path: root/app/controllers/application_controller.rb

Commit message (Author, Age, Lines)

* Don't redirect to signin on expiration of a non remember-me session (Louise Crow, 2015-04-23, -1/+0)
|     In practice, it's just confusing if you've been away from the site.
* Only use CSRF protection for logged-in users. (Louise Crow, 2015-04-10, -1/+12)
|
* Merge branch 'brakeman_fixes' into rails-3-develop (Louise Crow, 2014-12-18, -0/+2)
|\
| * Add global protect_from_forgery (Gareth Rees, 2014-12-18, -0/+2)
| |     Grepping the git logs didn’t bring up a good reason for this to be excluded. Seems like it came along after the app was initially created so it never got fully added for fear of regressions. The specs pass for this commit.
* | Enforce a lifetime on session cookies (Louise Crow, 2014-12-12, -0/+25)
| |     Problem described in http://seclists.org/fulldisclosure/2013/Sep/145
| |     Pattern taken from https://www.coffeepowered.net/2013/09/26/rails-session-cookies/
* | Add secureheaders (Louise Crow, 2014-12-05, -0/+3)
|/      Issue some security-related headers by default.
* Move method to model to make it more testable, add spec. (Louise Crow, 2014-09-01, -8/+0)
|
* Rename XXX comments with TODO: (Gareth Rees, 2014-06-10, -2/+2)
|     Picks these up in `rake notes` and adds semantic meaning
* Merge branch 'issues/1343-ip-spoofing-error' into rails-3-develop (Gareth Rees, 2014-04-14, -1/+5)
|\
| * Rescue from IpSpoofAttackError when using remote IP (Gareth Rees, 2014-04-14, -1/+5)
| |     Some proxies seem to be setting the Client-IP HTTP header to 127.0.0.1. Rails checks that Client-IP is contained in X-Forwarded-For and raises the error. We decided to rescue in this individual case rather than adding a middleware to strip Client-IP (http://writeheavy.com/2011/07/31/when-its-ok-to-turn-of-rails-ip-spoof-checking.html#well_thats_stupid_can_we_turn_it_off) so that we don't introduce unexpected behaviour. If we start to do anything more with request.remote_ip, then we should look at doing so. See http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection for an in-depth look at this issue.
* | Rescue from non-numeric page parameter exceptions (Gareth Rees, 2014-04-10, -1/+1)
|/      will_paginate intentionally throws an ArgumentError when a non-numeric page parameter is used. Conveniently, they tag it with WillPaginate::InvalidPage, so here we rescue with a 404.
* URL Encode the path parameter for render_exception (Gareth Rees, 2014-03-31, -0/+10)
|     If a request is made and path is something like /%d3 we rescue this with a custom 404 template. This gets unescaped as {"path"=>"\323"}. In the case of a RouteNotFound, ApplicationController#render_exception renders the general/exception_caught template in to the default layout, which renders the general/_locale_switcher partial. This partial calls url_for – sending the full params hash as the argument – so that a user may return to the existing page in their chosen locale. The problem is that url_for tries to construct the url with the hash {:action=>"not_found", :controller=>"general", :path=>"\323"}. ApplicationController#sanitize_params re-encodes the path parameter so that it can be passed through to url_for without trouble.
* Merge branch 'feature/batch-requests' into rails-3-develop (Louise Crow, 2014-01-29, -2/+2)
|\      Conflicts:
| |         config/general.yml-example
| |         spec/factories.rb
| * Raise limit on results to 1000. (Louise Crow, 2013-12-04, -2/+2)
| |     Seems like you have to specify a limit with xapian. We'll probably want to document the limit somewhere on this page.
* | Move make_query_from_params to XapianQueries (Louise Crow, 2013-12-19, -94/+0)
|/      This is involved with the construction of meaningful xapian queries with respect to InfoRequestEvents. This commit also removes the get_tags_from_params method, which presumably was targeted at PublicBodies, but doesn't seem to actually be used anywhere. XapianQueries is used to extend InfoRequestEvent in order to prevent InfoRequestEvent becoming too unwieldy and to preserve the association between these methods.
* Add a dummy exception notification address for testing (Louise Crow, 2013-11-12, -1/+3)
|     ActionMailer now checks for a 'to' address on sending mail, so supply one so that we can check exception notification mail sending. Also check that we have one before trying to call the exception notification code.
