Diffstat (limited to 'config')
-rw-r--r-- | config/application.rb | 4 | ||||
-rw-r--r-- | config/general.yml-example | 7 | ||||
-rw-r--r-- | config/initializers/alaveteli.rb | 3 | ||||
-rw-r--r-- | config/initializers/secure_headers.rb | 24 | ||||
-rw-r--r-- | config/routes.rb | 161 |
5 files changed, 141 insertions, 58 deletions
diff --git a/config/application.rb b/config/application.rb
index ed4f07819..ff72df015 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -74,6 +74,10 @@ module Alaveteli
 ENV['RECAPTCHA_PUBLIC_KEY'] = ::AlaveteliConfiguration::recaptcha_public_key
 ENV['RECAPTCHA_PRIVATE_KEY'] = ::AlaveteliConfiguration::recaptcha_private_key
 
+ if RUBY_VERSION.to_f >= 1.9
+ config.middleware.insert 0, Rack::UTF8Sanitizer
+ end
+
 # Insert a bit of middleware code to prevent uneeded cookie setting.
 require "#{Rails.root}/lib/whatdotheyknow/strip_empty_sessions"
 config.middleware.insert_before ::ActionDispatch::Cookies, WhatDoTheyKnow::StripEmptySessions, :key => '_wdtk_cookie_session', :path => "/", :httponly => true
diff --git a/config/general.yml-example b/config/general.yml-example
index ac96b5e50..5be62ee21 100644
--- a/config/general.yml-example
+++ b/config/general.yml-example
@@ -174,7 +174,7 @@ REPLY_LATE_AFTER_DAYS: 20
 REPLY_VERY_LATE_AFTER_DAYS: 40
 SPECIAL_REPLY_VERY_LATE_AFTER_DAYS: 60
 
-# The WORKING_OR_CALENDAR_DAYS setting can be either "working" (the default) or
+# The WORKING_OR_CALENDAR_DAYS setting can be either "working" (the default) or
 # "calendar", and determines which days are counted when calculating whether a
 # request is officially late.
 #
@@ -195,7 +195,7 @@ WORKING_OR_CALENDAR_DAYS: working
 # *Warning:* this is slow — don't use in production!
 #
 # FRONTPAGE_PUBLICBODY_EXAMPLES - String semicolon-separated list of public
-# bodies (default: nil)
+# bodies (default: nil)
 #
 # Examples:
 #
@@ -571,6 +571,7 @@ GA_CODE: ''
 # body go to you, use this setting. This is useful for a staging server, so you
 # can play with the whole process of sending requests without inadvertently
 # sending an email to a real authority.
+# Leave blank ('') to send requests to the real authority emails.
 #
 # OVERRIDE_ALL_PUBLIC_BODY_REQUEST_EMAILS - String (default: nil)
 #
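Review bot: The new `Rack::UTF8Sanitizer` insertion carries no comment saying what it protects against or why it is gated on the Ruby version; something like `# Sanitise invalid UTF-8 in the Rack env before anything else parses the request (encoding-aware strings exist only on Ruby 1.9+)` would stop the next reader from treating the guard as dead code. Inserting at index 0 places it ahead of the cookie and session middleware configured just below, which is the right ordering for request normalisation. The gem that provides the class is outside this config-only diff, so its Gemfile entry cannot be confirmed from here.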
@@ -579,7 +580,7 @@ GA_CODE: ''
 # OVERRIDE_ALL_PUBLIC_BODY_REQUEST_EMAILS: test-email@example.com
 #
 # ---
-# OVERRIDE_ALL_PUBLIC_BODY_REQUEST_EMAILS: test-email@example.com
+OVERRIDE_ALL_PUBLIC_BODY_REQUEST_EMAILS: ''
 
 # Search path for external commandline utilities (such as pdftohtml, pdftk,
 # unrtf)
diff --git a/config/initializers/alaveteli.rb b/config/initializers/alaveteli.rb
index 3a1220326..128f6bc5a 100644
--- a/config/initializers/alaveteli.rb
+++ b/config/initializers/alaveteli.rb
@@ -10,7 +10,7 @@ load "debug_helpers.rb"
 load "util.rb"
 
 # Application version
-ALAVETELI_VERSION = '0.19'
+ALAVETELI_VERSION = '0.20.0.0'
 
 # Add new inflection rules using the following format
 # (all these examples are active by default):
@@ -56,6 +56,7 @@ require 'public_body_csv'
 require 'category_and_heading_migrator'
 require 'public_body_categories'
 require 'routing_filters'
+require 'alaveteli_text_masker'
 AlaveteliLocalization.set_locales(AlaveteliConfiguration::available_locales, AlaveteliConfiguration::default_locale)
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
new file mode 100644
index 000000000..99730e6b2
--- /dev/null
+++ b/config/initializers/secure_headers.rb
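Review bot: The example now ships `OVERRIDE_ALL_PUBLIC_BODY_REQUEST_EMAILS: ''` as an active key while the description in the previous hunk still reads `String (default: nil)`; whether the configuration loader treats an empty string the same as an absent key is what decides if outgoing requests reach real authorities, so the two should agree — either `# OVERRIDE_ALL_PUBLIC_BODY_REQUEST_EMAILS - String (default: '')` or keep the key commented out as before. The added sentence `Leave blank ('') to send requests to the real authority emails.` states the intended semantics, but the code that reads this setting is not in this diff, so that behaviour should be confirmed rather than assumed.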
@@ -0,0 +1,24 @@
+::SecureHeaders::Configuration.configure do |config|
+
+ # https://tools.ietf.org/html/rfc6797
+ if AlaveteliConfiguration::force_ssl
+ config.hsts = { :max_age => 20.years.to_i, :include_subdomains => true }
+ else
+ config.hsts = false
+ end
+ # https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02
+ config.x_frame_options = "sameorigin"
+
+ # http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
+ config.x_content_type_options = "nosniff"
+
+ # http://msdn.microsoft.com/en-us/library/dd565647%28v=vs.85%29.aspx
+ config.x_xss_protection = { :value => 1 }
+
+ # https://w3c.github.io/webappsec/specs/content-security-policy/
+ config.csp = false
+
+ # https://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions
+ config.x_download_options = false
+end
+
diff --git a/config/routes.rb b/config/routes.rb
index ff99e884c..c975d6007 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -155,6 +155,7 @@ Alaveteli::Application.routes.draw do
 match '/help/api' => 'help#api', :as => :help_api
 match '/help/credits' => 'help#credits', :as => :help_credits
 match '/help/:action' => 'help#action', :as => :help_general
+ match '/help' => 'help#index'
 ####
 
 #### Holiday controller
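Review bot: `config.csp = false` switches off the one header in this file that limits injected script, and the only comment next to it is the spec URL; a note such as `# CSP disabled for now: the views still rely on inline script/style — start with a report-only policy before enforcing` (or whatever the real blocker is) records that this was a decision rather than an omission. `config.x_xss_protection = { :value => 1 }` enables the legacy browser filter in its rewrite mode; the gem also accepts `:mode => 'block'`, which makes the browser block the response instead of attempting to rewrite it. `:include_subdomains => true` with a 20-year `max_age` commits every subdomain of the host to TLS for that period, so it is worth confirming all of them are served over HTTPS before deploying with `force_ssl` on.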
@@ -168,17 +169,15 @@ Alaveteli::Application.routes.draw do
 ####
 
 #### AdminPublicBody controller
- match '/admin/missing_scheme' => 'admin_public_body#missing_scheme', :as => :admin_body_missing
- match '/admin/body' => 'admin_public_body#index', :as => :admin_body_index
- match '/admin/body/list' => 'admin_public_body#list', :as => :admin_body_list
- match '/admin/body/show/:id' => 'admin_public_body#show', :as => :admin_body_show
- match '/admin/body/new' => 'admin_public_body#new', :as => :admin_body_new
- match '/admin/body/edit/:id' => 'admin_public_body#edit', :as => :admin_body_edit
- match '/admin/body/update/:id' => 'admin_public_body#update', :as => :admin_body_update
- match '/admin/body/create' => 'admin_public_body#create', :as => :admin_body_create
- match '/admin/body/destroy/:id' => 'admin_public_body#destroy', :as => :admin_body_destroy
- match '/admin/body/import_csv' => 'admin_public_body#import_csv', :as => :admin_body_import_csv
- match '/admin/body/mass_tag_add' => 'admin_public_body#mass_tag_add', :as => :admin_body_mass_tag_add
+ scope '/admin', :as => 'admin' do
+ resources :bodies,
+ :controller => 'admin_public_body' do
+ get 'missing_scheme', :on => :collection
+ post 'mass_tag_add', :on => :collection
+ get 'import_csv', :on => :collection
+ post 'import_csv', :on => :collection
+ end
+ end
 ####
 
 #### AdminPublicBodyCategory controller
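Review bot: The `scope '/admin', :as => 'admin' do … end` wrapper is opened and closed separately for this controller and again for each one in the following hunks (AdminHoliday, AdminHolidayImports, AdminPublicBodyChangeRequest, and every section from AdminRequest through AdminCensorRule); a single enclosing `scope '/admin', :as => 'admin' do` around all the admin `resources` blocks yields the same paths and helper names with much less repetition. The paired `get 'import_csv', :on => :collection` / `post 'import_csv', :on => :collection` could likewise be one line, `match 'import_csv', :on => :collection, :via => [:get, :post]`, which states the intent directly. Replacing the old any-verb `match` lines with verb-specific resource routes is a genuine improvement, since `destroy` and `mass_tag_add` are no longer reachable by GET.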
@@ -199,9 +198,27 @@ Alaveteli::Application.routes.draw do
 end
 ####
 
+ #### AdminHoliday controller
+ scope '/admin', :as => 'admin' do
+ resources :holidays,
+ :controller => 'admin_holidays'
+ end
+ ####
+
+ #### AdminHolidayImports controller
+ scope '/admin', :as => 'admin' do
+ resources :holiday_imports,
+ :controller => 'admin_holiday_imports',
+ :only => [:new, :create]
+ end
+ ####
+
 #### AdminPublicBodyChangeRequest controller
- match '/admin/change_request/edit/:id' => 'admin_public_body_change_requests#edit', :as => :admin_change_request_edit
- match '/admin/change_request/update/:id' => 'admin_public_body_change_requests#update', :as => :admin_change_request_update
+ scope '/admin', :as => 'admin' do
+ resources :change_requests,
+ :controller => 'admin_public_body_change_requests',
+ :only => [:edit, :update]
+ end
 ####
 
 #### AdminGeneral controller
@@ -212,62 +229,98 @@ Alaveteli::Application.routes.draw do
 ####
 
 #### AdminRequest controller
- match '/admin/request' => 'admin_request#index', :as => :admin_request_index
- match '/admin/request/list' => 'admin_request#list', :as => :admin_request_list
- match '/admin/request/show/:id' => 'admin_request#show', :as => :admin_request_show
- match '/admin/request/resend' => 'admin_request#resend', :as => :admin_request_resend
- match '/admin/request/edit/:id' => 'admin_request#edit', :as => :admin_request_edit
- match '/admin/request/update/:id' => 'admin_request#update', :as => :admin_request_update
- match '/admin/request/destroy/:id' => 'admin_request#fully_destroy', :as => :admin_request_destroy
- match '/admin/request/edit_comment/:id' => 'admin_request#edit_comment', :as => :admin_request_edit_comment
- match '/admin/request/update_comment/:id' => 'admin_request#update_comment', :as => :admin_request_update_comment
- match '/admin/request/move_request' => 'admin_request#move_request', :as => :admin_request_move_request
- match '/admin/request/generate_upload_url/:id' => 'admin_request#generate_upload_url', :as => :admin_request_generate_upload_url
- match '/admin/request/show_raw_email/:id' => 'admin_request#show_raw_email', :as => :admin_request_show_raw_email
- match '/admin/request/download_raw_email/:id' => 'admin_request#download_raw_email', :as => :admin_request_download_raw_email
- match '/admin/request/mark_event_as_clarification' => 'admin_request#mark_event_as_clarification', :as => :admin_request_clarification
- match '/admin/request/hide/:id' => 'admin_request#hide_request', :as => :admin_request_hide
+ scope '/admin', :as => 'admin' do
+ resources :requests,
+ :controller => 'admin_request',
+ :except => [:new, :create] do
+ post 'move', :on => :member
+ post 'generate_upload_url', :on => :member
+ post 'hide', :on => :member
+ resources :censor_rules,
+ :controller => 'admin_censor_rule',
+ :only => [:new, :create],
+ :name_prefix => 'request_'
+
+ end
+ end
+ ####
+
+ #### AdminComment controller
+ scope '/admin', :as => 'admin' do
+ resources :comments,
+ :controller => 'admin_comment',
+ :only => [:edit, :update]
+ end
 ####
 
+ #### AdminRawEmail controller
+ scope '/admin', :as => 'admin' do
+ resources :raw_emails,
+ :controller => 'admin_raw_email',
+ :only => [:show]
+ end
+ ####
+
+ #### AdminInfoRequestEvent controller
+ scope '/admin', :as => 'admin' do
+ resources :info_request_events,
+ :controller => 'admin_info_request_event',
+ :only => [:update]
+ end
+
 #### AdminIncomingMessage controller
- match '/admin/incoming/destroy' => 'admin_incoming_message#destroy', :as => :admin_incoming_destroy
- match '/admin/incoming/redeliver' => 'admin_incoming_message#redeliver', :as => :admin_incoming_redeliver
- match '/admin/incoming/edit/:id' => 'admin_incoming_message#edit', :as => :admin_incoming_edit
- match '/admin/incoming/update/:id' => 'admin_incoming_message#update', :as => :admin_incoming_update
+ scope '/admin', :as => 'admin' do
+ resources :incoming_messages,
+ :controller => 'admin_incoming_message',
+ :only => [:edit, :update, :destroy] do
+ post 'redeliver', :on => :member
+ end
+ end
 ####
 
 #### AdminOutgoingMessage controller
- match '/admin/outgoing/edit/:id' => 'admin_outgoing_message#edit', :as => :admin_outgoing_edit
- match '/admin/outgoing/destroy/:id' => 'admin_outgoing_message#destroy', :as => :admin_outgoing_destroy
- match '/admin/outgoing/update/:id' => 'admin_outgoing_message#update', :as => :admin_outgoing_update
+ scope '/admin', :as => 'admin' do
+ resources :outgoing_messages,
+ :controller => 'admin_outgoing_message',
+ :only => [:edit, :update, :destroy] do
+ post 'resend', :on => :member
+ end
+ end
 ####
 
 #### AdminUser controller
- match '/admin/user' => 'admin_user#index', :as => :admin_user_index
- match '/admin/user/list' => 'admin_user#list', :as => :admin_user_list
- match '/admin/user/banned' => 'admin_user#list_banned', :as => :admin_user_list_banned
- match '/admin/user/show/:id' => 'admin_user#show', :as => :admin_user_show
- match '/admin/user/edit/:id' => 'admin_user#edit', :as => :admin_user_edit
- match '/admin/user/show_bounce_message/:id' => 'admin_user#show_bounce_message', :as => :admin_user_show_bounce
- match '/admin/user/update/:id' => 'admin_user#update', :as => :admin_user_update
- match '/admin/user/clear_bounce/:id' => 'admin_user#clear_bounce', :as => :admin_user_clear_bounce
- match '/admin/user/destroy_track' => 'admin_user#destroy_track', :as => :admin_user_destroy_track
- match '/admin/user/login_as/:id' => 'admin_user#login_as', :as => :admin_user_login_as
- match '/admin/user/clear_profile_photo/:id' => 'admin_user#clear_profile_photo', :as => :admin_clear_profile_photo
- match '/admin/user/modify_comment_visibility/:id' => 'admin_user#modify_comment_visibility', :as => 'admin_user_modify_comment_visibility'
+ scope '/admin', :as => 'admin' do
+ resources :users,
+ :controller => 'admin_user',
+ :except => [:new, :create, :destroy] do
+ get 'banned', :on => :collection
+ get 'show_bounce_message', :on => :member
+ post 'clear_bounce', :on => :member
+ post 'login_as', :on => :member
+ post 'clear_profile_photo', :on => :member
+ post 'modify_comment_visibility', :on => :collection
+ resources :censor_rules,
+ :controller => 'admin_censor_rule',
+ :only => [:new, :create],
+ :name_prefix => 'user_'
+ end
+ end
 ####
 
 #### AdminTrack controller
- match '/admin/track/list' => 'admin_track#list', :as => :admin_track_list
+ scope '/admin', :as => 'admin' do
+ resources :tracks,
+ :controller => 'admin_track',
+ :only => [:index, :destroy]
+ end
 ####
 
 #### AdminCensorRule controller
- match '/admin/censor/new' => 'admin_censor_rule#new', :as => :admin_rule_new
- match '/admin/censor/create' => 'admin_censor_rule#create', :as => :admin_rule_create
- match '/admin/censor/edit/:id' => 'admin_censor_rule#edit', :as => :admin_rule_edit
- match '/admin/censor/update/:id' => 'admin_censor_rule#update', :as => :admin_rule_update
- match '/admin/censor/destroy/:censor_rule_id' => 'admin_censor_rule#destroy', :as => :admin_rule_destroy
- ####
+ scope '/admin', :as => 'admin' do
+ resources :censor_rules,
+ :controller => 'admin_censor_rule',
+ :except => [:index, :new, :create]
+ end
 
 #### AdminSpamAddresses controller
 scope '/admin', :as => 'admin' do |
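Review bot: The nested `resources :censor_rules` under `:requests` and `:users` depend on `:name_prefix => 'request_'` / `'user_'` to keep their helpers distinct from the top-level admin `censor_rules` routes; if this application is on Rails 3, `:name_prefix` is not the documented option for that (`:as` is), so the generated helper names should be checked with `rake routes` before any view is updated to use them. The AdminInfoRequestEvent and AdminCensorRule sections also drop the closing `####` line that every other section in this hunk carries after its `end`, so the section markers are no longer symmetrical. Routing `login_as`, `hide`, `clear_bounce`, `redeliver` and the `destroy` actions through POST/DELETE only, rather than the old any-verb `match`, is a real improvement: these state-changing admin actions now fall under Rails' forgery protection, assuming `protect_from_forgery` is enabled for the admin controllers.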