                     :country_name => found_country[:country_name], :link_to_website => "<a href=\"#{found_country[:url]}\">#{found_country[:name]}</a>".html_safe)
               else
-                  current_country = WorldFOIWebsites.by_code(iso_country_code)[:country_name]
-                  text = _("Hello! We have an  <a href=\"/help/alaveteli?country_name=#{CGI.escape(current_country)}\">important message</a> for visitors outside {{country_name}}", :country_name => current_country)
+                  country_data = WorldFOIWebsites.by_code(iso_country_code)
+                  if country_data
+                      text = _("Hello! We have an  <a href=\"{{url}}\">important message</a> for visitors outside {{country_name}}",
+                                :country_name => country_data[:country_name],
+                                :url => "/help/alaveteli?country_name=#{CGI.escape(country_data[:country_name])}")
+                  else
+                      text = _("Hello! We have an <a href=\"{{url}}\">important message</a> for visitors in other countries",
+                                :url => "/help/alaveteli")
+                  end
               end
             ensure
               FastGettext.locale = old_fgt_locale
diff --git a/app/controllers/track_controller.rb b/app/controllers/track_controller.rb
index 83e05ebbc..dccc52efc 100644
--- a/app/controllers/track_controller.rb
+++ b/app/controllers/track_controller.rb
@@ -118,7 +118,7 @@ class TrackController < ApplicationController
         if @user
             @existing_track = TrackThing.find_existing(@user, @track_thing)
             if @existing_track
-                flash[:notice] = _("You are already following updates about {{track_description}}", :track_description => @track_thing.params[:list_description])
+                flash[:notice] = view_context.already_subscribed_notice(@track_thing)
                 return true
             end
         end
@@ -130,11 +130,7 @@ class TrackController < ApplicationController
         @track_thing.track_medium = 'email_daily'
         @track_thing.tracking_user_id = @user.id
         @track_thing.save!
-        if @user.receive_email_alerts
-            flash[:notice] = _('You will now be emailed updates about {{track_description}}. <a href="{{change_email_alerts_url}}">Prefer not to receive emails?</a>', :track_description =>  @track_thing.params[:list_description], :change_email_alerts_url => url_for(:controller => "user", :action => "wall", :url_name => @user.url_name))
-        else
-            flash[:notice] = _('You are now <a href="{{wall_url_user}}">following</a> updates about {{track_description}}', :track_description => @track_thing.params[:list_description], :wall_url_user => url_for(:controller => "user", :action => "wall", :url_name => @user.url_name))
-        end
+        flash[:notice] = render_to_string(:partial => 'track_set').html_safe
         return true
     end
 
@@ -183,16 +179,8 @@ class TrackController < ApplicationController
         new_medium = params[:track_medium]
         if new_medium == 'delete'
             track_thing.destroy
-            flash[:notice] = _("You are no longer following {{track_description}}.", :track_description => track_thing.params[:list_description])
+            flash[:notice] = view_context.unsubscribe_notice(track_thing)
             redirect_to URI.parse(params[:r]).path
-
-        # Reuse code like this if we let medium change again.
-        #elsif new_medium == 'email_daily'
-        #    track_thing.track_medium = new_medium
-        #    track_thing.created_at = Time.now() # as created_at is used to limit the alerts to start with
-        #    track_thing.save!
-        #    flash[:notice] = "You are now tracking " + track_thing.params[:list_description] + " by email daily"
-        #    redirect_to user_url(track_thing.tracking_user)
         else
             raise "new medium not handled " + new_medium
         end
@@ -217,7 +205,6 @@ class TrackController < ApplicationController
         for track_thing in TrackThing.find(:all, :conditions => [ "track_type = ? and tracking_user_id = ?", track_type, user_id ])
             track_thing.destroy
         end
-        flash[:notice] += "</ul>"
 
         redirect_to params[:r]
     end