* Merge branch 'feature/hide-individual-responses' into rails-3-develop (Louise Crow, 2013-09-17, -13/+0)
|\      Conflicts:
| |         Gemfile
| |         app/views/admin_request/edit_outgoing.html.erb
| |         config/packages
| |         doc/CHANGES.md
| |         doc/INSTALL.md
| |         spec/models/info_request_spec.rb
| |         spec/models/public_body_spec.rb
| * Move some download methods to InfoRequest. (Louise Crow, 2013-09-16, -13/+0)
| |     Use send_file to send zips. Also adds 'all_can_view_all_correspondence?' - is this request completely cachable, or do we need to cache different versions for different levels of privilege?
* | Make method name clearer (Henare Degan, 2013-08-10, -2/+2)
| |
* | Don't show diagnostic messages when request is simply local (Henare Degan, 2013-08-10, -6/+3)
|/      This fixes the scenario when Alaveteli is behind a proxy in production
|       Resolves #1039
* Merge remote-tracking branch 'openaustralia_github/app_version_api_feature' into rails-3-develop (Louise Crow, 2013-06-18, -0/+4)
|\      Conflicts:
| |         app/controllers/application_controller.rb
| |         app/controllers/general_controller.rb
| |         config/routes.rb
| * Extract method (Matthew Landauer, 2013-02-24, -0/+5)
| |
* | Merge branch 'hotfix/0.11.0.13' into rails-3-develop (Louise Crow, 2013-06-17, -1/+4)
|\ \     Conflicts:
| | |        spec/mailers/outgoing_mailer_spec.rb
| * | Explicitly set I18n.locale in set_gettext_locale in order to get Rails to expire the template cache and trigger a lookup. (refs: 0.11.0.13, hotfix/0.11.0.13; Louise Crow, 2013-06-17, -1/+4)
| | |
* | | Merge commit '0.11.0.8' into rails-3-develop (Louise Crow, 2013-06-11, -4/+0)
|\| |
| * | Only render the popup banner in the layout where it's actually used. (Louise Crow, 2013-06-11, -4/+0)
| | |
* | | Merge branch 'release/0.11' into rails-3-develop (Louise Crow, 2013-06-04, -1/+4)
|\| |
| * | For non-HTML requests, just return the response code for now. (Louise Crow, 2013-06-03, -1/+4)
| | |
* | | Merge remote-tracking branch 'openaustralia_github/inline_search_method_refactor' into rails-3-develop (Louise Crow, 2013-06-04, -6/+9)
|\ \ \
| |/ /
|/| |
| * | Tiny refactor (Matthew Landauer, 2013-03-25, -5/+2)
| | |
| * | Inline method InfoRequest.full_search (Matthew Landauer, 2013-03-25, -1/+7)
| | |
* | | Add logging of any errors. (Louise Crow, 2013-05-02, -0/+4)
| | |
* | | Remove now unused methods (Louise Crow, 2013-05-02, -50/+0)
| | |
* | | Handle routing errors with our custom template too. (Louise Crow, 2013-05-02, -1/+4)
| | |
* | | Clearer setting of status code, addition of notification. (Louise Crow, 2013-05-02, -10/+17)
| | |
* | | Return the correct status codes for ActiveRecord::RecordNotFound, ActionController::UnknownAction, PermissionDenied and general exceptions. (Louise Crow, 2013-05-02, -0/+8)
| | |
* | | Add new error handler method that renders the general/exception_caught template (Louise Crow, 2013-05-02, -0/+13)
| | |
* | | Change email address in header of source code to hello@mysociety.org (Matthew Landauer, 2013-03-26, -1/+1)
|/ /
* | Merge remote-tracking branch 'mysociety/develop' into rails-3-develop (Henare Degan, 2013-03-14, -17/+13)
|\|     Conflicts:
| |         Gemfile
| |         Gemfile.lock
| |         app/controllers/admin_request_controller.rb
| |         app/controllers/admin_track_controller.rb
| |         app/controllers/request_controller.rb
| |         app/controllers/services_controller.rb
| |         app/helpers/link_to_helper.rb
| |         app/mailers/request_mailer.rb
| |         app/models/application_mailer.rb
| |         app/models/info_request.rb
| |         app/views/admin_censor_rule/edit.html.erb
| |         app/views/admin_censor_rule/new.html.erb
| |         app/views/admin_public_body/_form.html.erb
| |         app/views/admin_public_body/_locale_selector.html.erb
| |         app/views/admin_public_body/_one_list.html.erb
