Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/admin_controller.rb47
-rw-r--r--app/controllers/admin_user_controller.rb3
-rw-r--r--app/controllers/application_controller.rb26
-rw-r--r--app/controllers/request_controller.rb19
-rw-r--r--app/controllers/track_controller.rb26
-rw-r--r--app/controllers/user_controller.rb2
6 files changed, 82 insertions, 41 deletions
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index adb506b91..884d7e540 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -36,6 +36,8 @@ class AdminController < ApplicationController
# also force a search reindexing (so changed text reflected in search)
info_request.reindex_request_events
+ # and remove from varnsi
+ info_request.purge_in_cache
end
# Expire cached attachment files for a user
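Review bot: The comment on the added purge line misspells the cache it refers to; `# and remove from varnish` reads correctly. Whether purge_in_cache can raise when the cache is unreachable is not visible here; if it can, the reindex on the line before has already completed by then, so a failure would surface after the search index is updated rather than before. The enclosing method starts outside the hunk.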
@@ -44,23 +46,40 @@ class AdminController < ApplicationController
expire_for_request(info_request)
end
end
- private
- def authenticate
- config_username = MySociety::Config.get('ADMIN_USERNAME', '')
- config_password = MySociety::Config.get('ADMIN_PASSWORD', '')
- if !config_username.empty? && !config_password.empty?
- authenticate_or_request_with_http_basic do |user_name, password|
- if user_name == config_username && password == config_password
- session[:using_admin] = 1
- request.env['REMOTE_USER'] = user_name
- else
- request_http_basic_authentication
+ private
+
+ def authenticate
+ if MySociety::Config.get('SKIP_ADMIN_AUTH', false)
+ session[:using_admin] = 1
+ return
+ else
+ if session[:using_admin].nil?
+ if params[:emergency].nil?
+ if authenticated?(
+ :web => _("To log into the administrative interface"),
+ :email => _("Then you can log into the administrative interface"),
+ :email_subject => _("Log into the admin interface"),
+ :user_name => "a superuser")
+ if !@user.nil? && @user.admin_level == "super"
+ session[:using_admin] = 1
+ request.env['REMOTE_USER'] = @user.url_name
+ end
+ end
+ else
+ config_username = MySociety::Config.get('ADMIN_USERNAME', '')
+ config_password = MySociety::Config.get('ADMIN_PASSWORD', '')
+ authenticate_or_request_with_http_basic do |user_name, password|
+ if user_name == config_username && password == config_password
+ session[:using_admin] = 1
+ request.env['REMOTE_USER'] = user_name
+ else
+ request_http_basic_authentication
+ end
end
end
- else
- session[:using_admin] = 1
end
- end
+ end
+ end
end
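Review bot: The emergency branch drops the guard the removed code had (`if !config_username.empty? && !config_password.empty?`), so when ADMIN_USERNAME and ADMIN_PASSWORD are left at their '' defaults a Basic-Auth request with an empty user name and password compares equal to them and is granted session[:using_admin]. Separately, a signed-in user whose admin_level is not "super" passes the authenticated? check but neither gets the admin session nor is sent a response; if authenticate runs as a before filter that halts only on render or redirect, the admin action would still execute for that user — I cannot see the filter declaration from here. The `else` after `return` in the SKIP_ADMIN_AUTH branch is also redundant. The sketch below refuses the emergency path when either config value is empty and renders a 403 for the non-superuser case.
```ruby
def authenticate
  # … unchanged: SKIP_ADMIN_AUTH shortcut …
  if session[:using_admin].nil?
    if params[:emergency].nil?
      if authenticated?(
        :web => _("To log into the administrative interface"),
        :email => _("Then you can log into the administrative interface"),
        :email_subject => _("Log into the admin interface"),
        :user_name => "a superuser")
        if !@user.nil? && @user.admin_level == "super"
          session[:using_admin] = 1
          request.env['REMOTE_USER'] = @user.url_name
        else
          # Signed in but not a superuser: answer the request instead of falling through to the action
          render :text => "Not authorised", :status => 403
        end
      end
    else
      config_username = MySociety::Config.get('ADMIN_USERNAME', '')
      config_password = MySociety::Config.get('ADMIN_PASSWORD', '')
      if config_username.empty? || config_password.empty?
        # Unset emergency credentials must never compare equal to a supplied pair
        render :text => "Emergency login is not configured", :status => 403
      else
        authenticate_or_request_with_http_basic do |user_name, password|
          # … unchanged: compare credentials and set the admin session …
        end
      end
    end
  end
end
```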
diff --git a/app/controllers/admin_user_controller.rb b/app/controllers/admin_user_controller.rb
index b2c084739..249030537 100644
--- a/app/controllers/admin_user_controller.rb
+++ b/app/controllers/admin_user_controller.rb
@@ -74,10 +74,9 @@ class AdminUserController < AdminController
def login_as
@admin_user = User.find(params[:id]) # check user does exist
- post_redirect = PostRedirect.new( :uri => main_url(user_url(@admin_user)), :user_id => @admin_user.id)
+ post_redirect = PostRedirect.new( :uri => main_url(user_url(@admin_user)), :user_id => @admin_user.id, :circumstance => "login_as" )
post_redirect.save!
url = main_url(confirm_url(:email_token => post_redirect.email_token, :only_path => true))
- session[:user_id] = nil # Log out current (usually admin) user, so we get logged in as the other user
redirect_to url
end
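Review bot: The `:circumstance => "login_as"` literal introduced here is matched by string in the confirm action of user_controller.rb (`post_redirect.circumstance == "login_as"` in the last hunk), so the two files must be kept in step by hand; defining the value once, e.g. a constant such as `LOGIN_AS_CIRCUMSTANCE = "login_as"` on the model that owns the column, and referencing it from both places removes that coupling. With `session[:user_id] = nil` gone the admin stays signed in until the confirm link is followed, so the identity switch now rests entirely on that circumstance check in confirm; a comment here saying so, `# The admin session is swapped for the target user by UserController#confirm via the login_as circumstance`, would save the next reader the cross-file search.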
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index b681f455d..0d0cca3e4 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
# controllers/application.rb:
# Parent class of all controllers in FOI site. Filters added to this controller
# apply to all controllers in the application. Likewise, all the methods added
@@ -151,8 +152,8 @@ class ApplicationController < ActionController::Base
false
end
- # Called from test code, is a mimic of User.confirm, for use in following email
- # links when in controller tests (since we don't have full integration tests that
+ # Called from test code, is a mimic of UserController.confirm, for use in following email
+ # links when in controller tests (though we also have full integration tests that
# can work over multiple controllers)
def test_code_redirect_by_email_token(token, controller_example_group)
post_redirect = PostRedirect.find_by_email_token(token)
@@ -178,7 +179,7 @@ class ApplicationController < ActionController::Base
end
def foi_fragment_cache_path(param)
- path = File.join(RAILS_ROOT, 'cache', 'views', foi_fragment_cache_part_path(param))
+ path = File.join(Rails.root, 'cache', 'views', foi_fragment_cache_part_path(param))
max_file_length = 255 - 35 # we subtract 35 because tempfile
# adds on a variable number of
# characters
@@ -224,15 +225,15 @@ class ApplicationController < ActionController::Base
post_redirect = PostRedirect.new(:uri => request.request_uri, :post_params => params,
:reason_params => reason_params)
post_redirect.save!
- # 'modal' controls whether the sign-in form will be displayed in the typical full-blown
- # page or on its own, useful for pop-ups
+ # 'modal' controls whether the sign-in form will be displayed in the typical full-blown
+ # page or on its own, useful for pop-ups
redirect_to signin_url(:token => post_redirect.token, :modal => params[:modal])
return false
end
return true
end
- def authenticated_as_user?(user, reason_params)
+ def authenticated_as_user?(user, reason_params)
reason_params[:user_name] = user.name
reason_params[:user_url] = show_user_url(:url_name => user.url_name)
if session[:user_id]
@@ -274,6 +275,8 @@ class ApplicationController < ActionController::Base
# XXX what is the built in Ruby URI munging function that can do this
# choice of & vs. ? more elegantly than this dumb if statement?
if uri.include?("?")
+ # XXX This looks odd. What would a fragment identifier be doing server-side?
+ # But it also looks harmless, so I’ll leave it just in case.
if uri.include?("#")
uri.sub!("#", "&post_redirect=1#")
else
@@ -294,6 +297,7 @@ class ApplicationController < ActionController::Base
if params[:post_redirect] and session[:post_redirect_token]
post_redirect = PostRedirect.find_by_token(session[:post_redirect_token])
params.update(post_redirect.post_params)
+ params[:post_redirect_user] = post_redirect.user
end
end
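Review bot: Writing `post_redirect.user` into `params[:post_redirect_user]` mixes a server-resolved object into the client-supplied parameter hash, and the consumer in request_controller.rb (`if params[:post_redirect_user]` in the new-request hunk) cannot tell the two apart. A request that carries its own post_redirect_user parameter reaches that branch with a String or Hash instead of a User; whether that is rejected depends on how InfoRequest#user= treats a non-model value, which I cannot see here. Carrying it in an instance variable keeps it out of params entirely: `@post_redirect_user = post_redirect.user` here and `@info_request.user = @post_redirect_user || authenticated_user` there, assuming this code runs as a filter on the same controller instance, which the `params.update` on the line above already relies on. The enclosing method starts and ends outside the hunk.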
@@ -540,16 +544,6 @@ class ApplicationController < ActionController::Base
return country
end
- def quietly_try_to_open(url)
- begin
- result = open(url).read.strip
- rescue OpenURI::HTTPError, SocketError, Errno::ETIMEDOUT, Errno::ECONNREFUSED, Errno::EHOSTUNREACH
- logger.warn("Unable to open third-party URL #{url}")
- result = ""
- end
- return result
- end
-
# URL generating functions are needed by all controllers (for redirects),
# views (for links) and mailers (for use in emails), so include them into
# all of all.
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 313a57d7d..36edab9fa 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
# app/controllers/request_controller.rb:
# Show information about one particular request.
#
@@ -137,6 +138,8 @@ class RequestController < ApplicationController
@per_page = 25
@page = (params[:page] || "1").to_i
@info_request = InfoRequest.find_by_url_title(params[:url_title])
+ raise ActiveRecord::RecordNotFound.new("Request not found") if @info_request.nil?
+
if !@info_request.user_can_view?(authenticated_user)
render :template => 'request/hidden', :status => 410 # gone
return
@@ -146,7 +149,7 @@ class RequestController < ApplicationController
if (@page > 1)
@page_desc = " (page " + @page.to_s + ")"
- else
+ else
@page_desc = ""
end
end
@@ -168,7 +171,7 @@ class RequestController < ApplicationController
query = make_query_from_params
@title = _("View and search requests")
sortby = "newest"
- @cache_tag = Digest::MD5.hexdigest(query + @page.to_s)
+ @cache_tag = Digest::MD5.hexdigest(query + @page.to_s + I18n.locale.to_s)
behavior_cache :tag => [@cache_tag] do
xapian_object = perform_search([InfoRequestEvent], query, sortby, 'request_collapse')
@list_results = xapian_object.results.map { |r| r[:model] }
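Review bot: The cache tag is an MD5 of three values concatenated with no separator, so `query + @page.to_s + I18n.locale.to_s` yields the same digest for query "x1" on page 2 as for query "x" on page 12, and behavior_cache would serve one search's results for the other. The ambiguity between query and page predates this change, but the line is being edited anyway; length-prefixing the free-text part removes it: `@cache_tag = Digest::MD5.hexdigest([query.length, query, @page, I18n.locale].join(":"))`. The enclosing action starts and ends outside the hunk.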
@@ -344,7 +347,13 @@ class RequestController < ApplicationController
return
end
- @info_request.user = authenticated_user
+ if params[:post_redirect_user]
+ # If an admin has clicked the confirmation link on a users behalf,
+ # we don’t want to reassign the request to the administrator.
+ @info_request.user = params[:post_redirect_user]
+ else
+ @info_request.user = authenticated_user
+ end
# This automatically saves dependent objects, such as @outgoing_message, in the same transaction
@info_request.save!
# XXX send_message needs the database id, so we send after saving, which isn't ideal if the request broke here.
@@ -682,7 +691,7 @@ class RequestController < ApplicationController
# we don't use @attachment.content_type here, as we want same mime type when cached in cache_attachments above
response.content_type = AlaveteliFileTypes.filename_to_mimetype(params[:file_name].join("/")) || 'application/octet-stream'
-
+ headers["Content-Disposition"] = "attachment; filename=#{params[:file_name]}"
render :text => @attachment.body
end
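Review bot: The new Content-Disposition header interpolates `params[:file_name]` directly, which the line above treats as an Array (`params[:file_name].join("/")`), so the header carries the array's string form rather than a file name, and the value is neither quoted nor stripped of characters that terminate a header parameter. Use the same joined value and quote it, dropping double quotes and line breaks from the user-supplied text: `safe_name = params[:file_name].join("/").gsub(/["\r\n]/, "")` and then `headers["Content-Disposition"] = "attachment; filename=\"#{safe_name}\""`. How Array#to_s renders inside the interpolation depends on the Ruby version, which I cannot see here. The enclosing action starts outside the hunk.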
@@ -837,7 +846,7 @@ class RequestController < ApplicationController
logger.error("Could not convert info request #{info_request.id} to PDF with command '#{convert_command} #{url} #{tempfile.path}'")
end
tempfile.close
- else
+ else
logger.warn("No HTML -> PDF converter found at #{convert_command}")
end
if !done
diff --git a/app/controllers/track_controller.rb b/app/controllers/track_controller.rb
index d858ab233..312cedc6c 100644
--- a/app/controllers/track_controller.rb
+++ b/app/controllers/track_controller.rb
@@ -50,11 +50,15 @@ class TrackController < ApplicationController
raise ActiveRecord::RecordNotFound.new("None found") if @public_body.nil?
# If found by historic name, or alternate locale name, redirect to new name
if @public_body.url_name != params[:url_name]
- redirect_to track_public_body_url(:url_name => @public_body.url_name, :feed => params[:feed])
+ redirect_to track_public_body_url(:url_name => @public_body.url_name, :feed => params[:feed], :event_type => params[:event_type])
return
end
- @track_thing = TrackThing.create_track_for_public_body(@public_body)
+ if params[:event_type]
+ @track_thing = TrackThing.create_track_for_public_body(@public_body, params[:event_type])
+ else
+ @track_thing = TrackThing.create_track_for_public_body(@public_body)
+ end
return atom_feed_internal if params[:feed] == 'feed'
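Review bot: Nothing in this hunk constrains `params[:event_type]` before it is passed to `TrackThing.create_track_for_public_body` and echoed into the redirect URL; if that method does not check the value against the known event types, an arbitrary string becomes the track's event type, so it is worth confirming where that validation lives and noting it in a comment here. The `if params[:event_type]` branch duplicates the call; if the method's second parameter defaults to the same value the else branch gets, the two lines collapse to `@track_thing = TrackThing.create_track_for_public_body(@public_body, params[:event_type])`, which I cannot confirm from here. The enclosing action starts and ends outside the hunk.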
@@ -94,7 +98,23 @@ class TrackController < ApplicationController
return atom_feed_internal if params[:feed] == 'feed'
if self.track_set
- redirect_to search_url(@query)
+ if @query.scan("variety").length == 1
+ # we're making a track for a simple filter, for which
+ # there's an expression in the UI (rather than relying
+ # on index:value strings in the query)
+ if @query =~ /variety:user/
+ postfix = "users"
+ @query.sub!("variety:user", "")
+ elsif @query =~ /variety:authority/
+ postfix = "bodies"
+ @query.sub!("variety:authority", "")
+ elsif @query =~ /variety:sent/
+ postfix = "requests"
+ @query.sub!("variety:sent", "")
+ end
+ @query.strip!
+ end
+ redirect_to search_url([@query, postfix])
end
end
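Review bot: The redirect at the end always passes `[@query, postfix]`, but postfix is only assigned when exactly one "variety" occurs and it is one of the three recognised filters; for any other query it is nil, so the previous `search_url(@query)` call is replaced by `search_url([@query, nil])`, which this hunk does not show to be equivalent. The `scan("variety")` count also matches the word anywhere in the free text, not just the filter prefix, though that only affects whether the stripping runs. A small lookup table replaces the three near-identical branches and keeps the plain redirect for the unrecognised case; sketch below. The enclosing action starts outside the hunk.
```ruby
if self.track_set
  postfix = nil
  if @query.scan("variety").length == 1
    # we're making a track for a simple filter, for which
    # there's an expression in the UI (rather than relying
    # on index:value strings in the query)
    filters = { "variety:user" => "users", "variety:authority" => "bodies", "variety:sent" => "requests" }
    filter, postfix = filters.find { |f, _| @query.include?(f) }
    @query.sub!(filter, "") if filter
    @query.strip!
  end
  # no recognised filter: keep the pre-existing plain search redirect
  redirect_to(postfix ? search_url([@query, postfix]) : search_url(@query))
end
```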
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 403cb9684..08726183e 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -182,7 +182,7 @@ class UserController < ApplicationController
return
end
- if !User.stay_logged_in_on_redirect?(@user)
+ if !User.stay_logged_in_on_redirect?(@user) || post_redirect.circumstance == "login_as"
@user = post_redirect.user
@user.email_confirmed = true
@user.save!