path: root/app/controllers
Commit message (Author, Date, Lines changed)
...
* Merge branch 'issues/1343-ip-spoofing-error' into rails-3-develop (Gareth Rees, 2014-04-14, -1/+5)

  * Rescue from IpSpoofAttackError when using remote IP (Gareth Rees, 2014-04-14, -1/+5)

    Some proxies seem to be setting the Client-IP HTTP header to 127.0.0.1. Rails checks that Client-IP is contained in X-Forwarded-For and raises the error. We decided to rescue in this individual case rather than adding a middleware to strip Client-IP (http://writeheavy.com/2011/07/31/when-its-ok-to-turn-of-rails-ip-spoof-checking.html#well_thats_stupid_can_we_turn_it_off) so that we don't introduce unexpected behaviour. If we start to do anything more with request.remote_ip, then we should look at doing so. See http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection for an in-depth look at this issue.

* Rescue from non-numeric page parameter exceptions (Gareth Rees, 2014-04-10, -1/+1)

  will_paginate intentionally throws an ArgumentError when a non-numeric page parameter is used. Conveniently, they tag it with WillPaginate::InvalidPage, so here we rescue with a 404.

* Merge branch 'issues/1317-holding-pen-spam' into rails-3-develop (Gareth Rees, 2014-04-07, -0/+27)

  * Add AdminSpamAddressesController and UI (Gareth Rees, 2014-03-28, -0/+27)

* Merge branch 'rails-3-develop' of ssh://git.mysociety.org/data/git/public/alaveteli into rails-3-develop (Louise Crow, 2014-04-04, -0/+10)

  * Merge branch 'issues/1406-render-exception-error' into rails-3-develop (Gareth Rees, 2014-04-02, -0/+10)

    * URL Encode the path parameter for render_exception (Gareth Rees, 2014-03-31, -0/+10)

      If a request is made and the path is something like /%d3, we rescue this with a custom 404 template. This gets unescaped as {"path"=>"\323"}. In the case of a RouteNotFound, ApplicationController#render_exception renders the general/exception_caught template into the default layout, which renders the general/_locale_switcher partial. This partial calls url_for – sending the full params hash as the argument – so that a user may return to the existing page in their chosen locale. The problem is that url_for tries to construct the url with the hash {:action=>"not_found", :controller=>"general", :path=>"\323"}. ApplicationController#sanitize_params re-encodes the path parameter so that it can be passed through to url_for without trouble.

* Merge branch 'feature/1310-better-track-translation' into rails-3-develop (Louise Crow, 2014-04-04, -16/+3)

  Conflicts:
    spec/factories.rb

  * Add notices for unsubscribing from things. (Louise Crow, 2014-03-24, -1/+1)

    These are full sentences, not composed on the fly, so should be easier to translate.

  * Add notices for subscribing to something. (Louise Crow, 2014-03-24, -5/+1)

    These notices are complete sentences, not composed on the fly, so should be easier to translate.

  * Add notices for subscribing to something you're subscribed to. (Louise Crow, 2014-03-24, -1/+1)

    These notices are full sentences, rather than being composed of phrases, which should make them easier to translate.

  * Remove obsolete line. (Louise Crow, 2014-03-24, -1/+0)

    Should have been removed in https://github.com/mysociety/alaveteli/commit/b236d4f113187b0e5d87867fc6512e5486f9764f.

  * Remove old unused code. (Louise Crow, 2014-03-24, -8/+0)

* Add honeypot spam protection to contact form (Gareth Rees, 2014-03-31, -0/+9)

  Intercepts the request and redirects to the homepage if the comment field is filled in on the contact form.

* Controller code to hide/unhide annotations (Andrew Black, 2014-03-25, -0/+6)

  The UI provides a list of comment_ids and a newstate="visible" or "hide".

* Merge branch 'rails-3-develop' of ssh://git.mysociety.org/data/git/public/alaveteli into rails-3-develop (Louise Crow, 2014-03-13, -26/+41)

  * Use filter to reject if user is banned (Gareth Rees, 2014-03-13, -7/+9)

    Extract checking whether a user is banned from making Comments on an InfoRequest to a filter in CommentController. Removes responsibility from the #new method. Adds a missing spec.

  * Use filter to reject unless comments allowed (Gareth Rees, 2014-03-13, -9/+11)

    Extract checking whether comments are allowed on an InfoRequest to a filter in CommentController. Removes responsibility from the #new method.

  * Extract create_track_thing from CommentController (Gareth Rees, 2014-03-13, -1/+5)

    Use a before_filter to make @track_thing available to all filters called on the same action and remove responsibility from the #new method.

