Commit message

Correct indentation to be consistent
Now that we use global CSRF authenticity checks, searches were logging
logged-in users out as the form is an HTML form, not a Rails-generated
form with a CSRF token. So form submission raised an InvalidAuthenticityToken
error and reset their session. We could generate the form in Rails, but we
also want to minimise the number of non-logged in people who have a
session cookie, so that varnish can cache pages extensively. So we don't
want to put the CSRF token for the search form in everyone's session.
Fixes submission of form containing both existing and new
translations
Conflicts:
spec/models/public_body_spec.rb
Removes logic from views and obsoletes
AdminPublicBodyHelper#public_body_form_object
Fills in the first “Your e-mail:” field it finds, which could be
the sign _up_ form if the view is overridden to swap the order
of the sign in and sign up forms.
Also compacts a simple conditional onto one line.
This reverts commit 45f25290e2e4a1f33ec5d3df6ecfb40300318ece.
Use of the :ruby_20 platform requires bundler 1.3, which is not
available on all our supported OSes as a package. See
https://github.com/mysociety/alaveteli/issues/1276 for details.
So data-changing actions require a POST and can be protected against
CSRF.
Move specs that involve receiving email and then viewing the interface
to be integration specs, which is what they really are.
This sanitises non-UTF-8 params before they're processed by Rails.
The original error `ActionView::Template::Error` that this spec was
written to represent (#1406) occurred under ruby 1.8 when the decoded
non-UTF-8 string was used in the locale switcher on the 'not found'
error page to generate a url for the alternative locales.
Under Ruby >= 1.9, the error thrown in that situation is an `invalid
byte sequence in UTF-8` error, thrown in the same place - the locale
switcher. However, no error seems to be thrown when the same param is
used in a request in production.
The upgrade to Rails 3.2.20 causes `String.split` to be called on the
request path in `actionpack/lib/action_dispatch/middleware/static.rb` in
order to check for attempts to access files outside the `public`
directory. This means that under Ruby >= 1.9, an `invalid byte sequence
in UTF-8` error will be thrown there in running this spec.
I think a possible solution is to use the `rack-utf8_sanitizer` gem to
provide middleware to strip invalid utf-8 from request URIs and headers
before they're processed by Rails, but it's currently unclear whether
that would have any undesirable side-effects.
Removes the dependency on fixtures having been loaded.
Stemming returns 'bore' as the word to highlight which can't be matched
in the original phrase.
Also removes duplicates from the results
Backport of https://github.com/rails/rails/pull/11793/
Contains integration tests to check that it works
as expected with ActsAsXapian.
Some proxies seem to be setting the Client-IP HTTP header to 127.0.0.1.
Rails checks that Client-IP is contained in X-Forwarded-For and raises
the error.
We decided to rescue in this individual case rather than adding a
middleware to strip Client-IP
(http://writeheavy.com/2011/07/31/when-its-ok-to-turn-of-rails-ip-spoof-checking.html#well_thats_stupid_can_we_turn_it_off)
so that we don't introduce unexpected behaviour. If we start to do anything
more with request.remote_ip, then we should look at doing so.
See
http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection
for an in-depth look at this issue.
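To make the failure mode described above concrete, here is an added example (it is neither Rails' own `ActionDispatch::RemoteIp` nor Alaveteli code) that models the check the message describes: the `Client-IP` header must appear in the `X-Forwarded-For` list, otherwise an `IpSpoofAttackError` is raised. `resolve_remote_ip` then shows the option the message chose, rescuing only this case and falling back to `REMOTE_ADDR`, next to the option it rejected, stripping `Client-IP` before the check runs. All header values, addresses and function names are constructed for this example.

```ruby
require 'ipaddr'

# Added example, not Rails code: a simplified model of the spoofing check the
# commit message above describes. Raised when Client-IP disagrees with
# X-Forwarded-For.
class IpSpoofAttackError < StandardError; end

# Parse a comma-separated header value into a list of addresses, dropping
# anything that is not a syntactically valid IP.
def ips_from(header_value)
  return [] if header_value.nil?
  header_value.split(',').map(&:strip).select do |candidate|
    begin
      IPAddr.new(candidate)
      true
    rescue IPAddr::InvalidAddressError
      false
    end
  end
end

# The check as described: when both headers are present, Client-IP must be one
# of the X-Forwarded-For addresses or the request is treated as spoofed.
# Returns the address we take to be the client's.
def checked_remote_ip(env)
  client_ips = ips_from(env['HTTP_CLIENT_IP'])
  forwarded  = ips_from(env['HTTP_X_FORWARDED_FOR'])

  if !client_ips.empty? && !forwarded.empty? && !forwarded.include?(client_ips.first)
    raise IpSpoofAttackError,
          "Client-IP #{client_ips.first} not in X-Forwarded-For #{forwarded.join(', ')}"
  end

  (client_ips + forwarded).first || env['REMOTE_ADDR']
end

# Option chosen in the message: keep the check and rescue this single case,
# falling back to the socket address. Returns [ip, spoof_check_failed].
def resolve_remote_ip(env)
  [checked_remote_ip(env), false]
rescue IpSpoofAttackError
  [env['REMOTE_ADDR'], true]
end

# Option rejected in the message: drop Client-IP before the check runs.
def strip_client_ip(env)
  env.reject { |key, _| key == 'HTTP_CLIENT_IP' }
end

# Constructed request: a proxy that sets Client-IP to 127.0.0.1 while
# X-Forwarded-For carries the real client address.
PROXIED_REQUEST = {
  'REMOTE_ADDR'          => '10.0.0.2',
  'HTTP_CLIENT_IP'       => '127.0.0.1',
  'HTTP_X_FORWARDED_FOR' => '203.0.113.5'
}.freeze

if __FILE__ == $PROGRAM_NAME
  p resolve_remote_ip(PROXIED_REQUEST)                  # ["10.0.0.2", true]
  p resolve_remote_ip(strip_client_ip(PROXIED_REQUEST)) # ["203.0.113.5", false]
end
```

Note that in the stripped variant the address returned is the first `X-Forwarded-For` entry, which is whatever the client chose to send unless every proxy in the chain is trusted; that is the reason the message prefers rescuing the one known-bad case over removing the check, and what the linked article covers in depth.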
will_paginate intentionally throws an ArgumentError when a non-numeric page
parameter is used. Conveniently, they tag it with WillPaginate::InvalidPage,
so here we rescue with a 404.
If a request is made and the path is something like /%d3, we rescue this with
a custom 404 template.
This gets unescaped as {"path"=>"\323"}.
In the case of a RouteNotFound, ApplicationController#render_exception
renders the general/exception_caught template into the default layout,
which renders the general/_locale_switcher partial.
This partial calls url_for – sending the full params hash as the
argument – so that a user may return to the existing page in their
chosen locale.
The problem is that url_for tries to construct the url with the hash
{:action=>"not_found", :controller=>"general",
:path=>"\323"}.
ApplicationController#sanitize_params re-encodes the path parameter so
that it can be passed through to url_for without trouble.
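The messages above about sanitising non-UTF-8 params, the `invalid byte sequence in UTF-8` failure in the static middleware, and the `/%d3` path that decodes to `"\323"` all describe one hazard: percent-encoded bytes that are not valid UTF-8 reaching code that assumes they are. The following Rack-style middleware is an added example written for this page; it is not Alaveteli's `sanitize_params` and not the `rack-utf8_sanitizer` gem. It percent-decodes each path segment and query component, and where the result is not valid UTF-8 it scrubs the bad bytes to U+FFFD and re-encodes, so the string that later reaches `String#split` or `url_for` always has a valid encoding. The class name `Utf8ParamSanitizer`, its methods and the sample paths are this example's own.

```ruby
require 'uri'

# Added example, not project code: a minimal Rack-compatible middleware that
# rewrites PATH_INFO and QUERY_STRING so that they are valid UTF-8 once
# percent-decoded. Invalid bytes become U+FFFD, the Unicode replacement character.
class Utf8ParamSanitizer
  REPLACEMENT = "\uFFFD".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    env = env.dup
    env['PATH_INFO']    = self.class.sanitize_path(env['PATH_INFO'])     if env['PATH_INFO']
    env['QUERY_STRING'] = self.class.sanitize_query(env['QUERY_STRING']) if env['QUERY_STRING']
    @app.call(env)
  end

  # Sanitise a path segment by segment so the "/" separators are never re-encoded.
  def self.sanitize_path(path)
    path.split('/', -1).map { |segment| sanitize_component(segment) }.join('/')
  end

  # Sanitise each key and value of an application/x-www-form-urlencoded query.
  def self.sanitize_query(query)
    query.split('&', -1).map do |pair|
      pair.split('=', 2).map { |part| sanitize_component(part) }.join('=')
    end.join('&')
  end

  # Percent-decode; if the bytes are valid UTF-8 return the input untouched so
  # well-formed requests are never rewritten. Otherwise scrub and re-encode.
  def self.sanitize_component(component)
    decoded = URI.decode_www_form_component(component) # tagged UTF-8, may be invalid
    return component if decoded.valid_encoding?
    URI.encode_www_form_component(decoded.scrub(REPLACEMENT))
  rescue ArgumentError
    # Malformed escapes such as "%zz": keep the raw text, percent-encoded literally.
    URI.encode_www_form_component(component)
  end
end

# Demo app: echoes the (already sanitised) path it receives.
ECHO_APP = ->(env) { [200, { 'Content-Type' => 'text/plain' }, [env['PATH_INFO']]] }

# Runs one constructed request through the middleware and returns the body.
def sanitised_path_for(raw_path)
  status, _headers, body = Utf8ParamSanitizer.new(ECHO_APP).call(
    'PATH_INFO' => raw_path, 'QUERY_STRING' => ''
  )
  raise "unexpected status #{status}" unless status == 200
  body.first
end

if __FILE__ == $PROGRAM_NAME
  puts sanitised_path_for('/%d3')            # /%EF%BF%BD
  puts sanitised_path_for('/request/%C3%A9') # unchanged
end
```

Because valid input is returned unchanged rather than round-tripped through the encoder, the middleware cannot alter the routing of well-formed requests; only the invalid bytes that would otherwise raise downstream are rewritten.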
As @mhl points out, this more clearly indicates that they may come back
at some point.
So that files attached to different messages with the same name and
url_part don't get overwritten.
Conflicts:
app/views/request/_incoming_correspondence.html.erb
Conflicts:
spec/integration/view_request_spec.rb
This was disabled for hidden requests as the download was by redirect,
allowing people who have not been authenticated to conceivably access
the download. We'll be moving to send_file instead, so can restore it.
The third (and any subsequent) session created shares a session id with
the second without this explicit reset.
We're testing the code path where there is no converter here.
Adds a spec for what we want to see - no message text in
correspondence.txt, and no attachments. Refactors the
simple_correspondence templates to make it clearer that these are doing
the same job as the html.erb ones, for text.
Each part is a separate sentence, and we're going to reuse some of them
in the text view.
Conflicts:
spec/integration/view_request_spec.rb
Make it an integration spec so we don't need to touch the internals so
much.