| |         app/views/admin_public_body/edit.html.erb
| |         app/views/admin_public_body/list.html.erb
| |         app/views/admin_public_body/new.html.erb
| |         app/views/admin_request/_incoming_message_actions.html.erb
| |         app/views/admin_request/edit.html.erb
| |         app/views/admin_request/edit_comment.html.erb
| |         app/views/admin_request/edit_outgoing.html.erb
| |         app/views/admin_request/list.html.erb
| |         app/views/admin_request/list_old_unclassified.html.erb
| |         app/views/admin_request/show.html.erb
| |         app/views/admin_track/_some_tracks.html.erb
| |         app/views/admin_track/list.html.erb
| |         app/views/admin_user/edit.html.erb
| |         app/views/admin_user/list.html.erb
| |         app/views/admin_user/show.html.erb
| |         app/views/general/_footer.html.erb
| |         app/views/general/exception_caught.html.erb
| |         app/views/help/contact.html.erb
| |         app/views/layouts/default.html.erb
| |         app/views/public_body/_alphabet.html.erb
| |         app/views/request/_request_listing_single.html.erb
| |         app/views/request/_sidebar.html.erb
| |         app/views/request/new.html.erb
| |         app/views/request/show.html.erb
| |         app/views/request_mailer/external_response.rhtml
| |         app/views/request_mailer/fake_response.rhtml
| |         config/environment.rb
| |         config/environments/production.rb
| |         config/routes.rb
| |         spec/controllers/admin_censor_rule_controller_spec.rb
| |         spec/controllers/request_controller_spec.rb
| |         spec/controllers/track_controller_spec.rb
| |         spec/helpers/link_to_helper_spec.rb
| |         spec/mailers/request_mailer_spec.rb
| |         spec/models/info_request_spec.rb
| |         spec/spec_helper.rb
| |         spec/views/public_body/show.html.erb_spec.rb
| |         spec/views/request/show.html.erb_spec.rb
| |         vendor/plugins/rails_xss/lib/rails_xss/erubis.rb
| * Pass parameters to method rather explicitly (Matthew Landauer, 2013-02-12, -9/+9)
| |
| * Inline method (Matthew Landauer, 2013-02-12, -8/+4)
| |
| * Simplify param_exists method (Matthew Landauer, 2013-02-12, -1/+1)
| |
* | Not required with the new version of exception_notification (Henare Degan, 2013-03-05, -3/+0)
| |
* | Rename Configuration class to avoid conflict with ActiveSupport::Configurable (Henare Degan, 2013-03-03, -8/+8)
| |
* | Rename ALL THE TEMPLATES!!1!!!one!!1!! (Henare Degan, 2013-02-27, -1/+1)
| |     .rhtml is deprecated in favour of .erb in Rails 3
* | Merge branch 'develop' into rails-3-spike (Henare Degan, 2013-02-15, -1/+1)
|\|     Conflicts:
| |         Gemfile
| |         Gemfile.lock
| |         app/controllers/general_controller.rb
| |         app/controllers/track_controller.rb
| |         app/models/outgoing_message.rb
| |         app/models/public_body.rb
| |         app/models/user.rb
| |         app/views/general/frontpage.rhtml
| |         config/environment.rb
| |         config/initializers/inflections.rb
| |         config/initializers/mime_types.rb
| |         db/migrate/094_remove_old_tags_foreign_key.rb
| |         lib/timezone_fixes.rb
| |         spec/models/request_mailer_spec.rb
| |         spec/views/request/list.rhtml_spec.rb
| * Mark popup banner as html_safe (Louise Crow, 2013-02-08, -1/+1)
| |
* | Fix up test_code_redirect_by_email_token for rspec 2 (Matthew Landauer, 2013-01-29, -1/+2)
| |
* | Merge remote-tracking branch 'mysociety/develop' into rails-3-spike (Matthew Landauer, 2013-01-04, -0/+13)
|\|     Conflicts:
| |         Gemfile.lock
| |         Rakefile
| |         app/controllers/request_controller.rb
| |         lib/tasks/rspec.rake
| |         spec/controllers/services_controller_spec.rb
| |         spec/spec_helper.rb
| |         spec/views/request/_after_actions.rhtml_spec.rb
| * Merge branch 'hotfix/authenticate-and-expire-download-zips' into develop (Louise Crow, 2012-12-13, -0/+13)
| |\