  * Extract find_info_request from CommentController (Gareth Rees, 2014-03-13, -12/+17)

    Use a before_filter to make @info_request available to all filters called on the same action.

  * Graceful failure of new_comment route (Gareth Rees, 2014-03-13, -4/+6)

    Fixes https://github.com/mysociety/alaveteli/issues/662

    If /annotate/request/:url_title is accessed when comments are disabled, an exception is incorrectly thrown. Conditionals should be used for control flow, so now the action redirects to the info_request path and displays a notice.

* Merge branch 'feature/1345-other-country-fallback' into rails-3-develop (Louise Crow, 2014-03-13, -2/+9)

  * Handle the case where the current locale isn't in site list (Louise Crow, 2014-03-13, -2/+9)

    We only really want to redirect people to live sites, so pre-launch sites don't belong in WorldFOIWebsites. Handle the case where the current locale isn't there. Closes #1345.

* Correctly call helpers in RequestController#describe_state (Gareth Rees, 2014-03-13, -2/+2)

  Calling simple_date threw an exception as it uses a helper internally. Only LinkToHelper is included into the controller, so the underlying helper was not available.

* Merge branch 'feature/batch-requests' into rails-3-develop (Louise Crow, 2014-01-29, -93/+221)

  Conflicts:
    config/general.yml-example
    spec/factories.rb

  * Preserve whitespace in strings for translation. (Louise Crow, 2014-01-28, -1/+1)

    Otherwise they get marked as fuzzy in .po files and lose their existing translations.

  * Update notices for offline sending. (Louise Crow, 2013-12-04, -16/+11)

  * Display batch requests for user on 'my requests' page (Louise Crow, 2013-12-04, -0/+3)

    This is the most rudimentary possible way to give them access to the batch request URLs, pending #1239.

  * Split the creation of a batch and the associated requests. (Louise Crow, 2013-12-04, -5/+6)

    We're going to want to actually create and send the requests later.

  * Add list of bodies batch request will be sent to. (Louise Crow, 2013-12-04, -0/+6)

  * Javascript enhancements. (Louise Crow, 2013-12-04, -6/+18)

    Add or remove all buttons, ajax search as you type.

  * Raise limit on results to 1000. (Louise Crow, 2013-12-04, -3/+3)

    Seems like you have to specify a limit with xapian. We'll probably want to document the limit somewhere on this page.

  * Move creation of batch to InfoRequestBatch. (Louise Crow, 2013-12-04, -21/+7)

  * Add a rudimentary view for an info request batch. (Louise Crow, 2013-12-04, -2/+4)

  * Notices for success and errors. (Louise Crow, 2013-12-04, -7/+28)

  * Add check for double submission. (Louise Crow, 2013-12-04, -5/+8)

  * Make method names for finding existing objects clearer (Louise Crow, 2013-12-04, -5/+5)

    They're not finding by the existing object, they're finding an existing object.

  * Simple code for the happy path (Louise Crow, 2013-12-04, -19/+28)

    Create the batch and associate new requests with it, send the outgoing messages, and redirect to a page for the new batch.

  * Remove extra 'is invalid' error message. (Louise Crow, 2013-12-04, -2/+4)

    This duplicates what's done in the new action, but I can't currently think of a way of sharing functionality that doesn't seem overly complex and/or risky.

  * Handle a banned user making batch requests. (Louise Crow, 2013-12-04, -1/+5)

  * Batch users don't have a daily limit. (Louise Crow, 2013-12-04, -2/+1)

    It doesn't make logical sense that they would. However I am preserving the ability to make batch requests as a separate thing from not having a daily limit - I think batch sending requires a (perhaps marginally) bigger level of trust.

  * Pass public bodies list through forms. (Louise Crow, 2013-12-04, -1/+0)

  * Require at least one public body in the params. (Louise Crow, 2013-12-04, -3/+3)

  * Create template and outgoing message (Louise Crow, 2013-12-04, -18/+60)

    Add validation, preview as in single request creation. Add comments noting further work to be done in this action.

  * Isolate code for preparing to display the compose interface. (Louise Crow, 2013-12-04, -51/+67)

    Reuse it for the batch request page.

  * Add new_batch action (Louise Crow, 2013-12-04, -15/+23)

    Give it basic access control, and add some conditionals to the 'new' template around bits that use @info_request.public_body so that they render something different if @batch is assigned.

  * Add template for select_authorities (Louise Crow, 2013-12-04, -0/+11)

    Should retain a list of selected public bodies across searches.

  * Handle not enabled, no user, unauthorised user. (Louise Crow, 2013-12-04, -12/+17)

  * Add a select_authorities action. (Louise Crow, 2013-12-04, -0/+3)