2 files changed, 14 insertions, 8 deletions

diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index c732a4b32..2c95114e6 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -743,6 +743,12 @@ class RequestController < ApplicationController
     end
 
     def get_attachment_as_html
+
+        # The conversion process can generate files in the cache directory that can be served up
+        # directly by the webserver according to httpd.conf, so don't allow it unless that's OK.
+        if @files_can_be_cached != true
+            raise ActiveRecord::RecordNotFound.new("Attachment HTML not found.")
+        end
         get_attachment_internal(true)
 
         # images made during conversion (e.g. images in PDF files) are put in the cache directory, so
diff --git a/app/views/request/_bubble.rhtml b/app/views/request/_bubble.rhtml
index 331c2163e..747e2aa1f 100644
--- a/app/views/request/_bubble.rhtml
+++ b/app/views/request/_bubble.rhtml
@@ -1,16 +1,16 @@
     <div class="correspondence_text">
         <%  if not attachments.nil? and attachments.size > 0 %>
-            <div class="attachments"> 
+            <div class="attachments">
                 <hr class="top">
                 <% attachments.each do |a| %>
                     <p class="attachment">
-                        <% 
+                        <%
                             attachment_url = get_attachment_url(:id => incoming_message.info_request_id,
-                                    :incoming_message_id => incoming_message.id, :part => a.url_part_number, 
-                                    :file_name => a.display_filename) 
+                                    :incoming_message_id => incoming_message.id, :part => a.url_part_number,
+                                    :file_name => a.display_filename)
                             attachment_as_html_url = get_attachment_as_html_url(:id => incoming_message.info_request_id,
-                                    :incoming_message_id => incoming_message.id, :part => a.url_part_number, 
-                                    :file_name => a.display_filename + '.html') 
+                                    :incoming_message_id => incoming_message.id, :part => a.url_part_number,
+                                    :file_name => a.display_filename + '.html')
                         %>
                         <% img_filename = "icon_" + a.content_type.sub('/', '_') + "_large.png"
                         full_filename = File.expand_path(File.join(File.dirname(__FILE__), "../../../public/images", img_filename))
@@ -23,9 +23,9 @@
                         <br>
                         <%= a.display_size %>
                         <%= link_to "Download", attachment_url %>
-                        <% if a.has_body_as_html? %>
+                        <% if a.has_body_as_html? && incoming_message.info_request.all_can_view? %>
                             <%= link_to "View as HTML", attachment_as_html_url %>
-                        <% end %> 
+                        <% end %>
                         <!-- (<%= a.content_type %>) -->
                         <%= a.extra_note %>
                     </p>