From 12aca5dd819653e596f7c13e587e6e7967d6ded3 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Fri, 12 Dec 2014 14:06:51 +0000 Subject: Use RESTful routing for index and show actions --- app/controllers/admin_request_controller.rb | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) (limited to 'app/controllers/admin_request_controller.rb') diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb index 8f023bf12..90811104b 100644 --- a/app/controllers/admin_request_controller.rb +++ b/app/controllers/admin_request_controller.rb @@ -8,11 +8,6 @@ require 'ostruct' class AdminRequestController < AdminController def index - list - render :action => 'list' - end - - def list @query = params[:query] if @query info_requests = InfoRequest.where(["lower(title) like lower('%'||?||'%')", @query]) @@ -108,7 +103,7 @@ class AdminRequestController < AdminController # expire cached files expire_for_request(@info_request) flash[:notice] = 'Request successfully updated.' - redirect_to admin_request_show_url(@info_request) + redirect_to admin_request_url(@info_request) else render :action => 'edit' end @@ -125,7 +120,7 @@ class AdminRequestController < AdminController expire_for_request(@info_request) email = user.try(:email) ? user.email : 'This request is external so has no associated user' flash[:notice] = "Request #{ url_title } has been completely destroyed. Email of user who made request: #{ email }" - redirect_to admin_request_list_url + redirect_to admin_requests_url end def edit_comment @@ -146,7 +141,7 @@ class AdminRequestController < AdminController :old_visible => old_visible, :visible => @comment.visible, }) flash[:notice] = 'Comment successfully updated.' - redirect_to admin_request_show_url(@comment.info_request) + redirect_to admin_request_url(@comment.info_request) else render :action => 'edit_comment' end 
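Review bot: The title search kept as context in the first hunk, `InfoRequest.where(["lower(title) like lower('%'||?||'%')", @query])`, binds `@query` as a parameter, which is correct, but LIKE metacharacters in the value (`%`, `_`) still act as wildcards, so a query of `%` returns every request and `_` matches any single character. If literal matching is intended, escape `%`, `_` and `\` in `@query` before binding and add a matching `ESCAPE` clause; if wildcard search is a deliberate admin feature, a one-line comment saying so would stop the next reader from treating it as an oversight. `index`'s body continues past the end of the hunk.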
@@ -172,7 +167,7 @@ class AdminRequestController < AdminController info_request.reindex_request_events flash[:notice] = "Message has been moved to new user" end - redirect_to admin_request_show_url(info_request) + redirect_to admin_request_url(info_request) elsif params[:commit] == 'Move request to authority' && !params[:public_body_url_name].blank? old_public_body = info_request.public_body destination_public_body = PublicBody.find_by_url_name(params[:public_body_url_name]) @@ -191,10 +186,10 @@ class AdminRequestController < AdminController flash[:notice] = "Request has been moved to new body" end - redirect_to admin_request_show_url(info_request) + redirect_to admin_request_url(info_request) else flash[:error] = "Please enter the user or authority to move the request to" - redirect_to admin_request_show_url(info_request) + redirect_to admin_request_url(info_request) end end @@ -218,7 +213,7 @@ class AdminRequestController < AdminController if !info_request.public_body.is_foi_officer?(user) flash[:notice] = user.email + " is not an email at the domain @" + info_request.public_body.foi_officer_domain_required + ", so won't be able to upload." - redirect_to admin_request_show_url(info_request) + redirect_to admin_request_url(info_request) return end @@ -231,7 +226,7 @@ class AdminRequestController < AdminController url = confirm_url(:email_token => post_redirect.email_token) flash[:notice] = ("Send \"#{name}\" <#{email}> this URL: #{url} - it will log them in and let them upload a response to this request.").html_safe - redirect_to admin_request_show_url(info_request) + redirect_to admin_request_url(info_request) end def show_raw_email @@ -281,7 +276,7 @@ class AdminRequestController < AdminController info_request_event.save! flash[:notice] = "Old response marked as having been a clarification" - redirect_to admin_request_show_url(info_request_event.info_request) + redirect_to admin_request_url(info_request_event.info_request) end def hide_request 
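Review bot: In the hunk at `@@ -231,7 +226,7`, the context line `flash[:notice] = ("Send \"#{name}\" <#{email}> this URL: #{url} - …").html_safe` marks a string HTML-safe while interpolating `name` and `email` unescaped, so any markup in those values is rendered by the admin page as-is; only the redirect below it changes and this line is left as it was. Escape both values, `#{CGI.escapeHTML(name)}` and `<#{CGI.escapeHTML(email)}>`, or remove `.html_safe` and let the view escape the notice — with `.html_safe`, the `<…>` around the address is itself likely parsed as a tag and hidden by the browser, so the escaped version is probably also what is wanted visually. The enclosing method starts outside the hunk, so where `name` and `email` come from is not visible here.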
@@ -314,7 +309,7 @@ class AdminRequestController < AdminController end # expire cached files expire_for_request(info_request) - redirect_to admin_request_show_url(info_request) + redirect_to admin_request_url(info_request) end end -- cgit v1.2.3 From 11e2ae209c2c9c5d9452183daed1cc7f1226d7d6 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Tue, 4 Nov 2014 14:44:16 +0000 Subject: Use RESTful routing for resend action --- app/controllers/admin_request_controller.rb | 30 ----------------------------- 1 file changed, 30 deletions(-) (limited to 'app/controllers/admin_request_controller.rb') diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb index 90811104b..5ddc32648 100644 --- a/app/controllers/admin_request_controller.rb +++ b/app/controllers/admin_request_controller.rb @@ -30,36 +30,6 @@ class AdminRequestController < AdminController :locals => vars_for_explanation) end - def resend - @outgoing_message = OutgoingMessage.find(params[:outgoing_message_id]) - @outgoing_message.prepare_message_for_resend - - mail_message = case @outgoing_message.message_type - when 'initial_request' - OutgoingMailer.initial_request( - @outgoing_message.info_request, - @outgoing_message - ).deliver - when 'followup' - OutgoingMailer.followup( - @outgoing_message.info_request, - @outgoing_message, - @outgoing_message.incoming_message_followup - ).deliver - else - raise "Message id #{id} has type '#{message_type}' which cannot be resent" - end - - @outgoing_message.record_email_delivery( - mail_message.to_addrs.join(', '), - mail_message.message_id, - 'resent' - ) - - flash[:notice] = "Outgoing message resent" - redirect_to admin_request_show_url(@outgoing_message.info_request) - end - def edit @info_request = InfoRequest.find(params[:id]) end -- cgit v1.2.3 From df8488465a7f395e953f5dc9f83ddb2bac8e5df5 Mon Sep 17 00:00:00 2001 
From: Louise Crow Date: Tue, 4 Nov 2014 14:48:31 +0000 Subject: Use RESTful routing for destroy action --- app/controllers/admin_request_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/admin_request_controller.rb') diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb index 5ddc32648..b123a3467 100644 --- a/app/controllers/admin_request_controller.rb +++ b/app/controllers/admin_request_controller.rb @@ -79,7 +79,7 @@ class AdminRequestController < AdminController end end - def fully_destroy + def destroy @info_request = InfoRequest.find(params[:id]) user = @info_request.user -- cgit v1.2.3 From 9aaffdd03ac41f0116e8da73793b9ace787b3ba2 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Tue, 4 Nov 2014 14:49:35 +0000 Subject: Make move a RESTful action --- app/controllers/admin_request_controller.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'app/controllers/admin_request_controller.rb') diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb index b123a3467..87c07b3bd 100644 --- a/app/controllers/admin_request_controller.rb +++ b/app/controllers/admin_request_controller.rb @@ -118,8 +118,8 @@ class AdminRequestController < AdminController end # change user or public body of a request magically - def move_request - info_request = InfoRequest.find(params[:info_request_id]) + def move + info_request = InfoRequest.find(params[:id]) if params[:commit] == 'Move request to user' && !params[:user_url_name].blank? old_user = info_request.user destination_user = User.find_by_url_name(params[:user_url_name]) -- cgit v1.2.3 From dcfa7fd733008cd4b0bf066729df4b232342c65b Mon Sep 17 00:00:00 2001 
From: Louise Crow Date: Tue, 4 Nov 2014 14:52:49 +0000 Subject: RESTful routing for editing and updating comments --- app/controllers/admin_request_controller.rb | 24 ------------------------ 1 file changed, 24 deletions(-) (limited to 'app/controllers/admin_request_controller.rb') diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb index 87c07b3bd..6d6bf56e5 100644 --- a/app/controllers/admin_request_controller.rb +++ b/app/controllers/admin_request_controller.rb @@ -93,30 +93,6 @@ class AdminRequestController < AdminController redirect_to admin_requests_url end - def edit_comment - @comment = Comment.find(params[:id]) - end - - def update_comment - @comment = Comment.find(params[:id]) - - old_body = @comment.body - old_visible = @comment.visible - @comment.visible = params[:comment][:visible] == "true" ? true : false - - if @comment.update_attributes(params[:comment]) - @comment.info_request.log_event("edit_comment", - { :comment_id => @comment.id, :editor => admin_current_user(), - :old_body => old_body, :body => @comment.body, - :old_visible => old_visible, :visible => @comment.visible, - }) - flash[:notice] = 'Comment successfully updated.' - redirect_to admin_request_url(@comment.info_request) - else - render :action => 'edit_comment' - end - end - # change user or public body of a request magically def move info_request = InfoRequest.find(params[:id]) -- cgit v1.2.3 From 3d295b6a69ddd3a3a0cea95a383ee8757f61ed2a Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Tue, 4 Nov 2014 09:13:49 +0000 Subject: Make show_raw_email a RESTful action via GET Move specs that involve receiving email and then viewing the interface to be integration specs, which is what they really are. --- app/controllers/admin_request_controller.rb | 28 ---------------------------- 1 file changed, 28 deletions(-) (limited to 'app/controllers/admin_request_controller.rb') 
diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb index 6d6bf56e5..4869ea778 100644 --- a/app/controllers/admin_request_controller.rb +++ b/app/controllers/admin_request_controller.rb @@ -175,34 +175,6 @@ class AdminRequestController < AdminController redirect_to admin_request_url(info_request) end - def show_raw_email - @raw_email = RawEmail.find(params[:id]) - # For the holding pen, try to guess where it should be ... - @holding_pen = false - if (@raw_email.incoming_message.info_request == InfoRequest.holding_pen_request && !@raw_email.incoming_message.empty_from_field?) - @holding_pen = true - - # 1. Use domain of email to try and guess which public body it - # is associated with, so we can display that. - email = @raw_email.incoming_message.from_email - domain = PublicBody.extract_domain_from_email(email) - - if domain.nil? - @public_bodies = [] - else - @public_bodies = PublicBody.find(:all, :order => "name", - :conditions => [ "lower(request_email) like lower('%'||?||'%')", domain ]) - end - - # 2. Match the email address in the message without matching the hash - @info_requests = InfoRequest.guess_by_incoming_email(@raw_email.incoming_message) - - # 3. Give a reason why it's in the holding pen - last_event = InfoRequestEvent.find_by_incoming_message_id(@raw_email.incoming_message.id) - @rejected_reason = last_event.params[:rejected_reason] || "unknown reason" - end - end - def download_raw_email @raw_email = RawEmail.find(params[:id]) -- cgit v1.2.3 From 8916380169bcde8493230ea69adb9fcdf1522e6c Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Tue, 4 Nov 2014 14:55:11 +0000 Subject: Make hide a RESTful action accessed via POST --- app/controllers/admin_request_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/admin_request_controller.rb') 
diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb index 4869ea778..30abc5067 100644 --- a/app/controllers/admin_request_controller.rb +++ b/app/controllers/admin_request_controller.rb @@ -197,7 +197,7 @@ class AdminRequestController < AdminController redirect_to admin_request_url(info_request_event.info_request) end - def hide_request + def hide ActiveRecord::Base.transaction do subject = params[:subject] explanation = params[:explanation] -- cgit v1.2.3 From af2e8aa9e6e978f1b6cd37a92b492e8a89e2ee4d Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Mon, 3 Nov 2014 17:36:30 +0000 Subject: Remove obsolete 'require' statement --- app/controllers/admin_request_controller.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'app/controllers/admin_request_controller.rb') diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb index 8f023bf12..7d2ac2f35 100644 --- a/app/controllers/admin_request_controller.rb +++ b/app/controllers/admin_request_controller.rb @@ -4,9 +4,8 @@ # Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved. # Email: hello@mysociety.org; WWW: http://www.mysociety.org/ -require 'ostruct' - class AdminRequestController < AdminController + def index list render :action => 'list' -- cgit v1.2.3 From 148eb5e7e36a3e069d73a85188298d26bee1b220 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Tue, 4 Nov 2014 14:55:38 +0000 Subject: Make marking an event as a clarification a RESTful route --- app/controllers/admin_request_controller.rb | 15 --------------- 1 file changed, 15 deletions(-) (limited to 'app/controllers/admin_request_controller.rb') diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb index 30abc5067..9ccbd2d6f 100644 --- a/app/controllers/admin_request_controller.rb +++ b/app/controllers/admin_request_controller.rb 
@@ -182,21 +182,6 @@ class AdminRequestController < AdminController render :text => @raw_email.data end - # used so due dates get fixed - def mark_event_as_clarification - info_request_event = InfoRequestEvent.find(params[:info_request_event_id]) - if info_request_event.event_type != 'response' - raise Exception("can only mark responses as requires clarification") - end - info_request_event.described_state = 'waiting_clarification' - info_request_event.calculated_state = 'waiting_clarification' - # TODO: deliberately don't update described_at so doesn't reenter search? - info_request_event.save! - - flash[:notice] = "Old response marked as having been a clarification" - redirect_to admin_request_url(info_request_event.info_request) - end - def hide ActiveRecord::Base.transaction do subject = params[:subject] -- cgit v1.2.3 From 2a76e61f6ca78a867e4a01589287ec76a5c8f4f7 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Tue, 4 Nov 2014 14:55:59 +0000 Subject: Make downloading a raw email a RESTful route --- app/controllers/admin_request_controller.rb | 7 ------- 1 file changed, 7 deletions(-) (limited to 'app/controllers/admin_request_controller.rb') diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb index 9ccbd2d6f..e63d5e80a 100644 --- a/app/controllers/admin_request_controller.rb +++ b/app/controllers/admin_request_controller.rb @@ -175,13 +175,6 @@ class AdminRequestController < AdminController redirect_to admin_request_url(info_request) end - def download_raw_email - @raw_email = RawEmail.find(params[:id]) - - response.content_type = 'message/rfc822' - render :text => @raw_email.data - end - def hide ActiveRecord::Base.transaction do subject = params[:subject] -- cgit v1.2.3 From 92ba5052a21519af59c2aa904e1e28d9081179fb Mon Sep 17 00:00:00 2001 
From: Louise Crow Date: Fri, 31 Oct 2014 16:52:04 +0000 Subject: Escape responder name before marking notice as safe --- app/controllers/admin_request_controller.rb | 53 ++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) (limited to 'app/controllers/admin_request_controller.rb') diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb index cbf7b9f4f..b7834dfb6 100644 --- a/app/controllers/admin_request_controller.rb +++ b/app/controllers/admin_request_controller.rb 
@@ -170,10 +170,61 @@ class AdminRequestController < AdminController post_redirect.save! url = confirm_url(:email_token => post_redirect.email_token) - flash[:notice] = ("Send \"#{name}\" <#{email}> this URL: #{url} - it will log them in and let them upload a response to this request.").html_safe + flash[:notice] = ("Send \"#{CGI.escapeHTML(name)}\" <#{email}> this URL: #{url} - it will log them in and let them upload a response to this request.").html_safe redirect_to admin_request_url(info_request) end + def show_raw_email + @raw_email = RawEmail.find(params[:id]) + # For the holding pen, try to guess where it should be ... + @holding_pen = false + if (@raw_email.incoming_message.info_request == InfoRequest.holding_pen_request && !@raw_email.incoming_message.empty_from_field?) + @holding_pen = true + + # 1. Use domain of email to try and guess which public body it + # is associated with, so we can display that. + email = @raw_email.incoming_message.from_email + domain = PublicBody.extract_domain_from_email(email) + + if domain.nil? + @public_bodies = [] + else + @public_bodies = PublicBody.find(:all, :order => "name", + :conditions => [ "lower(request_email) like lower('%'||?||'%')", domain ]) + end + + # 2. Match the email address in the message without matching the hash + @info_requests = InfoRequest.guess_by_incoming_email(@raw_email.incoming_message) + + # 3. 
Give a reason why it's in the holding pen + last_event = InfoRequestEvent.find_by_incoming_message_id(@raw_email.incoming_message.id) + @rejected_reason = last_event.params[:rejected_reason] || "unknown reason" + end + end + + def download_raw_email + @raw_email = RawEmail.find(params[:id]) + + response.content_type = 'message/rfc822' + render :text => @raw_email.data + end + + # used so due dates get fixed + def mark_event_as_clarification + info_request_event = InfoRequestEvent.find(params[:info_request_event_id]) + if info_request_event.event_type != 'response' + raise Exception("can only mark responses as requires clarification") + end + info_request_event.described_state = 'waiting_clarification' + info_request_event.calculated_state = 'waiting_clarification' + # TODO: deliberately don't update described_at so doesn't reenter search? + info_request_event.save! + + flash[:notice] = "Old response marked as having been a clarification" + redirect_to admin_request_show_url(info_request_event.info_request) +>>>>>>> a5442c6... Fix XSS opportunity + end + def hide ActiveRecord::Base.transaction do subject = params[:subject] -- cgit v1.2.3 From 9de1d6b71ee0d9785631222e5619691da692fcb9 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Fri, 19 Dec 2014 17:05:12 +0000 Subject: Fix bad merge in 92ba5052a21519af59c2aa904e1e28d9081179fb --- app/controllers/admin_request_controller.rb | 51 ----------------------------- 1 file changed, 51 deletions(-) (limited to 'app/controllers/admin_request_controller.rb') diff --git a/app/controllers/admin_request_controller.rb b/app/controllers/admin_request_controller.rb index b7834dfb6..1e083f57e 100644 --- a/app/controllers/admin_request_controller.rb +++ b/app/controllers/admin_request_controller.rb 
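Review bot: The escaping on the changed `flash[:notice]` line is partial: `name` is now passed through `CGI.escapeHTML`, but `email` is still interpolated raw into a string that is then marked `.html_safe`, so the same injection path remains through that value; escape it too, `<#{CGI.escapeHTML(email)}>`, or drop `.html_safe` and let the view escape the whole notice. The rest of the hunk re-adds `show_raw_email`, `download_raw_email` and `mark_event_as_clarification`, which earlier patches in this series deleted, and leaves the conflict marker `>>>>>>> a5442c6... Fix XSS opportunity` inside the class body, which will not parse; this looks like a mis-resolved merge and the hunk should contain only the one-line escaping change. The re-added `raise Exception("can only mark responses as requires clarification")` also calls `Exception` as a method rather than raising the class, so that branch would fail with NoMethodError instead of the intended error. The enclosing upload method starts outside the hunk, so where `name` and `email` originate is not visible here.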
@@ -174,57 +174,6 @@ class AdminRequestController < AdminController redirect_to admin_request_url(info_request) end - def show_raw_email - @raw_email = RawEmail.find(params[:id]) - # For the holding pen, try to guess where it should be ... - @holding_pen = false - if (@raw_email.incoming_message.info_request == InfoRequest.holding_pen_request && !@raw_email.incoming_message.empty_from_field?) - @holding_pen = true - - # 1. Use domain of email to try and guess which public body it - # is associated with, so we can display that. - email = @raw_email.incoming_message.from_email - domain = PublicBody.extract_domain_from_email(email) - - if domain.nil? - @public_bodies = [] - else - @public_bodies = PublicBody.find(:all, :order => "name", - :conditions => [ "lower(request_email) like lower('%'||?||'%')", domain ]) - end - - # 2. Match the email address in the message without matching the hash - @info_requests = InfoRequest.guess_by_incoming_email(@raw_email.incoming_message) - - # 3. Give a reason why it's in the holding pen - last_event = InfoRequestEvent.find_by_incoming_message_id(@raw_email.incoming_message.id) - @rejected_reason = last_event.params[:rejected_reason] || "unknown reason" - end - end - - def download_raw_email - @raw_email = RawEmail.find(params[:id]) - - response.content_type = 'message/rfc822' - render :text => @raw_email.data - end - - # used so due dates get fixed - def mark_event_as_clarification - info_request_event = InfoRequestEvent.find(params[:info_request_event_id]) - if info_request_event.event_type != 'response' - raise Exception("can only mark responses as requires clarification") - end - info_request_event.described_state = 'waiting_clarification' - info_request_event.calculated_state = 'waiting_clarification' - # TODO: deliberately don't update described_at so doesn't reenter search? - info_request_event.save! 
- - flash[:notice] = "Old response marked as having been a clarification" - redirect_to admin_request_show_url(info_request_event.info_request) ->>>>>>> a5442c6... Fix XSS opportunity - end - def hide ActiveRecord::Base.transaction do subject = params[:subject] -- cgit v1.2.3