Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/admin_controller.rb | 6 | ||||
-rw-r--r-- | app/controllers/application_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/comment_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/request_controller.rb | 3 | ||||
-rw-r--r-- | app/controllers/track_controller.rb | 8 | ||||
-rw-r--r-- | app/controllers/user_controller.rb | 35 | ||||
-rw-r--r-- | app/models/about_me_validator.rb | 2 | ||||
-rw-r--r-- | app/models/change_email_validator.rb | 22 | ||||
-rw-r--r-- | app/models/comment.rb | 4 | ||||
-rw-r--r-- | app/models/contact_validator.rb | 18 | ||||
-rw-r--r-- | app/models/info_request.rb | 10 | ||||
-rw-r--r-- | app/models/outgoing_message.rb | 12 | ||||
-rw-r--r-- | app/models/profile_photo.rb | 8 | ||||
-rw-r--r-- | app/models/public_body.rb | 10 | ||||
-rw-r--r-- | app/models/user.rb | 14 |
15 files changed, 87 insertions, 68 deletions
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 4734146a8..004d460c5 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -11,6 +11,12 @@ require 'fileutils'
 class AdminController < ApplicationController
 layout "admin"
 before_filter :assign_http_auth_user
+ protect_from_forgery # See ActionController::RequestForgeryProtection for details
+
+ # action to take if expecting an authenticity token and one isn't received
+ def handle_unverified_request
+ raise(ActionController::InvalidAuthenticityToken)
+ end
 # Always give full stack trace for admin interface
 def local_request?
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 5420499f6..9382e077f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -12,6 +12,8 @@ class ApplicationController < ActionController::Base
 # Standard headers, footers and navigation for whole site
 layout "default"
+ # set locale
+ before_filter :set_gettext_locale
 # scrub sensitive parameters from the logs
 filter_parameter_logging :password
diff --git a/app/controllers/comment_controller.rb b/app/controllers/comment_controller.rb
index d5f8f89fb..4a0661f34 100644
--- a/app/controllers/comment_controller.rb
+++ b/app/controllers/comment_controller.rb
@@ -8,6 +8,7 @@ class CommentController < ApplicationController
 before_filter :check_read_only, :only => [ :new ]
+ protect_from_forgery :only => [ :new ]
 def new
 if params[:type] == 'request'
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 545a40cfe..36fbc2b11 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
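Review bot: The raising `handle_unverified_request` override lives only in AdminController, so the other controllers that turn on `protect_from_forgery` in this commit (comment, request, track, user) fall back to the framework's default handling of a missing or wrong token; in the Rails releases that introduced this hook the default implementation resets the session rather than raising, which makes forged requests fail quietly instead of showing up as exceptions — worth confirming against the Rails version in use. If loud failure is wanted everywhere, move the override into ApplicationController (the application_controller hunk on this same line already touches that class) with a comment such as `# Raise on a bad authenticity token so forged requests surface as errors instead of silently resetting the session`. If the admin-only placement is deliberate, say so in the comment above the method so the next reader does not "fix" it.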
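Review bot: `protect_from_forgery :only => [ :new ]` in CommentController enables the check by allow-list, and the request_controller.rb and user_controller.rb hunks follow the same pattern, so any state-changing action not named in those lists — and any action added later — stays unprotected by default. The safer shape is to declare `protect_from_forgery # See ActionController::RequestForgeryProtection for details` once in ApplicationController and opt out only where a token genuinely cannot be supplied with `skip_before_filter :verify_authenticity_token, :only => [ ... ]`, so the default is protected and the exceptions are the lines a reviewer reads. If the per-controller lists are kept, a comment next to each one stating why the unlisted actions need no token would make the omission auditable.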
@@ -7,7 +7,8 @@ # $Id: request_controller.rb,v 1.192 2009-10-19 19:26:40 francis Exp $ class RequestController < ApplicationController - before_filter :check_read_only, :only => [ :new, :show_response, :describe_state ] + before_filter :check_read_only, :only => [ :new, :show_response, :describe_state, :upload_response ] + protect_from_forgery :only => [ :new, :show_response, :describe_state, :upload_response ] # See ActionController::RequestForgeryProtection for details def show # Look up by old style numeric identifiers diff --git a/app/controllers/track_controller.rb b/app/controllers/track_controller.rb index 89fc74706..e262db099 100644 --- a/app/controllers/track_controller.rb +++ b/app/controllers/track_controller.rb @@ -9,6 +9,8 @@ class TrackController < ApplicationController + protect_from_forgery # See ActionController::RequestForgeryProtection for details + # Track all updates to a particular request def track_request @info_request = InfoRequest.find_by_url_title(params[:url_title]) @@ -106,7 +108,7 @@ class TrackController < ApplicationController flash[:notice] = "You will now be emailed updates about " + @track_thing.params[:list_description] return true - end + end # Old-Style atom track. We're phasing this out, so for now issue a # 301 Redirect. Most aggregators should honour this, but we should @@ -122,7 +124,7 @@ class TrackController < ApplicationController end def atom_feed_internal - @xapian_object = perform_search([InfoRequestEvent], @track_thing.track_query, @track_thing.params[:feed_sortby], nil, 25, 1) + @xapian_object = perform_search([InfoRequestEvent], @track_thing.track_query, @track_thing.params[:feed_sortby], nil, 25, 1) respond_to do |format| format.atom { render :template => 'track/atom_feed' } format.json { render :json => @xapian_object.results.map { |r| r[:model].json_for_api(true, @@ -187,4 +189,4 @@ class TrackController < ApplicationController end - + 
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb index 87152b7ca..49e46b6fa 100644 --- a/app/controllers/user_controller.rb +++ b/app/controllers/user_controller.rb @@ -7,10 +7,17 @@ # $Id: user_controller.rb,v 1.71 2009-09-17 07:51:47 francis Exp $ class UserController < ApplicationController + + protect_from_forgery :only => [ :contact, + :set_profile_photo, + :signchangeemail, + :clear_profile_photo, + :set_profile_about_me ] # See ActionController::RequestForgeryProtection for details + # Show page about a user def show if MySociety::Format.simplify_url_part(params[:url_name], 'user', 32) != params[:url_name] - redirect_to :url_name => MySociety::Format.simplify_url_part(params[:url_name], 'user', 32), :status => :moved_permanently + redirect_to :url_name => MySociety::Format.simplify_url_part(params[:url_name], 'user', 32), :status => :moved_permanently return end @@ -29,8 +36,8 @@ class UserController < ApplicationController @xapian_comments = perform_search([InfoRequestEvent], 'commented_by:' + @display_user.url_name, 'newest', nil) if (@page > 1) - @page_desc = " (page " + @page.to_s + ")" - else + @page_desc = " (page " + @page.to_s + ")" + else @page_desc = "" end rescue @@ -50,7 +57,7 @@ class UserController < ApplicationController # Requests you need to describe if @is_you - @undescribed_requests = @display_user.get_undescribed_requests + @undescribed_requests = @display_user.get_undescribed_requests end respond_to do |format| 
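Review bot: The `:only` list covers five profile and contact actions, but the sign-in handling visible in the later hunk of this file (the branch on `params[:user_signin]` that calls `User.authenticate_from_form`) and the signup branch (`@user_signup.save!`) are not in it; their `def` lines fall outside the hunks, so this is inferred from the bodies alone. A login or signup form that accepts a POST without an authenticity token is exposed to login CSRF, where a victim's browser is made to submit credentials chosen by a third party and the victim then acts in a session they did not open. Unless those actions are deliberately exempt, add them to the list, or protect the whole controller and skip only the actions that cannot carry a token; either way, leave a comment on the list explaining which actions are excluded and why.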
@@ -81,16 +88,16 @@ class UserController < ApplicationController redirect_to signin_url(:r => params[:r], :again => nil) return end - - if not params[:user_signin] + + if not params[:user_signin] # First time page is shown - render :action => 'sign' + render :action => 'sign' return else @user_signin = User.authenticate_from_form(params[:user_signin], @post_redirect.reason_params[:user_name] ? true : false) if @user_signin.errors.size > 0 # Failed to authenticate - render :action => 'sign' + render :action => 'sign' return else # Successful login @@ -121,7 +128,7 @@ class UserController < ApplicationController if user_alreadyexists already_registered_mail user_alreadyexists return - else + else # New unconfirmed user @user_signup.email_confirmed = false @user_signup.save! @@ -224,7 +231,7 @@ class UserController < ApplicationController if params[:pretoken] and not params[:pretoken].empty? post_redirect = PostRedirect.find_by_token(params[:pretoken]) do_post_redirect post_redirect - else + else redirect_to user_url(@user) end end @@ -338,7 +345,7 @@ class UserController < ApplicationController { :message => "" + @recipient_user.name + ",\n\n\n\nYours,\n\n" + @user.name } ) end - + end # River of News: What's happening with your tracked things @@ -388,11 +395,11 @@ class UserController < ApplicationController elsif !params[:submitted_crop_profile_photo].nil? # crop the draft photo according to jquery parameters and set it as the users photo draft_profile_photo = ProfilePhoto.find(params[:draft_profile_photo_id]) - @profile_photo = ProfilePhoto.new(:data => draft_profile_photo.data, :draft => false, + @profile_photo = ProfilePhoto.new(:data => draft_profile_photo.data, :draft => false, :x => params[:x], :y => params[:y], :w => params[:w], :h => params[:h]) @user.set_profile_photo(@profile_photo) draft_profile_photo.destroy - + if !@user.get_about_me_for_html_display.empty? flash[:notice] = "Thank you for updating your profile photo" redirect_to user_url(@user) 
@@ -487,7 +494,7 @@ class UserController < ApplicationController def work_out_post_redirect # Redirect to front page later if nothing else specified if not params[:r] and not params[:token] - params[:r] = "/" + params[:r] = "/" end # The explicit "signin" link uses this to specify where to go back to if params[:r] diff --git a/app/models/about_me_validator.rb b/app/models/about_me_validator.rb index 7b59c1fcb..f7b88f7dd 100644 --- a/app/models/about_me_validator.rb +++ b/app/models/about_me_validator.rb @@ -21,7 +21,7 @@ class AboutMeValidator < ActiveRecord::BaseWithoutTable def validate if !self.about_me.blank? && self.about_me.size > 500 - errors.add(:about_me, "^Please keep it shorter than 500 characters") + errors.add(:about_me, N_("Please keep it shorter than 500 characters")) end end diff --git a/app/models/change_email_validator.rb b/app/models/change_email_validator.rb index f11153e0d..15d2cb624 100644 --- a/app/models/change_email_validator.rb +++ b/app/models/change_email_validator.rb @@ -3,9 +3,9 @@ # # Table name: change_email_validators # -# old_email :string -# new_email :string -# password :string +# old_email :string +# new_email :string +# password :string # # models/changeemail_validator.rb: 
@@ -25,27 +25,27 @@ class ChangeEmailValidator < ActiveRecord::BaseWithoutTable attr_accessor :logged_in_user - validates_presence_of :old_email, :message => "^Please enter your old email address" - validates_presence_of :new_email, :message => "^Please enter your new email address" - validates_presence_of :password, :message => "^Please enter your password" + validates_presence_of :old_email, :message => N_("Please enter your old email address") + validates_presence_of :new_email, :message => N_("Please enter your new email address") + validates_presence_of :password, :message => N_("Please enter your password") def validate if !self.old_email.blank? && !MySociety::Validate.is_valid_email(self.old_email) - errors.add(:old_email, "doesn't look like a valid address") + errors.add(:old_email, "Old email doesn't look like a valid address") end - if !errors[:old_email] + if !errors[:old_email] if self.old_email.downcase != self.logged_in_user.email.downcase - errors.add(:old_email, "address isn't the same as the address of the account you are logged in with") + errors.add(:old_email, "Old email address isn't the same as the address of the account you are logged in with") elsif !self.logged_in_user.has_this_password?(self.password) if !errors[:password] - errors.add(:password, "is not correct") + errors.add(:password, "Password is not correct") end end end if !self.new_email.blank? && !MySociety::Validate.is_valid_email(self.new_email) - errors.add(:new_email, "doesn't look like a valid address") + errors.add(:new_email, "New email doesn't look like a valid address") end end diff --git a/app/models/comment.rb b/app/models/comment.rb index 7aede1a48..3d69b1108 100644 --- a/app/models/comment.rb +++ b/app/models/comment.rb 
@@ -56,10 +56,10 @@ class Comment < ActiveRecord::Base # Check have edited comment def validate if self.body.empty? || self.body =~ /^\s+$/ - errors.add(:body, "^Please enter your annotation") + errors.add(:body, N_("Please enter your annotation")) end if !MySociety::Validate.uses_mixed_capitals(self.body) - errors.add(:body, '^Please write your annotation using a mixture of capital and lower case letters. This makes it easier for others to read.') + errors.add(:body, N_('Please write your annotation using a mixture of capital and lower case letters. This makes it easier for others to read.')) end end diff --git a/app/models/contact_validator.rb b/app/models/contact_validator.rb index 511fa1140..9d8c54095 100644 --- a/app/models/contact_validator.rb +++ b/app/models/contact_validator.rb @@ -3,10 +3,10 @@ # # Table name: contact_validators # -# name :string -# email :string -# subject :text -# message :text +# name :string +# email :string +# subject :text +# message :text # # models/contact_validator.rb: 
@@ -25,13 +25,13 @@ class ContactValidator < ActiveRecord::BaseWithoutTable column :subject, :text column :message, :text - validates_presence_of :name, :message => "^Please enter your name" - validates_presence_of :email, :message => "^Please enter your email address" - validates_presence_of :subject, :message => "^Please enter a subject" - validates_presence_of :message, :message => "^Please enter the message you want to send" + validates_presence_of :name, :message => N_("Please enter your name") + validates_presence_of :email, :message => N_("Please enter your email address") + validates_presence_of :subject, :message => N_("Please enter a subject") + validates_presence_of :message, :message => N_("Please enter the message you want to send") def validate - errors.add(:email, "doesn't look like a valid address") unless MySociety::Validate.is_valid_email(self.email) + errors.add(:email, "Email doesn't look like a valid address") unless MySociety::Validate.is_valid_email(self.email) end end diff --git a/app/models/info_request.rb b/app/models/info_request.rb index 23d7c78c3..3441a73f7 100644 --- a/app/models/info_request.rb +++ b/app/models/info_request.rb 
@@ -32,8 +32,8 @@ require File.join(File.dirname(__FILE__),'../../vendor/plugins/acts_as_xapian/li
 class InfoRequest < ActiveRecord::Base
 strip_attributes!
- validates_presence_of :title, :message => "^Please enter a summary of your request"
- validates_format_of :title, :with => /[a-zA-Z]/, :message => "^Please write a summary with some text in it", :if => Proc.new { |info_request| !info_request.title.nil? && !info_request.title.empty? }
+ validates_presence_of :title, :message => N_("Please enter a summary of your request")
+ validates_format_of :title, :with => /[a-zA-Z]/, :message => N_("Please write a summary with some text in it"), :if => Proc.new { |info_request| !info_request.title.nil? && !info_request.title.empty? }
 belongs_to :user
 #validates_presence_of :user_id # breaks during construction of new ones :(
@@ -95,13 +95,13 @@ class InfoRequest < ActiveRecord::Base # only check on create, so existing models with mixed case are allowed def validate_on_create if !self.title.nil? && !MySociety::Validate.uses_mixed_capitals(self.title, 10) - errors.add(:title, '^Please write the summary using a mixture of capital and lower case letters. This makes it easier for others to read.') + errors.add(:title, N_('Please write the summary using a mixture of capital and lower case letters. This makes it easier for others to read.')) end if !self.title.nil? && title.size > 200 - errors.add(:title, '^Please keep the summary short, like in the subject of an email. You can use a phrase, rather than a full sentence.') + errors.add(:title, N_('Please keep the summary short, like in the subject of an email. You can use a phrase, rather than a full sentence.')) end if !self.title.nil? && self.title =~ /^(FOI|Freedom of Information)\s*requests?$/i - errors.add(:title, '^Please describe more what the request is about in the subject. There is no need to say it is an FOI request, we add that on anyway.') + errors.add(:title, N_('Please describe more what the request is about in the subject. There is no need to say it is an FOI request, we add that on anyway.')) end end diff --git a/app/models/outgoing_message.rb b/app/models/outgoing_message.rb index aa782df5a..220f4f0a7 100644 --- a/app/models/outgoing_message.rb +++ b/app/models/outgoing_message.rb 
@@ -142,24 +142,24 @@ class OutgoingMessage < ActiveRecord::Base if self.body.empty? || self.body =~ /\A#{get_salutation}\s+#{get_signoff}/ || self.body =~ /#{get_internal_review_insert_here_note}/ if self.message_type == 'followup' if self.what_doing == 'internal_review' - errors.add(:body, "^Please give details explaining why you want a review") + errors.add(:body, _("Please give details explaining why you want a review")) else - errors.add(:body, "^Please enter your follow up message") + errors.add(:body, _("Please enter your follow up message")) end elsif - errors.add(:body, "^Please enter your letter requesting information") + errors.add(:body, _("Please enter your letter requesting information")) else raise "Message id #{self.id} has type '#{self.message_type}' which validate can't handle" end end if self.body =~ /#{get_signoff}\s*\Z/ms - errors.add(:body, '^Please sign at the bottom with your name, or alter the "' + get_signoff + '" signature') + errors.add(:body, _("Please sign at the bottom with your name, or alter the \"%{signoff}\" signature" % { :signoff => get_signoff })) end if !MySociety::Validate.uses_mixed_capitals(self.body) - errors.add(:body, '^Please write your message using a mixture of capital and lower case letters. This makes it easier for others to read.') + errors.add(:body, _('Please write your message using a mixture of capital and lower case letters. This makes it easier for others to read.')) end if self.what_doing.nil? || !['new_information', 'internal_review', 'normal_sort'].include?(self.what_doing) - errors.add(:what_doing_dummy, '^Please choose what sort of reply you are making.') + errors.add(:what_doing_dummy, _('Please choose what sort of reply you are making.')) end end diff --git a/app/models/profile_photo.rb b/app/models/profile_photo.rb index 576bffc2c..b15e3e4f4 100644 --- a/app/models/profile_photo.rb +++ b/app/models/profile_photo.rb 
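Review bot: In the sign-off message the `%` interpolation runs before `_()` receives the string, so the lookup key is the already-substituted text and will never match the msgid that extraction sees; translate first and interpolate the result: `errors.add(:body, _("Please sign at the bottom with your name, or alter the \"%{signoff}\" signature") % { :signoff => get_signoff })`. The profile_photo.rb hunk has the same ordering problem with `N_(...)` around the `%{cols}x%{rows}` message, where the marker wraps a computed string rather than the literal. This file also wraps its messages in `_()` at validation time while the other models in this commit use `N_()` and defer translation; whichever matches how errors are rendered, it is worth making the models consistent so the locale is resolved in one place.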
@@ -88,21 +88,21 @@ class ProfilePhoto < ActiveRecord::Base
 def validate
 if self.data.nil?
- errors.add(:data, "^Please choose a file containing your photo.")
+ errors.add(:data, N_("Please choose a file containing your photo."))
 return
 end
 if self.image.nil?
- errors.add(:data, "^Couldn't understand the image file that you uploaded. PNG, JPEG, GIF and many other common image file formats are supported.")
+ errors.add(:data, N_("Couldn't understand the image file that you uploaded. PNG, JPEG, GIF and many other common image file formats are supported."))
 return
 end
 if self.image.format != 'PNG'
- errors.add(:data, "^Failed to convert image to a PNG")
+ errors.add(:data, N_("Failed to convert image to a PNG"))
 end
 if !self.draft && (self.image.columns != WIDTH || self.image.rows != HEIGHT)
- errors.add(:data, "^Failed to convert image to the correct size: at #{self.image.columns}x#{self.image.rows}, need #{WIDTH}x#{HEIGHT}")
+ errors.add(:data, N_("Failed to convert image to the correct size: at %{cols}x%{rows}, need %{width}x%{height}" % { :cols => self.image.columns, :rows => self.image.rows, :width => WIDTH, :height => HEIGHT }))
 end
 if self.draft && self.user_id
diff --git a/app/models/public_body.rb b/app/models/public_body.rb
index de3ac3552..446ac2334 100644
--- a/app/models/public_body.rb
+++ b/app/models/public_body.rb
@@ -33,11 +33,11 @@ require 'set' class PublicBody < ActiveRecord::Base strip_attributes! - validates_presence_of :name - validates_presence_of :url_name + validates_presence_of :name, :message => N_("Name can't be blank") + validates_presence_of :url_name, :message => N_("URL name can't be blank") - validates_uniqueness_of :short_name, :if => Proc.new { |pb| pb.short_name != "" } - validates_uniqueness_of :name + validates_uniqueness_of :short_name, :message => N_("Short name is already taken"), :if => Proc.new { |pb| pb.short_name != "" } + validates_uniqueness_of :name, :message => N_("Name is already taken") has_many :info_requests, :order => 'created_at desc' has_many :track_things, :order => 'created_at desc' @@ -74,7 +74,7 @@ class PublicBody < ActiveRecord::Base # Request_email can be blank, meaning we don't have details if self.is_requestable? unless MySociety::Validate.is_valid_email(self.request_email) - errors.add(:request_email, "doesn't look like a valid email address") + errors.add(:request_email, "Request email doesn't look like a valid email address") end end end diff --git a/app/models/user.rb b/app/models/user.rb index 7f85a2c4f..2fd6d9dbe 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -31,11 +31,11 @@ require 'digest/sha1' class User < ActiveRecord::Base strip_attributes! - validates_presence_of :email, :message => "^Please enter your email address" + validates_presence_of :email, :message => N_("Please enter your email address") - validates_presence_of :name, :message => "^Please enter your name" + validates_presence_of :name, :message => N_("Please enter your name") - validates_presence_of :hashed_password, :message => "^Please enter a password" + validates_presence_of :hashed_password, :message => N_("Please enter a password") has_many :info_requests, :order => 'created_at desc' has_many :user_info_request_sent_alerts 
@@ -46,12 +46,12 @@ class User < ActiveRecord::Base has_many :censor_rules, :order => 'created_at desc' attr_accessor :password_confirmation, :no_xapian_reindex - validates_confirmation_of :password, :message =>"^Please enter the same password twice" + validates_confirmation_of :password, :message => N_("Please enter the same password twice") validates_inclusion_of :admin_level, :in => [ 'none', 'super', - ] + ], :message => N_('Admin level is not included in list') acts_as_xapian :texts => [ :name, :about_me ], :values => [ @@ -103,10 +103,10 @@ class User < ActiveRecord::Base def validate if self.email != "" && !MySociety::Validate.is_valid_email(self.email) - errors.add(:email, "^Please enter a valid email address") + errors.add(:email, N_("Please enter a valid email address")) end if MySociety::Validate.is_valid_email(self.name) - errors.add(:name, "^Please enter your name, not your email address, in the name field.") + errors.add(:name, N_("Please enter your name, not your email address, in the name field.")) end end |