diff options
Diffstat (limited to 'config')
| -rw-r--r-- | config/brakeman.ignore | 63 | ||||
| -rw-r--r-- | config/brakeman.yml | 4 | ||||
| -rw-r--r-- | config/httpd.conf-example | 7 | ||||
| -rw-r--r-- | config/initializers/alaveteli.rb | 1 | ||||
| -rw-r--r-- | config/initializers/secure_headers.rb | 24 | ||||
| -rw-r--r-- | config/locales/rw.yml | 212 | ||||
| -rw-r--r-- | config/routes.rb | 174 |
7 files changed, 308 insertions, 177 deletions
diff --git a/config/brakeman.ignore b/config/brakeman.ignore new file mode 100644 index 000000000..391013a5a --- /dev/null +++ b/config/brakeman.ignore @@ -0,0 +1,63 @@ +{ + "ignored_warnings": [ + { + "location": { + "type": "method", + "method": "list_all_csv", + "class": "PublicBodyController" + }, + "file": "app/controllers/public_body_controller.rb", + "warning_code": 16, + "render_path": null, + "link": "http://brakemanscanner.org/docs/warning_types/file_access/", + "warning_type": "File Access", + "code": "File.open(Tempfile.new(\"all-authorities.csv\", File.join(InfoRequest.download_zip_dir, \"download\")).path, \"w\")", + "line": 211, + "confidence": "Weak", + "user_input": "InfoRequest.download_zip_dir", + "message": "Model attribute used in file name", + "fingerprint": "00ce9cdd1d2c3f220bae94cb854393b5072ee1da064ca7a3af693fe2867d51c8", + "note": "InfoRequest.download_zip_dir does not contain user input" + }, + { + "location": { + "type": "method", + "method": "list_all_csv", + "class": "PublicBodyController" + }, + "file": "app/controllers/public_body_controller.rb", + "warning_code": 16, + "render_path": null, + "link": "http://brakemanscanner.org/docs/warning_types/file_access/", + "warning_type": "File Access", + "code": "File.rename(Tempfile.new(\"all-authorities.csv\", File.join(InfoRequest.download_zip_dir, \"download\")).path, File.join(File.join(InfoRequest.download_zip_dir, \"download\"), \"all-authorities.csv\"))", + "line": 213, + "confidence": "Weak", + "user_input": "InfoRequest.download_zip_dir", + "message": "Model attribute used in file name", + "fingerprint": "6078628aa47451d597e211629d80dcea0fdc7600dc066cabf2c0a4b9e07a75cc", + "note": "InfoRequest.download_zip_dir does not contain user input" + }, + { + "location": { + "type": "method", + "method": "list_all_csv", + "class": "PublicBodyController" + }, + "file": "app/controllers/public_body_controller.rb", + "warning_code": 16, + "render_path": null, + "link": "http://brakemanscanner.org/docs/warning_types/file_access/", + "warning_type": "File Access", + "code": "FileUtils.mkdir_p(File.join(InfoRequest.download_zip_dir, \"download\"))", + "line": 194, + "confidence": "Weak", + "user_input": "InfoRequest.download_zip_dir", + "message": "Model attribute used in file name", + "fingerprint": "5ed20f867c17c814cfe117906161a26f37b986d694996c9fd0089d4f971dc1d0", + "note": "InfoRequest.download_zip_dir does not contain user input" + } + ], + "updated": "Thu Oct 02 10:43:19 +0000 2014", + "brakeman_version": "2.6.2" +} diff --git a/config/brakeman.yml b/config/brakeman.yml new file mode 100644 index 000000000..1f95903fd --- /dev/null +++ b/config/brakeman.yml @@ -0,0 +1,4 @@ +--- +:output_files: +- tmp/brakeman.html +- tmp/brakeman.json diff --git a/config/httpd.conf-example b/config/httpd.conf-example index e010ac22f..00722fbdf 100644 --- a/config/httpd.conf-example +++ b/config/httpd.conf-example @@ -34,7 +34,7 @@ # Passenger's default MaxPoolSize is 6. At the time of writing # normal instances of Alaveteli seem to take 150-200MB per # process, so we've set this conservatively at 3. Read the guides - # above to tune this for your system + # above to tune this for your system PassengerMaxPoolSize 3 # The RAILS_ENV that the app is running in. This can be any of @@ -97,6 +97,11 @@ # # The condition means that the rule will fire only if the cached # file exists. + # + # The second condition-rule pair handles the same transformation for + # files served from a non-default locale, 'cy'. You will need one + # set of rules for each non-default locale. + RewriteMap escape int:escape RewriteCond %{DOCUMENT_ROOT}/views_cache/request/$2/$1/${escape:$3} -f RewriteRule ^/request/((\d{1,3})\d*)/(response/\d+/attach/(html/)?\d+/.