Diffstat (limited to 'app')
-rw-r--r--app/controllers/admin_user_controller.rb1
-rw-r--r--app/controllers/request_controller.rb2
-rw-r--r--app/controllers/track_controller.rb1
-rw-r--r--app/controllers/user_controller.rb8
-rw-r--r--app/models/incoming_message.rb6
-rw-r--r--app/models/user.rb23
-rw-r--r--app/views/user/rate_limited.rhtml6
7 files changed, 36 insertions, 11 deletions
diff --git a/app/controllers/admin_user_controller.rb b/app/controllers/admin_user_controller.rb
index 12b4e553f..b2c084739 100644
--- a/app/controllers/admin_user_controller.rb
+++ b/app/controllers/admin_user_controller.rb
@@ -77,6 +77,7 @@ class AdminUserController < AdminController
post_redirect = PostRedirect.new( :uri => main_url(user_url(@admin_user)), :user_id => @admin_user.id)
post_redirect.save!
url = main_url(confirm_url(:email_token => post_redirect.email_token, :only_path => true))
+ session[:user_id] = nil # Log out current (usually admin) user, so we get logged in as the other user
redirect_to url
end
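Review bot: `session[:user_id] = nil` clears only one key, so anything else the admin's session holds (for example `session[:user_circumstance]`, which the confirm action in `user_controller.rb` writes) carries over into the session that is about to become the other user's. If nothing in the session is needed for the redirect, `reset_session` before `redirect_to url` gives the impersonated login a clean session instead. It would also help to record which admin started the login-as-user action, unless that is already logged outside this hunk. The enclosing action starts outside the hunk.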
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 2295d6718..313a57d7d 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -220,6 +220,8 @@ class RequestController < ApplicationController
render :template => 'user/banned'
return
end
+ # User did exceed limit
+ @next_request_permitted_at = authenticated_user.next_request_permitted_at
end
# First time we get to the page, just display it
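Review bot: `next_request_permitted_at` can return nil (for `no_limit` users, or when fewer than the limit fall inside the window by the time its own query runs), and `rate_limited.rhtml` passes `@next_request_permitted_at` straight to `distance_of_time_in_words(Time.now, ...)`. The limit check and this second query are separate, so a request ageing out of the window between them would likely turn the rate-limit page into an error. The template should guard that sentence, e.g. `<% if @next_request_permitted_at %>`. The comment `# User did exceed limit` would read better as `# The user has exceeded the daily limit; work out when they may next make a request`. The enclosing block starts outside the hunk.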
diff --git a/app/controllers/track_controller.rb b/app/controllers/track_controller.rb
index e39a0489d..d858ab233 100644
--- a/app/controllers/track_controller.rb
+++ b/app/controllers/track_controller.rb
@@ -66,6 +66,7 @@ class TrackController < ApplicationController
# Track a user
def track_user
@track_user = User.find_by_url_name(params[:url_name])
+ raise ActiveRecord::RecordNotFound.new("No such user") if @track_user.nil?
@track_thing = TrackThing.create_track_for_user(@track_user)
return atom_feed_internal if params[:feed] == 'feed'
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index f49fc9165..403cb9684 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -182,9 +182,11 @@ class UserController < ApplicationController
return
end
- @user = post_redirect.user
- @user.email_confirmed = true
- @user.save!
+ if !User.stay_logged_in_on_redirect?(@user)
+ @user = post_redirect.user
+ @user.email_confirmed = true
+ @user.save!
+ end
session[:user_id] = @user.id
session[:user_circumstance] = post_redirect.circumstance
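Review bot: The guard `if !User.stay_logged_in_on_redirect?(@user)` reads `@user` before this action assigns it, so it relies on `@user` already holding the session's user, presumably set by a filter outside the hunk. That dependency deserves a comment such as `# @user is the currently logged-in user here, or nil`. When the guard keeps a super admin logged in, the code still falls through to `session[:user_circumstance] = post_redirect.circumstance` and whatever follows, so the other user's pending redirect appears to be carried out under the admin's own account. If that is not intended, return or redirect before touching the session. `unless User.stay_logged_in_on_redirect?(@user)` would also read more naturally than `if !`; the action starts and ends outside the hunk.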
diff --git a/app/models/incoming_message.rb b/app/models/incoming_message.rb
index 131970ba6..cbbcf5aa6 100644
--- a/app/models/incoming_message.rb
+++ b/app/models/incoming_message.rb
@@ -57,7 +57,7 @@ class IncomingMessage < ActiveRecord::Base
validates_presence_of :raw_email
has_many :outgoing_message_followups, :foreign_key => 'incoming_message_followup_id', :class_name => 'OutgoingMessage'
- has_many :foi_attachments
+ has_many :foi_attachments, :order => 'id'
has_many :info_request_events # never really has many, but could in theory
belongs_to :raw_email
@@ -773,12 +773,12 @@ class IncomingMessage < ActiveRecord::Base
# which is really messy.
ensure_parts_counted
attachments = []
- for leaf in leaves
+ for leaf in leaves
body = leaf.body
# As leaf.body causes MIME decoding which uses lots of RAM, do garbage collection here
# to prevent excess memory use. XXX not really sure if this helps reduce
# peak RAM use overall. Anyway, maybe there is something better to do than this.
- GC.start
+ GC.start
if leaf.within_rfc822_attachment
within_rfc822_subject = leaf.within_rfc822_attachment.subject
# Test to see if we are in the first part of the attached
diff --git a/app/models/user.rb b/app/models/user.rb
index 8c4b35fe6..59a84b7aa 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -61,7 +61,8 @@ class User < ActiveRecord::Base
:values => [
[ :created_at_numeric, 1, "created_at", :number ] # for sorting
],
- :terms => [ [ :variety, 'V', "variety" ] ]
+ :terms => [ [ :variety, 'V', "variety" ] ],
+ :if => :indexed_by_search?
def created_at_numeric
# format it here as no datetime support in Xapian's value ranges
return self.created_at.strftime("%Y%m%d%H%M%S")
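Review bot: `:if => :indexed_by_search?` points at a method added in the last hunk of this file with no comment explaining the rule. Add one there, e.g. `# Only users with a confirmed email address appear in the search index`. Entries for unconfirmed users that were indexed before this change presumably remain until those rows are re-saved or the index is rebuilt, so the deployment notes should call for a rebuild if they are meant to disappear.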
@@ -264,6 +265,12 @@ class User < ActiveRecord::Base
def User.view_hidden_requests?(user)
!user.nil? && user.admin_level == 'super'
end
+
+ # Should the user be kept logged into their own account
+ # if they follow a /c/ redirect link belonging to another user?
+ def User.stay_logged_in_on_redirect?(user)
+ !user.nil? && user.admin_level == 'super'
+ end
# Does the user get "(admin)" links on each page on the main site?
def admin_page_links?
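Review bot: `stay_logged_in_on_redirect?` repeats the body of `view_hidden_requests?` directly above it, so the definition of a super admin now lives in two places that drive authorization and session decisions. Moving the `admin_level == 'super'` test into one shared predicate (for example an instance method named `super?`) that both class methods call would keep them from drifting apart. The comment could also state the consequence for everyone else, e.g. `# All other users are switched to the account that owns the link`.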
@@ -288,6 +295,16 @@ class User < ActiveRecord::Base
return (recent_requests >= daily_limit)
end
+ def next_request_permitted_at
+ return nil if self.no_limit
+
+ daily_limit = MySociety::Config.get("MAX_REQUESTS_PER_USER_PER_DAY")
+ n_most_recent_requests = InfoRequest.all(:conditions => ["user_id = ? and created_at > now() - '1 day'::interval", self.id], :order => "created_at DESC", :limit => daily_limit)
+ return nil if n_most_recent_requests.size < daily_limit
+
+ nth_most_recent_request = n_most_recent_requests[-1]
+ return nth_most_recent_request.created_at + 1.day
+ end
def can_make_followup?
self.ban_text.empty?
end
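Review bot: `next_request_permitted_at` uses `daily_limit` unchecked: if `MAX_REQUESTS_PER_USER_PER_DAY` is unset or blank, `:limit => daily_limit` and `n_most_recent_requests.size < daily_limit` would misbehave or raise. Whether `exceeded_limit?` guards against this cannot be seen, because its start is outside the hunk; adding `return nil if daily_limit.blank?` after the config lookup would make this method safe on its own. The window is computed on the database clock with PostgreSQL-specific SQL (`now() - '1 day'::interval`), while the view compares the result with `Time.now`, so clock skew between application and database would show up in the message. The method also lacks a comment; suggested: `# Time at which the user may next make a request, or nil if they are not currently rate limited`.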
@@ -378,6 +395,10 @@ class User < ActiveRecord::Base
def should_be_emailed?
return (self.email_confirmed && self.email_bounced_at.nil?)
end
+
+ def indexed_by_search?
+ return self.email_confirmed
+ end
## Private instance methods
private
diff --git a/app/views/user/rate_limited.rhtml b/app/views/user/rate_limited.rhtml
index c1e8f360e..2a770d62e 100644
--- a/app/views/user/rate_limited.rhtml
+++ b/app/views/user/rate_limited.rhtml
@@ -2,11 +2,9 @@
<h1><%=@title%></h1>
-<p><%= _("There is a limit on the number of requests that you can make in any one day. You can make more requests tomorrow.")%></p>
+<p><%= _("You have hit the rate limit on new requests. Users are ordinarily limited to {{max_requests_per_user_per_day}} requests in any rolling 24-hour period. You will be able to make another request in {{can_make_another_request}}.", :max_requests_per_user_per_day => MySociety::Config.get("MAX_REQUESTS_PER_USER_PER_DAY"), :can_make_another_request => distance_of_time_in_words(Time.now, @next_request_permitted_at))%></p>
-<!-- Insert explanation of why we have a limit -->
-
-<p><%= _("If you need to make more requests than this, <a href='%s'>get in touch</a> and we’ll consider it.") % [help_contact_path] %></p>
+<p><%= _("There is a limit on the number of requests you can make in a day, because we don’t want public authorities to be bombarded with large numbers of inappropriate requests. If you feel you have a good reason to ask for the limit to be lifted in your case, please <a href='{{help_contact_path}}'>get in touch</a>.", :help_contact_path => help_contact_path) %></p>
<% if @info_request %>
<p><%= _("Here is the message you wrote, in case you would like to copy the text and save it for later.") %></p>