Diffstat (limited to 'config')
-rw-r--r--config/application.rb3
-rw-r--r--config/brakeman.ignore63
-rw-r--r--config/brakeman.yml4
-rw-r--r--config/general.yml-example7
-rw-r--r--config/httpd.conf-example14
-rw-r--r--config/initializers/alaveteli.rb3
-rw-r--r--config/initializers/secure_headers.rb24
-rw-r--r--config/routes.rb161
8 files changed, 220 insertions, 59 deletions
diff --git a/config/application.rb b/config/application.rb
index ed4f07819..366077795 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -36,6 +36,9 @@ module Alaveteli
# JavaScript files you want as :defaults (application.js is always included).
# config.action_view.javascript_expansions[:defaults] = %w(jquery rails)
+ # Allow some extra tags to be whitelisted in the 'sanitize' helper method
+ config.action_view.sanitized_allowed_tags = 'html', 'head', 'body', 'table', 'tr', 'td', 'style'
+
# Configure the default encoding used in templates for Ruby 1.9.
config.encoding = "utf-8"
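Review bot: Adding `'style'` to the `config.action_view.sanitized_allowed_tags` list means the `sanitize` helper now passes author-supplied `<style>` blocks through to the rendered page, and the same commit sets `config.csp = false` in `config/initializers/secure_headers.rb`, so nothing downstream constrains that stylesheet content. Untrusted CSS reaching a page can restyle or overlay the application's own UI and pull remote resources, which is a data-exposure and UI-redress risk wherever the sanitized HTML originates from outside the application (presumably HTML attachment rendering; I cannot see the callers from this hunk). I would record the justification and the constraint next to the setting, e.g. `# 'style' is allowed so HTML attachments render; only apply the sanitize helper to content served on its own page, never inline in the main layout`.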
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
new file mode 100644
index 000000000..391013a5a
--- /dev/null
+++ b/config/brakeman.ignore
@@ -0,0 +1,63 @@
+{
+ "ignored_warnings": [
+ {
+ "location": {
+ "type": "method",
+ "method": "list_all_csv",
+ "class": "PublicBodyController"
+ },
+ "file": "app/controllers/public_body_controller.rb",
+ "warning_code": 16,
+ "render_path": null,
+ "link": "http://brakemanscanner.org/docs/warning_types/file_access/",
+ "warning_type": "File Access",
+ "code": "File.open(Tempfile.new(\"all-authorities.csv\", File.join(InfoRequest.download_zip_dir, \"download\")).path, \"w\")",
+ "line": 211,
+ "confidence": "Weak",
+ "user_input": "InfoRequest.download_zip_dir",
+ "message": "Model attribute used in file name",
+ "fingerprint": "00ce9cdd1d2c3f220bae94cb854393b5072ee1da064ca7a3af693fe2867d51c8",
+ "note": "InfoRequest.download_zip_dir does not contain user input"
+ },
+ {
+ "location": {
+ "type": "method",
+ "method": "list_all_csv",
+ "class": "PublicBodyController"
+ },
+ "file": "app/controllers/public_body_controller.rb",
+ "warning_code": 16,
+ "render_path": null,
+ "link": "http://brakemanscanner.org/docs/warning_types/file_access/",
+ "warning_type": "File Access",
+ "code": "File.rename(Tempfile.new(\"all-authorities.csv\", File.join(InfoRequest.download_zip_dir, \"download\")).path, File.join(File.join(InfoRequest.download_zip_dir, \"download\"), \"all-authorities.csv\"))",
+ "line": 213,
+ "confidence": "Weak",
+ "user_input": "InfoRequest.download_zip_dir",
+ "message": "Model attribute used in file name",
+ "fingerprint": "6078628aa47451d597e211629d80dcea0fdc7600dc066cabf2c0a4b9e07a75cc",
+ "note": "InfoRequest.download_zip_dir does not contain user input"
+ },
+ {
+ "location": {
+ "type": "method",
+ "method": "list_all_csv",
+ "class": "PublicBodyController"
+ },
+ "file": "app/controllers/public_body_controller.rb",
+ "warning_code": 16,
+ "render_path": null,
+ "link": "http://brakemanscanner.org/docs/warning_types/file_access/",
+ "warning_type": "File Access",
+ "code": "FileUtils.mkdir_p(File.join(InfoRequest.download_zip_dir, \"download\"))",
+ "line": 194,
+ "confidence": "Weak",
+ "user_input": "InfoRequest.download_zip_dir",
+ "message": "Model attribute used in file name",
+ "fingerprint": "5ed20f867c17c814cfe117906161a26f37b986d694996c9fd0089d4f971dc1d0",
+ "note": "InfoRequest.download_zip_dir does not contain user input"
+ }
+ ],
+ "updated": "Thu Oct 02 10:43:19 +0000 2014",
+ "brakeman_version": "2.6.2"
+}
diff --git a/config/brakeman.yml b/config/brakeman.yml
new file mode 100644
index 000000000..1f95903fd
--- /dev/null
+++ b/config/brakeman.yml
@@ -0,0 +1,4 @@
+---
+:output_files:
+- tmp/brakeman.html
+- tmp/brakeman.json
diff --git a/config/general.yml-example b/config/general.yml-example
index ac96b5e50..5be62ee21 100644
--- a/config/general.yml-example
+++ b/config/general.yml-example
@@ -174,7 +174,7 @@ REPLY_LATE_AFTER_DAYS: 20
REPLY_VERY_LATE_AFTER_DAYS: 40
SPECIAL_REPLY_VERY_LATE_AFTER_DAYS: 60
-# The WORKING_OR_CALENDAR_DAYS setting can be either "working" (the default) or
+# The WORKING_OR_CALENDAR_DAYS setting can be either "working" (the default) or
# "calendar", and determines which days are counted when calculating whether a
# request is officially late.
#
@@ -195,7 +195,7 @@ WORKING_OR_CALENDAR_DAYS: working
# *Warning:* this is slow — don't use in production!
#
# FRONTPAGE_PUBLICBODY_EXAMPLES - String semicolon-separated list of public
-# bodies (default: nil)
+# bodies (default: nil)
#
# Examples:
#
@@ -571,6 +571,7 @@ GA_CODE: ''
# body go to you, use this setting. This is useful for a staging server, so you
# can play with the whole process of sending requests without inadvertently
# sending an email to a real authority.
+# Leave blank ('') to send requests to the real authority emails.
#
# OVERRIDE_ALL_PUBLIC_BODY_REQUEST_EMAILS - String (default: nil)
#
@@ -579,7 +580,7 @@ GA_CODE: ''
# OVERRIDE_ALL_PUBLIC_BODY_REQUEST_EMAILS: test-email@example.com
#
# ---
-# OVERRIDE_ALL_PUBLIC_BODY_REQUEST_EMAILS: test-email@example.com
+OVERRIDE_ALL_PUBLIC_BODY_REQUEST_EMAILS: ''
# Search path for external commandline utilities (such as pdftohtml, pdftk,
# unrtf)
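Review bot: The new uncommented `OVERRIDE_ALL_PUBLIC_BODY_REQUEST_EMAILS: ''` line disagrees with the unchanged documentation a few lines above, which still says `(default: nil)`; with the key now present in the shipped example the application receives an empty string rather than an absent key, and whether the override logic treats `''` the same as nil cannot be seen from this diff. Because a non-blank value silently redirects every outgoing request email, the earlier hunk's added comment should state which check the code makes, e.g. `# Leave blank ('') to send requests to the real authority emails; any non-blank value redirects ALL request mail`, and the `(default: nil)` line should be updated to match what the example now ships.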
diff --git a/config/httpd.conf-example b/config/httpd.conf-example
index 2f6ca9c75..00722fbdf 100644
--- a/config/httpd.conf-example
+++ b/config/httpd.conf-example
@@ -34,7 +34,7 @@
# Passenger's default MaxPoolSize is 6. At the time of writing
# normal instances of Alaveteli seem to take 150-200MB per
# process, so we've set this conservatively at 3. Read the guides
- # above to tune this for your system
+ # above to tune this for your system
PassengerMaxPoolSize 3
# The RAILS_ENV that the app is running in. This can be any of
@@ -97,12 +97,24 @@
#
# The condition means that the rule will fire only if the cached
# file exists.
+ #
+ # The second condition-rule pair handles the same transformation for
+ # files served from a non-default locale, 'cy'. You will need one
+ # set of rules for each non-default locale.
+
RewriteMap escape int:escape
RewriteCond %{DOCUMENT_ROOT}/views_cache/request/$2/$1/${escape:$3} -f
RewriteRule ^/request/((\d{1,3})\d*)/(response/\d+/attach/(html/)?\d+/.+) /views_cache/request/$2/$1/${escape:$3} [L]
RewriteCond %{DOCUMENT_ROOT}/views_cache/cy/request/$2/$1/${escape:$3} -f
RewriteRule ^/cy/request/((\d{1,3})\d*)/(response/\d+/attach/(html/)?\d+/.+) /views_cache/cy/request/$2/$1/${escape:$3} [L]
+ # Don't allow anything to execute from the cache
+ <Directory "/var/www/alaveteli/public/views_cache">
+ Options -ExecCGI
+ SetHandler default-handler
+ AllowOverride None
+ </Directory>
+
# Compress assets
<Location />
<IfModule mod_deflate.c>
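Review bot: The new `<Directory "/var/www/alaveteli/public/views_cache">` block hard-codes the deployment path, while the RewriteCond/RewriteRule lines just above locate the cache through `%{DOCUMENT_ROOT}`; on an installation with a different DocumentRoot the rewrite still serves cached files but the no-execute restriction silently does not apply, because Apache matches `<Directory>` on the filesystem path. A comment should make that coupling explicit: `# Must match <DOCUMENT_ROOT>/views_cache used by the rewrite rules above, or this restriction is not applied`. As defence in depth, `Options -ExecCGI -Includes` would also disable server-side includes, which are governed by Options rather than by the handler that `SetHandler default-handler` overrides.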
diff --git a/config/initializers/alaveteli.rb b/config/initializers/alaveteli.rb
index 3a1220326..128f6bc5a 100644
--- a/config/initializers/alaveteli.rb
+++ b/config/initializers/alaveteli.rb
@@ -10,7 +10,7 @@ load "debug_helpers.rb"
load "util.rb"
# Application version
-ALAVETELI_VERSION = '0.19'
+ALAVETELI_VERSION = '0.20.0.0'
# Add new inflection rules using the following format
# (all these examples are active by default):
@@ -56,6 +56,7 @@ require 'public_body_csv'
require 'category_and_heading_migrator'
require 'public_body_categories'
require 'routing_filters'
+require 'alaveteli_text_masker'
AlaveteliLocalization.set_locales(AlaveteliConfiguration::available_locales,
AlaveteliConfiguration::default_locale)
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
new file mode 100644
index 000000000..99730e6b2
--- /dev/null
+++ b/config/initializers/secure_headers.rb
@@ -0,0 +1,24 @@
+::SecureHeaders::Configuration.configure do |config|
+
+ # https://tools.ietf.org/html/rfc6797
+ if AlaveteliConfiguration::force_ssl
+ config.hsts = { :max_age => 20.years.to_i, :include_subdomains => true }
+ else
+ config.hsts = false
+ end
+ # https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02
+ config.x_frame_options = "sameorigin"
+
+ # http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
+ config.x_content_type_options = "nosniff"
+
+ # http://msdn.microsoft.com/en-us/library/dd565647%28v=vs.85%29.aspx
+ config.x_xss_protection = { :value => 1 }
+
+ # https://w3c.github.io/webappsec/specs/content-security-policy/
+ config.csp = false
+
+ # https://www.nwebsec.com/HttpHeaders/SecurityHeaders/XDownloadOptions
+ config.x_download_options = false
+end
+
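Review bot: `:include_subdomains => true` on the `config.hsts` line, combined with a 20-year `max_age`, is a one-way commitment: once a browser has cached the header, every subdomain of the site's host must be reachable over valid HTTPS or it becomes unreachable from that browser for the lifetime of the policy, and that cannot be undone remotely for clients that already hold it. Since `force_ssl` is the only input here and the initializer cannot know which subdomains a given installation runs, this should be either configurable or documented, e.g. `# include_subdomains applies the HTTPS-only policy to every subdomain of this host for 20 years; drop it if any subdomain is served over plain HTTP`. `config.csp = false` and `config.x_download_options = false` also switch protections off with no reason recorded; a one-line comment on each saying why would stop a later reader from treating it as an oversight.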
diff --git a/config/routes.rb b/config/routes.rb
index ff99e884c..c975d6007 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -155,6 +155,7 @@ Alaveteli::Application.routes.draw do
match '/help/api' => 'help#api', :as => :help_api
match '/help/credits' => 'help#credits', :as => :help_credits
match '/help/:action' => 'help#action', :as => :help_general
+ match '/help' => 'help#index'
####
#### Holiday controller
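Review bot: The added `match '/help' => 'help#index'` carries no `:as`, unlike the sibling help routes on the lines above which each declare a named route; `match '/help' => 'help#index', :as => :help_index` would follow the surrounding style and give views a helper to link with. Like its neighbours it also has no `:via`, so under Rails 3 `match` semantics it answers every HTTP verb; `:via => :get` would be harmless here and narrows the surface, though I cannot see from this hunk whether the routes file constrains verbs elsewhere.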
@@ -168,17 +169,15 @@ Alaveteli::Application.routes.draw do
####
#### AdminPublicBody controller
- match '/admin/missing_scheme' => 'admin_public_body#missing_scheme', :as => :admin_body_missing
- match '/admin/body' => 'admin_public_body#index', :as => :admin_body_index
- match '/admin/body/list' => 'admin_public_body#list', :as => :admin_body_list
- match '/admin/body/show/:id' => 'admin_public_body#show', :as => :admin_body_show
- match '/admin/body/new' => 'admin_public_body#new', :as => :admin_body_new
- match '/admin/body/edit/:id' => 'admin_public_body#edit', :as => :admin_body_edit
- match '/admin/body/update/:id' => 'admin_public_body#update', :as => :admin_body_update
- match '/admin/body/create' => 'admin_public_body#create', :as => :admin_body_create
- match '/admin/body/destroy/:id' => 'admin_public_body#destroy', :as => :admin_body_destroy
- match '/admin/body/import_csv' => 'admin_public_body#import_csv', :as => :admin_body_import_csv
- match '/admin/body/mass_tag_add' => 'admin_public_body#mass_tag_add', :as => :admin_body_mass_tag_add
+ scope '/admin', :as => 'admin' do
+ resources :bodies,
+ :controller => 'admin_public_body' do
+ get 'missing_scheme', :on => :collection
+ post 'mass_tag_add', :on => :collection
+ get 'import_csv', :on => :collection
+ post 'import_csv', :on => :collection
+ end
+ end
####
#### AdminPublicBodyCategory controller
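Review bot: Inside the new `resources :bodies` block, `get 'import_csv', :on => :collection` and `post 'import_csv', :on => :collection` define two routes that share one generated route name; Rails 3 tolerates the duplicate but later versions reject duplicate route names, and the intent reads more clearly as a single route: `match 'import_csv', :on => :collection, :via => [:get, :post]`. The other resources blocks in this commit do not repeat the pattern, so the change is local to this hunk.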
@@ -199,9 +198,27 @@ Alaveteli::Application.routes.draw do
end
####
+ #### AdminHoliday controller
+ scope '/admin', :as => 'admin' do
+ resources :holidays,
+ :controller => 'admin_holidays'
+ end
+ ####
+
+ #### AdminHolidayImports controller
+ scope '/admin', :as => 'admin' do
+ resources :holiday_imports,
+ :controller => 'admin_holiday_imports',
+ :only => [:new, :create]
+ end
+ ####
+
#### AdminPublicBodyChangeRequest controller
- match '/admin/change_request/edit/:id' => 'admin_public_body_change_requests#edit', :as => :admin_change_request_edit
- match '/admin/change_request/update/:id' => 'admin_public_body_change_requests#update', :as => :admin_change_request_update
+ scope '/admin', :as => 'admin' do
+ resources :change_requests,
+ :controller => 'admin_public_body_change_requests',
+ :only => [:edit, :update]
+ end
####
#### AdminGeneral controller
@@ -212,62 +229,98 @@ Alaveteli::Application.routes.draw do
####
#### AdminRequest controller
- match '/admin/request' => 'admin_request#index', :as => :admin_request_index
- match '/admin/request/list' => 'admin_request#list', :as => :admin_request_list
- match '/admin/request/show/:id' => 'admin_request#show', :as => :admin_request_show
- match '/admin/request/resend' => 'admin_request#resend', :as => :admin_request_resend
- match '/admin/request/edit/:id' => 'admin_request#edit', :as => :admin_request_edit
- match '/admin/request/update/:id' => 'admin_request#update', :as => :admin_request_update
- match '/admin/request/destroy/:id' => 'admin_request#fully_destroy', :as => :admin_request_destroy
- match '/admin/request/edit_comment/:id' => 'admin_request#edit_comment', :as => :admin_request_edit_comment
- match '/admin/request/update_comment/:id' => 'admin_request#update_comment', :as => :admin_request_update_comment
- match '/admin/request/move_request' => 'admin_request#move_request', :as => :admin_request_move_request
- match '/admin/request/generate_upload_url/:id' => 'admin_request#generate_upload_url', :as => :admin_request_generate_upload_url
- match '/admin/request/show_raw_email/:id' => 'admin_request#show_raw_email', :as => :admin_request_show_raw_email
- match '/admin/request/download_raw_email/:id' => 'admin_request#download_raw_email', :as => :admin_request_download_raw_email
- match '/admin/request/mark_event_as_clarification' => 'admin_request#mark_event_as_clarification', :as => :admin_request_clarification
- match '/admin/request/hide/:id' => 'admin_request#hide_request', :as => :admin_request_hide
+ scope '/admin', :as => 'admin' do
+ resources :requests,
+ :controller => 'admin_request',
+ :except => [:new, :create] do
+ post 'move', :on => :member
+ post 'generate_upload_url', :on => :member
+ post 'hide', :on => :member
+ resources :censor_rules,
+ :controller => 'admin_censor_rule',
+ :only => [:new, :create],
+ :name_prefix => 'request_'
+
+ end
+ end
+ ####
+
+ #### AdminComment controller
+ scope '/admin', :as => 'admin' do
+ resources :comments,
+ :controller => 'admin_comment',
+ :only => [:edit, :update]
+ end
####
+ #### AdminRawEmail controller
+ scope '/admin', :as => 'admin' do
+ resources :raw_emails,
+ :controller => 'admin_raw_email',
+ :only => [:show]
+ end
+ ####
+
+ #### AdminInfoRequestEvent controller
+ scope '/admin', :as => 'admin' do
+ resources :info_request_events,
+ :controller => 'admin_info_request_event',
+ :only => [:update]
+ end
+
#### AdminIncomingMessage controller
- match '/admin/incoming/destroy' => 'admin_incoming_message#destroy', :as => :admin_incoming_destroy
- match '/admin/incoming/redeliver' => 'admin_incoming_message#redeliver', :as => :admin_incoming_redeliver
- match '/admin/incoming/edit/:id' => 'admin_incoming_message#edit', :as => :admin_incoming_edit
- match '/admin/incoming/update/:id' => 'admin_incoming_message#update', :as => :admin_incoming_update
+ scope '/admin', :as => 'admin' do
+ resources :incoming_messages,
+ :controller => 'admin_incoming_message',
+ :only => [:edit, :update, :destroy] do
+ post 'redeliver', :on => :member
+ end
+ end
####
#### AdminOutgoingMessage controller
- match '/admin/outgoing/edit/:id' => 'admin_outgoing_message#edit', :as => :admin_outgoing_edit
- match '/admin/outgoing/destroy/:id' => 'admin_outgoing_message#destroy', :as => :admin_outgoing_destroy
- match '/admin/outgoing/update/:id' => 'admin_outgoing_message#update', :as => :admin_outgoing_update
+ scope '/admin', :as => 'admin' do
+ resources :outgoing_messages,
+ :controller => 'admin_outgoing_message',
+ :only => [:edit, :update, :destroy] do
+ post 'resend', :on => :member
+ end
+ end
####
#### AdminUser controller
- match '/admin/user' => 'admin_user#index', :as => :admin_user_index
- match '/admin/user/list' => 'admin_user#list', :as => :admin_user_list
- match '/admin/user/banned' => 'admin_user#list_banned', :as => :admin_user_list_banned
- match '/admin/user/show/:id' => 'admin_user#show', :as => :admin_user_show
- match '/admin/user/edit/:id' => 'admin_user#edit', :as => :admin_user_edit
- match '/admin/user/show_bounce_message/:id' => 'admin_user#show_bounce_message', :as => :admin_user_show_bounce
- match '/admin/user/update/:id' => 'admin_user#update', :as => :admin_user_update
- match '/admin/user/clear_bounce/:id' => 'admin_user#clear_bounce', :as => :admin_user_clear_bounce
- match '/admin/user/destroy_track' => 'admin_user#destroy_track', :as => :admin_user_destroy_track
- match '/admin/user/login_as/:id' => 'admin_user#login_as', :as => :admin_user_login_as
- match '/admin/user/clear_profile_photo/:id' => 'admin_user#clear_profile_photo', :as => :admin_clear_profile_photo
- match '/admin/user/modify_comment_visibility/:id' => 'admin_user#modify_comment_visibility', :as => 'admin_user_modify_comment_visibility'
+ scope '/admin', :as => 'admin' do
+ resources :users,
+ :controller => 'admin_user',
+ :except => [:new, :create, :destroy] do
+ get 'banned', :on => :collection
+ get 'show_bounce_message', :on => :member
+ post 'clear_bounce', :on => :member
+ post 'login_as', :on => :member
+ post 'clear_profile_photo', :on => :member
+ post 'modify_comment_visibility', :on => :collection
+ resources :censor_rules,
+ :controller => 'admin_censor_rule',
+ :only => [:new, :create],
+ :name_prefix => 'user_'
+ end
+ end
####
#### AdminTrack controller
- match '/admin/track/list' => 'admin_track#list', :as => :admin_track_list
+ scope '/admin', :as => 'admin' do
+ resources :tracks,
+ :controller => 'admin_track',
+ :only => [:index, :destroy]
+ end
####
#### AdminCensorRule controller
- match '/admin/censor/new' => 'admin_censor_rule#new', :as => :admin_rule_new
- match '/admin/censor/create' => 'admin_censor_rule#create', :as => :admin_rule_create
- match '/admin/censor/edit/:id' => 'admin_censor_rule#edit', :as => :admin_rule_edit
- match '/admin/censor/update/:id' => 'admin_censor_rule#update', :as => :admin_rule_update
- match '/admin/censor/destroy/:censor_rule_id' => 'admin_censor_rule#destroy', :as => :admin_rule_destroy
- ####
+ scope '/admin', :as => 'admin' do
+ resources :censor_rules,
+ :controller => 'admin_censor_rule',
+ :except => [:index, :new, :create]
+ end
#### AdminSpamAddresses controller
scope '/admin', :as => 'admin' do