+) /views_cache/request/$2/$1/${escape:$3} [L] diff --git a/config/initializers/alaveteli.rb b/config/initializers/alaveteli.rb index 0db7155d7..9493d4a1e 100644 --- a/config/initializers/alaveteli.rb +++ b/config/initializers/alaveteli.rb @@ -56,6 +56,7 @@ require 'public_body_csv' require 'category_and_heading_migrator' require 'public_body_categories' require 'routing_filters' +require 'alaveteli_text_masker' AlaveteliLocalization.set_locales(AlaveteliConfiguration::available_locales, AlaveteliConfiguration::default_locale) diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb new file mode 100644 index 000000000..99730e6b2 --- /dev/null +++ b/config/initializers/secure_headers.rb @@ -0,0 +1,24 @@ +::SecureHeaders::Configuration.configure do |config| + + # https://tools.ietf.org/html/rfc6797 + if AlaveteliConfiguration::force_ssl + config.hsts = { :max_age => 20.years.to_i, :include_subdomains => true } + else + config.hsts = false + end + # https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02 + config.x_frame_options = "sameorigin" + + # http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx + config.x_content_type_options = "nosniff" + + # http://msdn.microsoft.com/en-us/library/dd565647%28v=vs.85%29.aspx + config.x_xss_protection = { :value => 1 } + + # https://w3c.github.io/webappsec/specs/content-security-policy/ + config.csp = false + + # https://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions + config.x_download_options = false +end + diff --git a/config/locales/rw.yml b/config/locales/rw.yml index 58422f264..caf72b604 100644 --- a/config/locales/rw.yml +++ b/config/locales/rw.yml @@ -10,138 +10,138 @@ rw: - Sat abbr_month_names: - - - Jan - - Feb - - Mar - - Apr - - May - - Jun - - Jul - - Aug - - Sep - - Oct - - Nov - - Dec + - Mutarama + - Gashyantare + - Werurwe + - Mata + - Gicurasi + - Kamena + - Nyakanga + - Kanama + - Nzeri + - Ukwakira + - Ugushyingo + - Ukuboza day_names: - - Sunday - - Monday - - Tuesday - - Wednesday - - Thursday - - Friday - - Saturday + - Ku cyumweru + - Kuwa mbere + - Kuwa kabiri + - Kuwa gatatu + - Kuwa kane + - Kuwa gatanu + - Kuwa gatandatu formats: default: ! '%Y-%m-%d' long: ! '%B %d, %Y' short: ! '%b %d' month_names: - - - January - - February - - March - - April - - May - - June - - July - - August - - September - - October - - November - - December + - Mutarama + - Gashyantare + - Werurwe + - Mata + - Gicurasi + - Kamena + - Nyakanga + - Kanama + - Nzeri + - Ukwakira + - Ugushyingo + - Ukuboza order: - - :year - - :month - - :day + - :umwaka + - :ukwezi + - :umunsi datetime: distance_in_words: about_x_hours: - one: about 1 hour - other: about %{count} hours + one: isaha ugereranyije + other: amasaha %{count} about_x_months: - one: about 1 month - other: about %{count} months + one: ukwezi ugereranyije + other: amezi %{count} about_x_years: - one: about 1 year - other: about %{count} years + one: umwaka ugereranyije + other: imyaka %{count} almost_x_years: - one: almost 1 year - other: almost %{count} years - half_a_minute: half a minute + one: umwaka ugereranyije + other: hafi y'imyaka %{count} + half_a_minute: igice cy'umunota less_than_x_minutes: - one: less than a minute - other: less than %{count} minutes + one: munsi y'umunota + other: munsi y'iminota %{count} less_than_x_seconds: - one: less than 1 second - other: less than %{count} seconds + one: munsi y'isegonda + other: munsi y'amasegonda %{count} over_x_years: - one: over 1 year - other: over %{count} years + one: hafi umwaka + other: imyaka %{count} x_days: - one: 1 day - other: ! '%{count} days' + one: umunsi umwe + other: ! 'iminsi %{count}' x_minutes: - one: 1 minute - other: ! '%{count} minutes' + one: umunota umwe + other: ! 'iminote %{count}' x_months: - one: 1 month - other: ! '%{count} months' + one: ukwezi kumwe + other: ! 'amazi %{count}' x_seconds: - one: 1 second - other: ! '%{count} seconds' + one: isegonda rimwe + other: ! 