From f413c7bfb232db038dcb1265fda1bf5dabb9b4f8 Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Fri, 6 Jan 2012 09:53:36 +0000 Subject: Don't wildcard search public bodies when making a request (it causes performance issues and isn't useful here anyway) --- app/controllers/request_controller.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index dad5e81cd..8672fdf75 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -35,9 +35,8 @@ class RequestController < ApplicationController # do nothing - as "authenticated?" has done the redirect to signin page for us return end - if !params[:query].nil? - query = params[:query] + '*' + query = params[:query] query = query.split(' ').join(' OR ') # XXX: HACK for OR instead of default AND! @xapian_requests = perform_search([PublicBody], query, 'relevant', nil, 5) end -- cgit v1.2.3 From ec2614eba4591b0b138c87b84bef7ef1463aa5be Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Fri, 6 Jan 2012 17:04:12 +0000 Subject: Fix zip-attachment functionality --- app/controllers/request_controller.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 8672fdf75..f3bbd6708 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -814,7 +814,8 @@ class RequestController < ApplicationController for message in info_request.incoming_messages attachments = message.get_attachments_for_display for attachment in attachments - zipfile.get_output_stream(attachment.display_filename) { |f| + filename = "#{attachment.url_part_number}_#{attachment.display_filename}" + zipfile.get_output_stream(filename) { |f| f.puts(attachment.body) } end -- cgit v1.2.3 
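Review bot: `query = params[:query]` is handed straight to `query.split(' ')`, so a request that sends the parameter as an array or hash (`query[]=x`) raises NoMethodError and returns a 500 instead of an empty result; `query = params[:query].to_s` keeps the nil guard's intent for the other shapes Rack can produce. Dropping the trailing `*` is fine, but the OR-join still places raw user tokens in the Xapian query string, which deserves a comment stating that `perform_search` is expected to tolerate arbitrary operator characters in the text. The enclosing action starts before this hunk.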
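Review bot: `f.puts(attachment.body)` appends a newline whenever the body does not already end with one, so binary attachments (PDFs, images) written into the zip differ from the originals by a trailing byte; `f.write(attachment.body)` writes the bytes unchanged. The new entry name also embeds `attachment.display_filename`, which originates in a third-party email: unless the model already strips path separators (not visible here), an entry such as `../x` is a zip-slip hazard for whoever extracts the archive, and `File.basename(attachment.display_filename)` is a cheap guard. The enclosing method starts and ends outside this hunk.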
From ba07a044614a1648eaa176436346a3aed7f4ac74 Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Wed, 11 Jan 2012 11:53:40 +0000 Subject: Fix problem with typeahead searches containing " - " characters and similar. Closes #328 --- app/controllers/request_controller.rb | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index f3bbd6708..6e33fe043 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -755,13 +755,7 @@ class RequestController < ApplicationController # Since acts_as_xapian doesn't support the Partial match flag, we work around it # by making the last work a wildcard, which is quite the same query = params[:q] - query = query.split(' ') - if query.last.nil? || query.last.strip.length < 3 - @xapian_requests = nil - else - query = query.join(' OR ') # XXX: HACK for OR instead of default AND! - @xapian_requests = perform_search([InfoRequestEvent], query, 'relevant', 'request_collapse', 5) - end + @xapian_requests = perform_search_typeahead(query, InfoRequestEvent) render :partial => "request/search_ahead.rhtml" end -- cgit v1.2.3 From 43bd77a1ad43d7cb24117bf3973f841221fd2c6e Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Thu, 12 Jan 2012 07:47:16 +0000 Subject: Return 403 when attachment "folders" are spidered. Fixes #340 --- app/controllers/request_controller.rb | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 6e33fe043..fbd7d24d4 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb 
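Review bot: The removed code refused to search when the last token was shorter than three characters; the replacement passes `params[:q]` to `perform_search_typeahead` unconditionally, and that helper is not in this file view, so confirm it keeps a minimum-length guard — otherwise every keystroke becomes a Xapian query, the load pattern the neighbouring commits are fighting. A nil or non-String `q` (`q[]=x`) also reaches the helper untouched; `query = params[:q].to_s` before the call makes the action's own contract explicit. The action's `def` line is outside the hunk.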
@@ -600,9 +600,13 @@ class RequestController < ApplicationController before_filter :authenticate_attachment, :only => [ :get_attachment, :get_attachment_as_html ] def authenticate_attachment # Test for hidden - incoming_message = IncomingMessage.find(params[:incoming_message_id]) - if !incoming_message.info_request.user_can_view?(authenticated_user) - render :template => 'request/hidden', :status => 410 # gone + if request.path =~ /\/$/ + raise PermissionDenied.new("Directory listing not allowed") + else + incoming_message = IncomingMessage.find(params[:incoming_message_id]) + if !incoming_message.info_request.user_can_view?(authenticated_user) + render :template => 'request/hidden', :status => 410 # gone + end end end -- cgit v1.2.3 From f158e9c96d2af74c940a8d775799fcb9755d0b12 Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Thu, 12 Jan 2012 08:05:57 +0000 Subject: Return 404 for non-existent 'details' pages. Fixes #325 --- app/controllers/request_controller.rb | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index fbd7d24d4..65ce9c88a 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -118,11 +118,14 @@ class RequestController < ApplicationController def details long_cache @info_request = InfoRequest.find_by_url_title(params[:url_title]) - if !@info_request.user_can_view?(authenticated_user) - render :template => 'request/hidden', :status => 410 # gone - return + if @info_request.nil? + raise ActiveRecord::RecordNotFound.new("Request not found") + else + if !@info_request.user_can_view?(authenticated_user) + render :template => 'request/hidden', :status => 410 # gone + return + end end - @columns = ['id', 'event_type', 'created_at', 'described_state', 'last_described_at', 'calculated_state' ] end -- cgit v1.2.3 
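Review bot: `request.path =~ /\/$/` uses `$`, which in Ruby matches before a newline as well as at end of string; `\z` is the anchor that means end of path (`if request.path =~ /\/\z/`). The check also keys on URL shape rather than on the thing being protected — the cache directory the trailing slash resolves to — so other spellings of the same location may still reach the fragment cache; a `File.directory?` test where the cache path is read is the durable fix, and a comment here should say this regex is a stopgap for #340. The `else` branch only re-indents the existing hidden check, so a guard clause (`raise PermissionDenied.new("Directory listing not allowed") if request.path =~ /\/\z/`) would keep both the diff and the nesting smaller.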
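Review bot: The nil check wraps the existing visibility check in an `else` and adds a nesting level; a guard clause keeps the method flat: `raise ActiveRecord::RecordNotFound, "Request not found" if @info_request.nil?` followed by the unchanged `user_can_view?` block. `raise Klass, message` is also the idiomatic form, avoiding the `.new(...)` call. One thing worth a comment: `long_cache` runs before either check, so whatever headers it sets apply to the 404 and 410 responses as well — presumably intended, but confirm the 410 'hidden' page is not cached publicly for a request that may become visible later.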
From 99121913fa5525c6b6cec8fd6062c8a6783379bc Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Thu, 12 Jan 2012 08:56:12 +0000 Subject: Further fix for issue #328. --- app/controllers/request_controller.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 65ce9c88a..99aa3c7ea 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -37,8 +37,7 @@ class RequestController < ApplicationController end if !params[:query].nil? query = params[:query] - query = query.split(' ').join(' OR ') # XXX: HACK for OR instead of default AND! - @xapian_requests = perform_search([PublicBody], query, 'relevant', nil, 5) + @xapian_requests = perform_search_typeahead(query, PublicBody) end medium_cache end -- cgit v1.2.3 From cb020f57f9cec5610c40bbcb85257776c27642a1 Mon Sep 17 00:00:00 2001 From: Robin Houston Date: Thu, 12 Jan 2012 17:54:23 +0000 Subject: Set a variable the view relies on --- app/controllers/request_controller.rb | 1 + 1 file changed, 1 insertion(+) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 6e33fe043..b8f6fac5a 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -602,6 +602,7 @@ class RequestController < ApplicationController # Test for hidden incoming_message = IncomingMessage.find(params[:incoming_message_id]) if !incoming_message.info_request.user_can_view?(authenticated_user) + @info_request = incoming_message.info_request # used by view render :template => 'request/hidden', :status => 410 # gone end end -- cgit v1.2.3 From 4808347cb65556756d38b60b25fa9761f92c4513 Mon Sep 17 00:00:00 2001 
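Review bot: `params[:query]` still reaches `perform_search_typeahead` without being coerced to a String, so `query[]=x` fails inside the helper depending on what it does with the value (not visible here); `query = params[:query].to_s` extends the nil guard to array and hash params. `medium_cache` follows this block, so a one-line comment stating that the response is expected to vary on `query` would also help — if the cache were keyed on the path alone, typeahead results would leak between searches. The action starts before this hunk.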
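Review bot: `incoming_message.info_request` is now evaluated twice — once for `user_can_view?` and again to set `@info_request` — which is a second association lookup unless the model caches it. Assigning once before the condition reads better and removes the duplicate: `@info_request = incoming_message.info_request` then `if !@info_request.user_can_view?(authenticated_user)`. The `# used by view` comment is welcome; naming the template (`request/hidden`) makes the dependency explicit. The method's `def` line is outside the hunk.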
From: Seb Bacon Date: Fri, 13 Jan 2012 10:46:30 +0000 Subject: Further refinement for issue #340 --- app/controllers/request_controller.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index fbf862af3..af0ac4a46 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -601,10 +601,10 @@ class RequestController < ApplicationController before_filter :authenticate_attachment, :only => [ :get_attachment, :get_attachment_as_html ] def authenticate_attachment - # Test for hidden - if request.path =~ /\/$/ + if request.path =~ /\/$/ || !(params[:part] =~ /^\d+$/) raise PermissionDenied.new("Directory listing not allowed") else + # Test for hidden incoming_message = IncomingMessage.find(params[:incoming_message_id]) if !incoming_message.info_request.user_can_view?(authenticated_user) @info_request = incoming_message.info_request # used by view -- cgit v1.2.3 From a39f71ee21739eb754688f185c59c3a7f209aaa8 Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Sat, 14 Jan 2012 09:34:09 +0000 Subject: Redirect /list/recent requests to /list/all. --- app/controllers/request_controller.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index af0ac4a46..7ff97a717 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb 
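Review bot: `params[:part] =~ /^\d+$/` anchors on line boundaries, so a part value with a newline after the digits (`1%0Aevil`) still passes; `\A\d+\z` validates the whole string, giving `if request.path =~ /\/\z/ || !(params[:part] =~ /\A\d+\z/)`. The message raised for a non-numeric part, `"Directory listing not allowed"`, is misleading for that case and will confuse anyone reading error logs — a separate `raise PermissionDenied.new("Invalid attachment part")` branch keeps the two causes distinguishable. The method body continues past the end of the hunk.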
@@ -151,11 +151,14 @@ class RequestController < ApplicationController def list medium_cache @view = params[:view] + @page = get_search_page_from_params if !@page # used in cache case, as perform_search sets @page as side effect + if @view == "recent" + redirect_to request_list_all_path(:action => "list", :view => "all", :page => @page), :status => :moved_permanently + end params[:latest_status] = @view query = make_query_from_params @title = _("View and search requests") sortby = "newest" - @page = get_search_page_from_params if !@page # used in cache case, as perform_search sets @page as side effect behavior_cache :tag => [@view, @page] do xapian_object = perform_search([InfoRequestEvent], query, sortby, 'request_collapse') @list_results = xapian_object.results.map { |r| r[:model] } -- cgit v1.2.3 From 73b2fb25cd257a2e37865198fc684d3e572cf582 Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Sat, 14 Jan 2012 10:56:25 +0000 Subject: include "return" or the rest of the controller still gets executed... Belongs with commit a39f71ee21739eb754688f185c59c3a7f209aaa8 --- app/controllers/request_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 7ff97a717..8714f03cf 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -153,7 +153,7 @@ class RequestController < ApplicationController @view = params[:view] @page = get_search_page_from_params if !@page # used in cache case, as perform_search sets @page as side effect if @view == "recent" - redirect_to request_list_all_path(:action => "list", :view => "all", :page => @page), :status => :moved_permanently + return redirect_to request_list_all_path(:action => "list", :view => "all", :page => @page), :status => :moved_permanently end params[:latest_status] = @view query = make_query_from_params -- cgit v1.2.3 
From 3affd6ab3d29bf2e86c9d4b00733499d060af20c Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Tue, 17 Jan 2012 13:31:22 +0000 Subject: Don't allow directory listings (better fix for and closes #340). --- app/controllers/request_controller.rb | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 8714f03cf..1c7aeedcc 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -604,15 +604,12 @@ class RequestController < ApplicationController before_filter :authenticate_attachment, :only => [ :get_attachment, :get_attachment_as_html ] def authenticate_attachment - if request.path =~ /\/$/ || !(params[:part] =~ /^\d+$/) - raise PermissionDenied.new("Directory listing not allowed") - else - # Test for hidden - incoming_message = IncomingMessage.find(params[:incoming_message_id]) - if !incoming_message.info_request.user_can_view?(authenticated_user) - @info_request = incoming_message.info_request # used by view - render :template => 'request/hidden', :status => 410 # gone - end + # Test for hidden + incoming_message = IncomingMessage.find(params[:incoming_message_id]) + raise ActiveRecord::RecordNotFound.new("Message not found") if incoming_message.nil? + if !incoming_message.info_request.user_can_view?(authenticated_user) + @info_request = incoming_message.info_request # used by view + render :template => 'request/hidden', :status => 410 # gone end end 
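Review bot: `raise ActiveRecord::RecordNotFound.new("Message not found") if incoming_message.nil?` is unreachable: `IncomingMessage.find(id)` raises RecordNotFound itself and never returns nil, so the line is dead code unless `find` is overridden in the model (not visible here). If the intent is a 404 for a missing id, the bare `find` already delivers it; if a nil-safe lookup was intended, use `find_by_id` and keep the check. This hunk also drops the numeric validation of `params[:part]` added earlier; the later `params[:part].to_i` tolerates garbage, but a comment saying the #340 protection now lives with the cache-path check would help the next reader.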
@@ -624,8 +621,8 @@ class RequestController < ApplicationController else key = params.merge(:only_path => true) key_path = foi_fragment_cache_path(key) - if foi_fragment_cache_exists?(key_path) + raise PermissionDenied.new("Directory listing not allowed") if File.directory?(key_path) cached = foi_fragment_cache_read(key_path) response.content_type = AlaveteliFileTypes.filename_to_mimetype(params[:file_name].join("/")) || 'application/octet-stream' render_for_text(cached) -- cgit v1.2.3 From c1cfd0944500982a62187ec0cf22f008b1f1e723 Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Wed, 18 Jan 2012 11:21:27 +0000 Subject: Return a 404 for broken attachment urls. Fixes #351. --- app/controllers/request_controller.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 1c7aeedcc..33ea7d5a6 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -682,10 +682,11 @@ class RequestController < ApplicationController # Internal function def get_attachment_internal(html_conversion) @incoming_message = IncomingMessage.find(params[:incoming_message_id]) + @requested_request = InfoRequest.find(params[:id]) @incoming_message.parse_raw_email! @info_request = @incoming_message.info_request if @incoming_message.info_request_id != params[:id].to_i - raise sprintf("Incoming message %d does not belong to request %d", @incoming_message.info_request_id, params[:id]) + raise ActiveRecord::RecordNotFound.new("Incoming message %d does not belong to request %d", @incoming_message.info_request_id, params[:id]) end @part_number = params[:part].to_i @filename = params[:file_name].join("/") -- cgit v1.2.3 From bf66cd1d1d4faa249c692f13543e43f2bd6b0c03 Mon Sep 17 00:00:00 2001 
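Review bot: `File.directory?(key_path)` is the right place for the #340 check, but `key_path` is derived from `params` (including `params[:file_name]`, joined with `/` two lines later) and `foi_fragment_cache_path` is not visible here — if it does not canonicalize, a `..` segment in `file_name` could resolve outside the cache root before this check runs. Worth confirming and documenting: `# key_path is confined to the fragment cache root by foi_fragment_cache_path; re-check that helper before changing this`, or, if it is not confined, compare `File.expand_path(key_path)` against the cache root before reading. `params[:file_name].join("/")` also assumes the glob route always yields an Array. The enclosing method starts and ends outside the hunk.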
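Review bot: `@requested_request = InfoRequest.find(params[:id])` creates an instance variable that nothing in the hunk reads; it exists only for the RecordNotFound side effect, so either drop the assignment or use it in the ownership comparison below in place of `params[:id].to_i`. The check order is also off: `@incoming_message.parse_raw_email!` runs before the message is confirmed to belong to the request, so a mismatched URL pays the parsing cost before being rejected — move the `info_request_id` comparison above the parse. `ActiveRecord::RecordNotFound.new(fmt, a, b)` passes format arguments to the exception constructor rather than formatting them, which turns this 404 path into a 500. The method continues past the hunk.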
From: Robin Houston Date: Thu, 19 Jan 2012 12:40:06 +0000 Subject: Forbid very slow-to-load results pages Another temporary patch to protect the live site. --- app/controllers/request_controller.rb | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 1c7aeedcc..90c1f416d 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -155,6 +155,13 @@ class RequestController < ApplicationController if @view == "recent" return redirect_to request_list_all_path(:action => "list", :view => "all", :page => @page), :status => :moved_permanently end + + # Temporary patch + # Later pages are very expensive to load + if @page > 100 + raise "Sorry. No pages after 100 today." + end + params[:latest_status] = @view query = make_query_from_params @title = _("View and search requests") -- cgit v1.2.3 From 3e84062e1136e3e20c5b0948813397982f254f95 Mon Sep 17 00:00:00 2001 From: Robin Houston Date: Thu, 19 Jan 2012 15:57:24 +0000 Subject: Don't obscure user searches on request listing page behind cache. Fixes #256 --- app/controllers/request_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index aeb6d31fe..7bc51bc28 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb 
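Review bot: `raise "Sorry. No pages after 100 today."` raises a RuntimeError, which surfaces as a 500 (and presumably an exception notification) for every deep-page crawl rather than a deliberate client error; raising `ActiveRecord::RecordNotFound` or rendering a 404 is cheaper and more honest. The magic `100` is also unexplained — a named constant with a comment tying it to the per-page size would make the limit reviewable. The action starts before the hunk.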
@@ -166,7 +166,7 @@ class RequestController < ApplicationController query = make_query_from_params @title = _("View and search requests") sortby = "newest" - behavior_cache :tag => [@view, @page] do + behavior_cache :tag => [@query, @page, I18n.locale] do xapian_object = perform_search([InfoRequestEvent], query, sortby, 'request_collapse') @list_results = xapian_object.results.map { |r| r[:model] } @matches_estimated = xapian_object.matches_estimated -- cgit v1.2.3 From a37e9f21f00af03d271cb40de7d849cb8941bc02 Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Fri, 20 Jan 2012 11:00:05 +0000 Subject: Don't allow users to page beyond a certain number of results (because in large databases, the sorting of such large batches causes an extreme slowdown). --- app/controllers/request_controller.rb | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 7bc51bc28..0f980b43f 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -13,6 +13,9 @@ require 'open-uri' class RequestController < ApplicationController before_filter :check_read_only, :only => [ :new, :show_response, :describe_state, :upload_response ] protect_from_forgery :only => [ :new, :show_response, :describe_state, :upload_response ] # See ActionController::RequestForgeryProtection for details + + MAX_RESULTS = 500 + PER_PAGE = 25 @@custom_states_loaded = false begin 
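Review bot: The new tag references `@query`, but the visible code assigns the search string to the local `query` (`query = make_query_from_params`); unless `make_query_from_params` also sets `@query` as a side effect, the ivar is nil and every search shares one cache entry per page — exactly the symptom #256 describes. Using the local, `behavior_cache :tag => [query, @page, I18n.locale] do`, removes the dependency on the helper's side effects. The enclosing action starts and ends outside the hunk.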
@@ -155,11 +158,10 @@ class RequestController < ApplicationController if @view == "recent" return redirect_to request_list_all_path(:action => "list", :view => "all", :page => @page), :status => :moved_permanently end - - # Temporary patch - # Later pages are very expensive to load - if @page > 100 - raise "Sorry. No pages after 100 today." + + # Later pages are very expensive to load + if @page > MAX_RESULTS / PER_PAGE + raise ActiveRecord::RecordNotFound.new("Sorry. No pages after #{MAX_RESULTS / PER_PAGE}.") end params[:latest_status] = @view @@ -170,6 +172,7 @@ class RequestController < ApplicationController xapian_object = perform_search([InfoRequestEvent], query, sortby, 'request_collapse') @list_results = xapian_object.results.map { |r| r[:model] } @matches_estimated = xapian_object.matches_estimated + @show_no_more_than = (@matches_estimated > MAX_RESULTS) ? MAX_RESULTS : @matches_estimated end @title = @title + " (page " + @page.to_s + ")" if (@page > 1) -- cgit v1.2.3 From a225ecc14774edad034b16ffe62a31e06ff0b98c Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Tue, 24 Jan 2012 10:29:17 +0000 Subject: Bug: we are causing a 500 when trying to raise 404 because the arguments to the exception constructor are wrong. --- app/controllers/request_controller.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 0f980b43f..f8d4de22b 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb 
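Review bot: `@page > MAX_RESULTS / PER_PAGE` only bounds the work if `PER_PAGE` matches the page size `perform_search` actually uses, and nothing in this file ties the two together; a comment on the constant or here — `# PER_PAGE must equal the page size used by perform_search` — stops them drifting apart. Ruby idiom is `raise ActiveRecord::RecordNotFound, "Sorry. No pages after #{MAX_RESULTS / PER_PAGE}."` rather than `.new(...)`. The action starts before the hunk.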
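Review bot: `@show_no_more_than = (@matches_estimated > MAX_RESULTS) ? MAX_RESULTS : @matches_estimated` is a clamp spelled as a ternary; `@show_no_more_than = [@matches_estimated, MAX_RESULTS].min` says the same thing directly. The variable is consumed by a view that is not in this diff, so a comment would help: `# cap on the result count the pager advertises, since pages beyond MAX_RESULTS are refused above`. The `behavior_cache` block this sits in opens outside the hunk.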
@@ -696,7 +696,8 @@ class RequestController < ApplicationController @incoming_message.parse_raw_email! @info_request = @incoming_message.info_request if @incoming_message.info_request_id != params[:id].to_i - raise ActiveRecord::RecordNotFound.new("Incoming message %d does not belong to request %d", @incoming_message.info_request_id, params[:id]) + message = "Incoming message %d does not belong to request %d" % [@incoming_message.info_request_id, params[:id]] + raise ActiveRecord::RecordNotFound.new(message) end @part_number = params[:part].to_i @filename = params[:file_name].join("/") -- cgit v1.2.3 From 5ccba9966f685ab61efa97350177c745f36bf13b Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Tue, 24 Jan 2012 10:40:35 +0000 Subject: Ensure short cache keys for interlock. Fixes #362 --- app/controllers/request_controller.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index f8d4de22b..75bdac2a9 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -168,7 +168,8 @@ class RequestController < ApplicationController query = make_query_from_params @title = _("View and search requests") sortby = "newest" - behavior_cache :tag => [@query, @page, I18n.locale] do + @cache_tag = Digest::MD5.hexdigest(query + @page.to_s) + behavior_cache :tag => [@cache_tag] do xapian_object = perform_search([InfoRequestEvent], query, sortby, 'request_collapse') @list_results = xapian_object.results.map { |r| r[:model] } @matches_estimated = xapian_object.matches_estimated -- cgit v1.2.3 From 257c6d0688b7288d64bc59192e9cc96a2be3d22d Mon Sep 17 00:00:00 2001 From: Robin Houston Date: Thu, 26 Jan 2012 00:52:27 +0000 Subject: Remove trailing spaces --- app/controllers/request_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/request_controller.rb') 
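Review bot: `"... %d ..." % [..., params[:id]]` formats the raw URL parameter with `%d`, and `String#%` applies `Integer()` to a String for that directive, so a non-numeric id such as `abc` raises ArgumentError here and the intended 404 becomes a 500 again. Use `%s` for the parameter (`"Incoming message %d does not belong to request '%s'"`) or plain interpolation, since only the message id is known to be an integer. The method continues past the hunk.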
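Review bot: `Digest::MD5.hexdigest(query + @page.to_s)` drops `I18n.locale` from the key the previous revision of this line included, so localized list pages now share a cache entry across languages. The concatenation also has no separator: query `foo1` on page 2 and query `foo` on page 12 both hash `foo12`. Both are fixed by hashing a delimited tuple: `@cache_tag = Digest::MD5.hexdigest([query, @page, I18n.locale].join("|"))`. Note `query + ...` raises if `make_query_from_params` ever returns nil, where the array form would not. The action starts before the hunk.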
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 75bdac2a9..8e9b925dd 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -74,7 +74,7 @@ class RequestController < ApplicationController @info_request_events = @info_request.info_request_events @status = @info_request.calculate_status @collapse_quotes = params[:unfold] ? false : true - @update_status = params[:update_status] ? true : false + @update_status = params[:update_status] ? true : false @old_unclassified = @info_request.is_old_unclassified? && !authenticated_user.nil? if @update_status -- cgit v1.2.3 From 6d7bea575ec185379efb648f6bbbd520029e3a91 Mon Sep 17 00:00:00 2001 From: Robin Houston Date: Thu, 26 Jan 2012 00:54:22 +0000 Subject: Fix #372 --- app/controllers/request_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 8e9b925dd..a70e8d16c 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -76,6 +76,7 @@ class RequestController < ApplicationController @collapse_quotes = params[:unfold] ? false : true @update_status = params[:update_status] ? true : false @old_unclassified = @info_request.is_old_unclassified? && !authenticated_user.nil? + @is_owning_user = @info_request.is_owning_user?(authenticated_user) if @update_status return if !@is_owning_user && !authenticated_as_user?(@info_request.user, @@ -108,7 +109,6 @@ class RequestController < ApplicationController # For send followup link at bottom @last_response = @info_request.get_last_response - @is_owning_user = @info_request.is_owning_user?(authenticated_user) respond_to do |format| format.html { @has_json = true; render :template => 'request/show'} format.json { render :json => @info_request.json_for_api(true) } -- cgit v1.2.3 
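Review bot: Moving `@is_owning_user` above its first use fixes the use-before-assignment, but the surrounding lines read awkwardly: `params[:unfold] ? false : true` and `params[:update_status] ? true : false` are `!params[:unfold]` and `!!params[:update_status]`. A short comment on the moved line would help now that it gates two things: `# set before the update_status branch below, which reads it; also used by the view`. The hunk ends mid-statement, so the `return if` condition continues outside it.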
From 500b4d37702cdbad113ccb94c875e90dd770231a Mon Sep 17 00:00:00 2001 From: Robin Houston Date: Sun, 29 Jan 2012 20:23:34 +0000 Subject: Rate limiting Add the capability to specify a limit to the number of requests a user can make per day, which can be turned off for specific users in the admin interface. --- app/controllers/request_controller.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index a70e8d16c..fc1ffdd75 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -208,8 +208,12 @@ class RequestController < ApplicationController # Banned from making new requests? if !authenticated_user.nil? && !authenticated_user.can_file_requests? - @details = authenticated_user.can_fail_html - render :template => 'user/banned' + if authenticated_user.exceeded_limit? + render :template => 'user/rate_limited' + else + @details = authenticated_user.can_fail_html + render :template => 'user/banned' + end return end -- cgit v1.2.3 From c36b1b52e04213be91b461416d81ecbade4db159 Mon Sep 17 00:00:00 2001 From: Robin Houston Date: Tue, 31 Jan 2012 17:40:02 +0000 Subject: Keep message text if user is rate-limited If a user cannot make new requests because they are rate-limited, and they compose a request whilst logged out, include the text of the request in the message that explains about the rate limit so it is not lost. --- app/controllers/request_controller.rb | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index fc1ffdd75..ccd9636d1 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb 
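Review bot: `exceeded_limit?` is tested only once `can_file_requests?` is already false, so a user who is both banned and over the daily limit is shown the rate-limited page and never the ban explanation — if that template invites them to try again tomorrow, it is misleading. Checking the ban condition (whatever `can_fail_html` reports on) before `exceeded_limit?`, or letting a single predicate decide and the template explain, avoids the ambiguity; I can't see the User model's predicates from here, so confirm which one `can_file_requests?` folds in. A comment stating that `can_file_requests?` is false for rate-limited users as well as banned ones would document the coupling. The action starts before the hunk.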
@@ -207,18 +207,28 @@ class RequestController < ApplicationController end # Banned from making new requests? + user_exceeded_limit = false if !authenticated_user.nil? && !authenticated_user.can_file_requests? - if authenticated_user.exceeded_limit? - render :template => 'user/rate_limited' - else + # If the reason the user cannot make new requests is that they are + # rate-limited, it’s possible they composed a request before they + # logged in and we want to include the text of the request so they + # can squirrel it away for tomorrow, so we detect this later after + # we have constructed the InfoRequest. + user_exceeded_limit = authenticated_user.exceeded_limit? + if !user_exceeded_limit @details = authenticated_user.can_fail_html render :template => 'user/banned' + return end - return end # First time we get to the page, just display it if params[:submitted_new_request].nil? || params[:reedit] + if user_exceeded_limit + render :template => 'user/rate_limited' + return + end + params[:info_request] = { } if !params[:info_request] # Read parameters in - first the public body (by URL name or id) @@ -318,6 +328,11 @@ class RequestController < ApplicationController return end + if user_exceeded_limit + render :template => 'user/rate_limited' + return + end + if !authenticated?( :web => _("To send your FOI request"), :email => _("Then your FOI request to {{public_body_name}} will be sent.",:public_body_name=>@info_request.public_body.name), -- cgit v1.2.3 From 8ce0205f1553f724f070544d275c7762f480efb3 Mon Sep 17 00:00:00 2001 From: Robin Houston Date: Wed, 1 Feb 2012 12:01:21 +0000 Subject: issue #351 redux Corrected diagnosis, test & fix for issue #351. Fixes #351. --- app/controllers/request_controller.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index ccd9636d1..2295d6718 100644 
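Review bot: In the first-visit branch (`params[:submitted_new_request].nil? || params[:reedit]`), `render :template => 'user/rate_limited'` now runs before `@info_request` is built, so that template cannot show the composed text there — the commit message's goal only holds for the second render added further down, after the InfoRequest is constructed. If the template reads `@info_request`, this early render should either construct it first or be commented as the no-draft case: `# no draft to preserve here: the user has not submitted anything yet`. `user_exceeded_limit` is also only ever true when `can_file_requests?` is false, which silently assumes `can_file_requests?` incorporates the rate limit; a one-line comment stating that coupling would help. The action starts before the hunk.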
--- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -716,7 +716,10 @@ class RequestController < ApplicationController @incoming_message.parse_raw_email! @info_request = @incoming_message.info_request if @incoming_message.info_request_id != params[:id].to_i - message = "Incoming message %d does not belong to request %d" % [@incoming_message.info_request_id, params[:id]] + # Note that params[:id] might not be an integer, though + # if we’ve got this far then it must begin with an integer + # and that integer must be the id number of an actual request. + message = "Incoming message %d does not belong to request '%s'" % [@incoming_message.info_request_id, params[:id]] raise ActiveRecord::RecordNotFound.new(message) end @part_number = params[:part].to_i -- cgit v1.2.3
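Review bot: The new comment documents that `params[:id]` may be a non-integer string that merely begins with digits, yet the comparison still relies on `params[:id].to_i` agreeing with ActiveRecord's own cast; comparing against the record removes the caveat: `if @incoming_message.info_request_id != @requested_request.id` (the `@requested_request = InfoRequest.find(params[:id])` assignment appears earlier in this method, outside the hunk, per an earlier commit on this page). That makes the mismatch check independent of string-to-integer coercion and the three-line comment can shrink to one. Alternatively constrain `:id` to `\d+` in the route so the loose form never reaches the controller. The method starts and ends outside the hunk.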