Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/admin_holiday_imports_controller.rb | 28 | ||||
-rw-r--r-- | app/controllers/admin_holidays_controller.rb | 67 | ||||
-rw-r--r-- | app/controllers/admin_request_controller.rb | 3 | ||||
-rw-r--r-- | app/controllers/application_controller.rb | 25 | ||||
-rw-r--r-- | app/controllers/request_controller.rb | 12 | ||||
-rw-r--r-- | app/controllers/user_controller.rb | 10 |
6 files changed, 128 insertions, 17 deletions
diff --git a/app/controllers/admin_holiday_imports_controller.rb b/app/controllers/admin_holiday_imports_controller.rb
new file mode 100644
index 000000000..8596936f0
--- /dev/null
+++ b/app/controllers/admin_holiday_imports_controller.rb
@@ -0,0 +1,28 @@
+class AdminHolidayImportsController < AdminController
+
+ def new
+ @holiday_import = HolidayImport.new(holiday_import_params)
+ @holiday_import.populate if @holiday_import.valid?
+ end
+
+ def create
+ @holiday_import = HolidayImport.new(holiday_import_params)
+ if @holiday_import.save
+ notice = "Holidays successfully imported"
+ redirect_to admin_holidays_path, :notice => notice
+ else
+ render :new
+ end
+ end
+
+ private
+
+ def holiday_import_params(key = :holiday_import)
+ if params[key]
+ params[key].slice(:holidays_attributes, :start_year, :end_year, :source, :ical_feed_url)
+ else
+ {}
+ end
+ end
+
+end
diff --git a/app/controllers/admin_holidays_controller.rb b/app/controllers/admin_holidays_controller.rb
new file mode 100644
index 000000000..9177ebd44
--- /dev/null
+++ b/app/controllers/admin_holidays_controller.rb
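Review bot: `holiday_import_params` allowlists only the top-level keys — `slice(:holidays_attributes, ...)` passes the nested `holidays_attributes` hash through untouched, so whatever keys an admin submits inside it reach `HolidayImport.new` filtered only by whatever protection the model applies, which is not visible here. If `HolidayImport` does not protect its nested attributes itself, filter each nested hash in this helper to the same keys `holiday_params` in admin_holidays_controller.rb accepts, rather than relying on the model. `new` also calls `populate` on a GET whenever the import is valid; if `populate` fetches `ical_feed_url` (the name suggests so), that is an admin-supplied outbound URL fetched from a GET, so restrict it to http/https with a timeout where the fetch happens and confirm `AdminController` authenticates before this action runs.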
@@ -0,0 +1,67 @@
+class AdminHolidaysController < AdminController
+
+ def index
+ get_all_holidays
+ end
+
+ def new
+ @holiday = Holiday.new
+ if request.xhr?
+ render :partial => 'new_form', :locals => { :holiday => @holiday }
+ else
+ render :action => 'new'
+ end
+ end
+
+ def create
+ @holiday = Holiday.new(holiday_params)
+ if @holiday.save
+ notice = "Holiday successfully created."
+ redirect_to admin_holidays_path, :notice => notice
+ else
+ render :new
+ end
+ end
+
+ def edit
+ @holiday = Holiday.find(params[:id])
+ if request.xhr?
+ render :partial => 'edit_form'
+ else
+ render :action => 'edit'
+ end
+ end
+
+ def update
+ @holiday = Holiday.find(params[:id])
+ if @holiday.update_attributes(holiday_params)
+ flash[:notice] = 'Holiday successfully updated.'
+ redirect_to admin_holidays_path
+ else
+ render :edit
+ end
+ end
+
+ def destroy
+ @holiday = Holiday.find(params[:id])
+ @holiday.destroy
+ notice = "Holiday successfully destroyed"
+ redirect_to admin_holidays_path, :notice => notice
+ end
+
+ private
+
+ def get_all_holidays
+ @holidays_by_year = Holiday.all.group_by { |holiday| holiday.day.year }
+ @years = @holidays_by_year.keys.sort.reverse
+ end
+
+ def holiday_params(key = :holiday)
+ if params[key]
+ params[key].slice(:description, 'day(1i)', 'day(2i)', 'day(3i)')
+ else
+ {}
+ end
+ end
+
+end
diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb
index e63d5e80a..cbf7b9f4f 100644
--- a/app/controllers/admin_request_controller.rb
+++ b/app/controllers/admin_request_controller.rb
@@ -4,9 +4,8 @@
 # Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
 # Email: hello@mysociety.org; WWW: http://www.mysociety.org/
-require 'ostruct'
-
 class AdminRequestController < AdminController
+
 def index
 @query = params[:query]
 if @query
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1ccf7e5db..a06fa7098 100644
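Review bot: `destroy` ignores the return value of `@holiday.destroy` and always reports `Holiday successfully destroyed`; `destroy` returns false when a callback halts it, so the admin is told the record is gone when it is not. Branch on the result and report failure with `:alert`, as below. Stylistically, `update` sets `flash[:notice]` and redirects on two lines while `create` and `destroy` use `redirect_to ..., :notice =>`; pick one form for the controller.
```ruby
  def destroy
    @holiday = Holiday.find(params[:id])
    if @holiday.destroy
      redirect_to admin_holidays_path, :notice => "Holiday successfully destroyed"
    else
      redirect_to admin_holidays_path, :alert => "Holiday could not be destroyed"
    end
  end
```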
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -30,6 +30,8 @@ class ApplicationController < ActionController::Base
 before_filter :check_in_post_redirect
 before_filter :session_remember_me
 before_filter :set_vary_header
+ before_filter :validate_session_timestamp
+ after_filter :persist_session_timestamp
 def set_vary_header
 response.headers['Vary'] = 'Cookie'
@@ -121,6 +123,29 @@ class ApplicationController < ActionController::Base
 end
 end
+ # Set a TTL for non "remember me" sessions so that the cookie
+ # is not replayable forever
+ SESSION_TTL = 3.hours
+ def validate_session_timestamp
+ if session[:user_id] && session.key?(:ttl) && session[:ttl] < SESSION_TTL.ago
+ clear_session_credentials
+ redirect_to signin_path
+ end
+ end
+
+ def persist_session_timestamp
+ session[:ttl] = Time.now if session[:user_id] && !session[:remember_me]
+ end
+
+ # Logout form
+ def clear_session_credentials
+ session[:user_id] = nil
+ session[:user_circumstance] = nil
+ session[:remember_me] = false
+ session[:using_admin] = nil
+ session[:admin_name] = nil
+ end
+
 def render_exception(exception)
 # In development or the admin interface let Rails handle the exception
 # with its stack trace templates
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 346aaf384..d529f8dbb 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
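Review bot: `validate_session_timestamp` fires on any stale `session[:ttl]` without checking `session[:remember_me]`, and `clear_session_credentials` leaves `:ttl` in the session; since `persist_session_timestamp` never refreshes it for remember-me sessions, a sign-out followed later by a remember-me sign-in would inherit the old `:ttl` and be logged out on the next request (assuming sign-in sets `session[:remember_me]`, as the `session_remember_me` filter and the reset in `clear_session_credentials` suggest). Add `&& !session[:remember_me]` to the condition, and have `clear_session_credentials` also `session.delete(:ttl)` so a signed-out session does not carry a timestamp forward. Note also that `:ttl` is rewritten to `Time.now` on every request, so `SESSION_TTL` is an idle timeout, not a cap on the cookie's lifetime — a cookie replayed at least once every three hours stays valid indefinitely, which `# is not replayable forever` overstates; say idle timeout, or additionally record a never-refreshed login time and expire on that. On expiry `reset_session` would rotate the session id and drop `:ttl` itself, rather than nil-ing five keys and keeping the same id.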
@@ -770,13 +770,14 @@ class RequestController < ApplicationController
 get_attachment_internal(false)
 return unless @attachment
- # Prevent spam to magic request address. Note that the binary
- subsitution method used depends on the content type
- @incoming_message.binary_mask_stuff!(@attachment.body, @attachment.content_type)
 # we don't use @attachment.content_type here, as we want same mime type when cached in cache_attachments above
 response.content_type = AlaveteliFileTypes.filename_to_mimetype(params[:file_name]) || 'application/octet-stream'
+ # Prevent spam to magic request address. Note that the binary
+ # subsitution method used depends on the content type
+ @incoming_message.apply_masks!(@attachment.body, @attachment.content_type)
+
 render :text => @attachment.body
 end
@@ -804,10 +805,9 @@ class RequestController < ApplicationController
 :body_prefix => render_to_string(:partial => "request/view_html_prefix")
 } )
-
- @incoming_message.html_mask_stuff!(html)
- response.content_type = 'text/html'
+ @incoming_message.apply_masks!(html, response.content_type)
+
 render :text => html
 end
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index baeaab18a..9798ff8e2 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -260,16 +260,8 @@ class UserController < ApplicationController
 do_post_redirect post_redirect
 end
- # Logout form
- def _do_signout
- session[:user_id] = nil
- session[:user_circumstance] = nil
- session[:remember_me] = false
- session[:using_admin] = nil
- session[:admin_name] = nil
- end
 def signout
- self._do_signout
+ clear_session_credentials
 if params[:r]
 redirect_to params[:r]
 else |
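Review bot: `apply_masks!` still selects its substitution method from `@attachment.content_type`, while two lines earlier the response is deliberately typed from `params[:file_name]` (the comment says why); when the two disagree, the body is masked as one type and rendered by the browser as another. The reordering in this hunk makes `response.content_type` available at this point, and the second hunk in this file passes exactly that — either do the same here, `@incoming_message.apply_masks!(@attachment.body, response.content_type)`, or extend the comment to say why the attachment's declared type, not the served type, is the right selector for masking. The enclosing action begins outside the hunk.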
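Review bot: The removed `response.content_type = 'text/html'` was the only visible assignment to `response.content_type` in this action, yet the new line reads it: `@incoming_message.apply_masks!(html, response.content_type)`. Unless something earlier in the method, outside the hunk, sets it, the value is still nil here, so `apply_masks!` picks its method for a nil type rather than for HTML, and the response now depends on `render :text`'s default type instead of an explicit one. Keep the assignment ahead of the call — `response.content_type = 'text/html'` then `@incoming_message.apply_masks!(html, response.content_type)` — or pass `'text/html'` directly. The enclosing action begins outside the hunk.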
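Review bot: `signout` still redirects to `params[:r]` unvalidated, so the logout endpoint is an open redirect unless `r` is constrained somewhere not visible in this hunk. Accept only a local path — `if params[:r] && params[:r] =~ %r{\A/(?![/\\])}` in place of `if params[:r]` — and let anything else fall through to the existing `else` branch. `clear_session_credentials` also nils individual keys but keeps the same session id and any other keys; a `reset_session` after it would rotate the id on logout. The rest of `signout` is outside the hunk.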