4 files changed, 48 insertions, 21 deletions

diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb
index 8f023bf12..7d2ac2f35 100644
--- a/app/controllers/admin_request_controller.rb
+++ b/app/controllers/admin_request_controller.rb
@@ -4,9 +4,8 @@
 # Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
 # Email: hello@mysociety.org; WWW: http://www.mysociety.org/
 
-require 'ostruct'
-
 class AdminRequestController < AdminController
+
     def index
         list
         render :action => 'list'
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 4d3f40d40..a06fa7098 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -17,6 +17,9 @@ class ApplicationController < ActionController::Base
     # assign our own handler method for non-local exceptions
     rescue_from Exception, :with => :render_exception
 
+    # Add some security-related headers (see config/initializers/secure_headers.rb)
+    ensure_security_headers
+
     # Standard headers, footers and navigation for whole site
     layout "default"
     include FastGettext::Translation # make functions like _, n_, N_ etc available)
@@ -27,6 +30,8 @@ class ApplicationController < ActionController::Base
     before_filter :check_in_post_redirect
     before_filter :session_remember_me
     before_filter :set_vary_header
+    before_filter :validate_session_timestamp
+    after_filter  :persist_session_timestamp
 
     def set_vary_header
         response.headers['Vary'] = 'Cookie'
@@ -118,6 +123,29 @@ class ApplicationController < ActionController::Base
         end
     end
 
+    # Set a TTL for non "remember me" sessions so that the cookie
+    # is not replayable forever
+    SESSION_TTL = 3.hours
+    def validate_session_timestamp
+        if session[:user_id] && session.key?(:ttl) && session[:ttl] < SESSION_TTL.ago
+            clear_session_credentials
+            redirect_to signin_path
+        end
+    end
+
+    def persist_session_timestamp
+        session[:ttl] = Time.now if session[:user_id] && !session[:remember_me]
+    end
+
+    # Logout form
+    def clear_session_credentials
+        session[:user_id] = nil
+        session[:user_circumstance] = nil
+        session[:remember_me] = false
+        session[:using_admin] = nil
+        session[:admin_name] = nil
+    end
+
     def render_exception(exception)
         # In development or the admin interface let Rails handle the exception
         # with its stack trace templates
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 9e2c291dc..d529f8dbb 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -770,13 +770,14 @@ class RequestController < ApplicationController
         get_attachment_internal(false)
         return unless @attachment
 
-        # Prevent spam to magic request address. Note that the binary
-        # subsitution method used depends on the content type
-        @incoming_message.binary_mask_stuff!(@attachment.body, @attachment.content_type)
 
         # we don't use @attachment.content_type here, as we want same mime type when cached in cache_attachments above
         response.content_type = AlaveteliFileTypes.filename_to_mimetype(params[:file_name]) || 'application/octet-stream'
 
+        # Prevent spam to magic request address. Note that the binary
+        # subsitution method used depends on the content type
+        @incoming_message.apply_masks!(@attachment.body, @attachment.content_type)
+
         render :text => @attachment.body
     end
 
@@ -804,10 +805,9 @@ class RequestController < ApplicationController
                 :body_prefix => render_to_string(:partial => "request/view_html_prefix")
             }
         )
-
-        @incoming_message.html_mask_stuff!(html)
-
         response.content_type = 'text/html'
+        @incoming_message.apply_masks!(html, response.content_type)
+
         render :text => html
     end
 
@@ -900,10 +900,18 @@ class RequestController < ApplicationController
 
     # Type ahead search
     def search_typeahead
-        # Since acts_as_xapian doesn't support the Partial match flag, we work around it
-        # by making the last work a wildcard, which is quite the same
-        query = params[:q]
-        @xapian_requests = perform_search_typeahead(query, InfoRequestEvent)
+        # Since acts_as_xapian doesn't support the Partial match flag, we work
+        # around it by making the last word a wildcard, which is quite the same
+        @query = ''
+
+        if params.key?(:requested_from)
+            @query << "requested_from:#{ params[:requested_from] } "
+        end
+
+        @per_page = (params.fetch(:per_page) { 25 }).to_i
+
+        @query << params[:q]
+        @xapian_requests = perform_search_typeahead(@query, InfoRequestEvent, @per_page)
         render :partial => "request/search_ahead"
     end
 
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index baeaab18a..9798ff8e2 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -260,16 +260,8 @@ class UserController < ApplicationController
         do_post_redirect post_redirect
     end
 
-    # Logout form
-    def _do_signout
-        session[:user_id] = nil
-        session[:user_circumstance] = nil
-        session[:remember_me] = false
-        session[:using_admin] = nil
-        session[:admin_name] = nil
-    end
     def signout
-        self._do_signout
+        clear_session_credentials
         if params[:r]
             redirect_to params[:r]
         else