'amasegonda %{count}' prompts: - day: Day - hour: Hour - minute: Minute - month: Month - second: Seconds - year: Year + day: Umunsi + hour: Isaha + minute: Umunota + month: Ukwezi + second: Isegonda + year: Umwaka errors: format: ! '%{attribute} %{message}' messages: - accepted: must be accepted - blank: can't be blank - present: must be blank - confirmation: ! "doesn't match %{attribute}" - empty: can't be empty - equal_to: must be equal to %{count} - even: must be even + accepted: bigomba kwemerwa + blank: hagomba kuzuzwa + present: ntuhuzuze + confirmation: ! "ntibihura na %{attribute}" + empty: hagomba kuzuzwa + equal_to: bigomba kungana na%{count} + even: umubare ugomba kugabanyika na kabiri exclusion: is reserved - greater_than: must be greater than %{count} - greater_than_or_equal_to: must be greater than or equal to %{count} - inclusion: is not included in the list - invalid: is invalid - less_than: must be less than %{count} - less_than_or_equal_to: must be less than or equal to %{count} - not_a_number: is not a number - not_an_integer: must be an integer - odd: must be odd - record_invalid: ! 'Validation failed: %{errors}' + greater_than: bigomba kurenga %{count} + greater_than_or_equal_to: bigomba kurenga cyangwa kungana na %{count} + inclusion: ntibiri ku rutonde + invalid: sibyo + less_than: ntibirenge %{count} + less_than_or_equal_to: munsi cyangwa bingana na %{count} + not_a_number: si umubare + not_an_integer: hagomba kuba umubare + odd: hagomba kuba igiharwe + record_invalid: ! 'Kwemezwa byanze: %{errors}' restrict_dependent_destroy: - one: "Cannot delete record because a dependent %{record} exists" - many: "Cannot delete record because dependent %{record} exist" - taken: has already been taken + one: "Ntibyasibama kubera hari %{record} uwabyanditse" + many: "Ntibyasibama kubera hari %{record} uwabyanditse" + taken: byamaze gufatwa too_long: - one: is too long (maximum is 1 character) - other: is too long (maximum is %{count} characters) + one: Nturenze inyuguti imwe + other: Nturenze %{count} inyuguti too_short: - one: is too short (minimum is 1 character) - other: is too short (minimum is %{count} characters) + one: Byibura inyuguti imwe + other: Byibura %{count} inyuguti wrong_length: - one: is the wrong length (should be 1 character) - other: is the wrong length (should be %{count} characters) - other_than: "must be other than %{count}" + one: warengeje, inyuguti imwe gusa + other: warengeje, inyuguti %{count} gusa + other_than: "bitandukane na %{count}" template: - body: ! 'There were problems with the following fields:' + body: ! 'Havutse ibibazo kuri ibi bice:' header: - one: 1 error prohibited this %{model} from being saved - other: ! '%{count} errors prohibited this %{model} from being saved' + one: ikibazo kimwe cyatumye %{model} itinjizwa + other: ! 'ibibazo %{count} byatumye %{model} itinjizwa' helpers: select: - prompt: Please select + prompt: Hitamo submit: - create: Create %{model} - submit: Save %{model} - update: Update %{model} + create: Rema %{model} + submit: Bika %{model} + update: Hindura %{model} number: currency: format: @@ -162,10 +162,10 @@ rw: decimal_units: format: ! '%n %u' units: - billion: Billion - million: Million + billion: Tiriyari + million: Miriyoni quadrillion: Quadrillion - thousand: Thousand + thousand: ibihumbi trillion: Trillion unit: '' format: @@ -187,13 +187,13 @@ rw: format: delimiter: '' format: "%n%" - precision: - format: - delimiter: '' + precision: + format: + delimiter: '' support: array: - last_word_connector: ! ', and ' - two_words_connector: ! ' and ' + last_word_connector: ! ', na ' + two_words_connector: ! ' na ' words_connector: ! ', ' time: am: am @@ -201,4 +201,4 @@ rw: default: ! '%a, %d %b %Y %H:%M:%S %z' long: ! '%B %d, %Y %H:%M' short: ! '%d %b %H:%M' - pm: pm + pm: nyuma ya saa sita diff --git a/config/routes.rb b/config/routes.rb index 4b2eb5695..c975d6007 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -169,17 +169,15 @@ Alaveteli::Application.routes.draw do #### #### AdminPublicBody controller - match '/admin/missing_scheme' => 'admin_public_body#missing_scheme', :as => :admin_body_missing - match '/admin/body' => 'admin_public_body#index', :as => :admin_body_index - match '/admin/body/list' => 'admin_public_body#list', :as => :admin_body_list - match '/admin/body/show/:id' => 'admin_public_body#show', :as => :admin_body_show - match '/admin/body/new' => 'admin_public_body#new', :as => :admin_body_new - match '/admin/body/edit/:id' => 'admin_public_body#edit', :as => :admin_body_edit - match '/admin/body/update/:id' => 'admin_public_body#update', :as => :admin_body_update - match '/admin/body/create' => 'admin_public_body#create', :as => :admin_body_create - match '/admin/body/destroy/:id' => 'admin_public_body#destroy', :as => :admin_body_destroy - match '/admin/body/import_csv' => 'admin_public_body#import_csv', :as => :admin_body_import_csv - match '/admin/body/mass_tag_add' => 'admin_public_body#mass_tag_add', :as => :admin_body_mass_tag_add + scope '/admin', :as => 'admin' do + resources :bodies, + :controller => 'admin_public_body' do + get 'missing_scheme', :on => :collection + post 'mass_tag_add', :on => :collection + get 'import_csv', :on => :collection + post 'import_csv', :on => :collection + end + end #### #### AdminPublicBodyCategory controller @@ -200,9 +198,27 @@ Alaveteli::Application.routes.draw do end #### + #### AdminHoliday controller + scope '/admin', :as => 'admin' do + resources :holidays, + :controller => 'admin_holidays' + end + #### + + #### AdminHolidayImports controller + scope '/admin', :as => 'admin' do + resources :holiday_imports, + :controller => 'admin_holiday_imports', + :only => [:new, :create] + end + #### + #### AdminPublicBodyChangeRequest controller - match '/admin/change_request/edit/:id' => 'admin_public_body_change_requests#edit', :as => :admin_change_request_edit - match '/admin/change_request/update/:id' => 'admin_public_body_change_requests#update', :as => :admin_change_request_update + scope '/admin', :as => 'admin' do + resources :change_requests, + :controller => 'admin_public_body_change_requests', + :only => [:edit, :update] + end #### #### AdminGeneral controller @@ -213,81 +229,99 @@ Alaveteli::Application.routes.draw do #### #### AdminRequest controller - match '/admin/request' => 'admin_request#index', :as => :admin_request_index - match '/admin/request/list' => 'admin_request#list', :as => :admin_request_list - match '/admin/request/show/:id' => 'admin_request#show', :as => :admin_request_show - match '/admin/request/resend' => 'admin_request#resend', :as => :admin_request_resend - match '/admin/request/edit/:id' => 'admin_request#edit', :as => :admin_request_edit - match '/admin/request/update/:id' => 'admin_request#update', :as => :admin_request_update - match '/admin/request/destroy/:id' => 'admin_request#fully_destroy', :as => :admin_request_destroy - match '/admin/request/edit_comment/:id' => 'admin_request#edit_comment', :as => :admin_request_edit_comment - match '/admin/request/update_comment/:id' => 'admin_request#update_comment', :as => :admin_request_update_comment - match '/admin/request/move_request' => 'admin_request#move_request', :as => :admin_request_move_request - match '/admin/request/generate_upload_url/:id' => 'admin_request#generate_upload_url', :as => :admin_request_generate_upload_url - match '/admin/request/show_raw_email/:id' => 'admin_request#show_raw_email', :as => :admin_request_show_raw_email - match '/admin/request/download_raw_email/:id' => 'admin_request#download_raw_email', :as => :admin_request_download_raw_email - match '/admin/request/mark_event_as_clarification' => 'admin_request#mark_event_as_clarification', :as => :admin_request_clarification - match '/admin/request/hide/:id' => 'admin_request#hide_request', :as => :admin_request_hide - #### + scope '/admin', :as => 'admin' do + resources :requests, + :controller => 'admin_request', + :except => [:new, :create] do + post 'move', :on => :member + post 'generate_upload_url', :on => :member + post 'hide', :on => :member + resources :censor_rules, + :controller => 'admin_censor_rule', + :only => [:new, :create], + :name_prefix => 'request_' - #### AdminIncomingMessage controller - match '/admin/incoming/destroy' => 'admin_incoming_message#destroy', :as => :admin_incoming_destroy - match '/admin/incoming/redeliver' => 'admin_incoming_message#redeliver', :as => :admin_incoming_redeliver - match '/admin/incoming/edit/:id' => 'admin_incoming_message#edit', :as => :admin_incoming_edit - match '/admin/incoming/update/:id' => 'admin_incoming_message#update', :as => :admin_incoming_update + end + end #### - #### AdminOutgoingMessage controller - match '/admin/outgoing/edit/:id' => 'admin_outgoing_message#edit', :as => :admin_outgoing_edit - match '/admin/outgoing/destroy/:id' => 'admin_outgoing_message#destroy', :as => :admin_outgoing_destroy - match '/admin/outgoing/update/:id' => 'admin_outgoing_message#update', :as => :admin_outgoing_update + #### AdminComment controller + scope '/admin', :as => 'admin' do + resources :comments, + :controller => 'admin_comment', + :only => [:edit, :update] + end #### - #### AdminUser controller - match '/admin/user' => 'admin_user#index', :as => :admin_user_index - match '/admin/user/list' => 'admin_user#list', :as => :admin_user_list - match '/admin/user/banned' => 'admin_user#list_banned', :as => :admin_user_list_banned - match '/admin/user/show/:id' => 'admin_user#show', :as => :admin_user_show - match '/admin/user/edit/:id' => 'admin_user#edit', :as => :admin_user_edit - match '/admin/user/show_bounce_message/:id' => 'admin_user#show_bounce_message', :as => :admin_user_show_bounce - match '/admin/user/update/:id' => 'admin_user#update', :as => :admin_user_update - match '/admin/user/clear_bounce/:id' => 'admin_user#clear_bounce', :as => :admin_user_clear_bounce - match '/admin/user/destroy_track' => 'admin_user#destroy_track', :as => :admin_user_destroy_track - match '/admin/user/login_as/:id' => 'admin_user#login_as', :as => :admin_user_login_as - match '/admin/user/clear_profile_photo/:id' => 'admin_user#clear_profile_photo', :as => :admin_clear_profile_photo - match '/admin/user/modify_comment_visibility/:id' => 'admin_user#modify_comment_visibility', :as => 'admin_user_modify_comment_visibility' + #### AdminRawEmail controller + scope '/admin', :as => 'admin' do + resources :raw_emails, + :controller => 'admin_raw_email', + :only => [:show] + end #### - #### AdminTrack controller - match '/admin/track/list' => 'admin_track#list', :as => :admin_track_list - #### + #### AdminInfoRequestEvent controller + scope '/admin', :as => 'admin' do + resources :info_request_events, + :controller => 'admin_info_request_event', + :only => [:update] + end - #### AdminCensorRule controller - match '/admin/censor/new' => 'admin_censor_rule#new', :as => :admin_rule_new - match '/admin/censor/create' => 'admin_censor_rule#create', :as => :admin_rule_create - match '/admin/censor/edit/:id' => 'admin_censor_rule#edit', :as => :admin_rule_edit - match '/admin/censor/update/:id' => 'admin_censor_rule#update', :as => :admin_rule_update - match '/admin/censor/destroy/:censor_rule_id' => 'admin_censor_rule#destroy', :as => :admin_rule_destroy + #### AdminIncomingMessage controller + scope '/admin', :as => 'admin' do + resources :incoming_messages, + :controller => 'admin_incoming_message', + :only => [:edit, :update, :destroy] do + post 'redeliver', :on => :member + end + end + #### + #### AdminOutgoingMessage controller scope '/admin', :as => 'admin' do - resources :info_requests, :only => [] do - resources :censor_rules, - :controller => 'admin_censor_rule', - :only => [:new, :create], - :name_prefix => 'info_request_' + resources :outgoing_messages, + :controller => 'admin_outgoing_message', + :only => [:edit, :update, :destroy] do + post 'resend', :on => :member end end + #### + #### AdminUser controller scope '/admin', :as => 'admin' do - resources :users, :only => [] do - resources :censor_rules, - :controller => 'admin_censor_rule', - :only => [:new, :create], - :name_prefix => 'user_' + resources :users, + :controller => 'admin_user', + :except => [:new, :create, :destroy] do + get 'banned', :on => :collection + get 'show_bounce_message', :on => :member + post 'clear_bounce', :on => :member + post 'login_as', :on => :member + post 'clear_profile_photo', :on => :member + post 'modify_comment_visibility', :on => :collection + resources :censor_rules, + :controller => 'admin_censor_rule', + :only => [:new, :create], + :name_prefix => 'user_' end end #### + #### AdminTrack controller + scope '/admin', :as => 'admin' do + resources :tracks, + :controller => 'admin_track', + :only => [:index, :destroy] + end + #### + + #### AdminCensorRule controller + scope '/admin', :as => 'admin' do + resources :censor_rules, + :controller => 'admin_censor_rule', + :except => [:index, :new, :create] + end + #### AdminSpamAddresses controller scope '/admin', :as => 'admin' do resources :spam_addresses, |