From ef8e7b1afac46bf016cb1485c546bf7aee734c0e Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Thu, 13 Dec 2012 12:16:46 +0000 Subject: Don't offer or allow viewing of an HTML version of a request if it is hidden, or requester_only. Google docs viewer won't be able to access it, and our own conversion process currently produces image files that will then be publicly viewable. If necessary we can revisit this code to enable admins and requesters to view the HTML version created by our own conversion without adding these files to a path that is served directly by the web server. --- app/controllers/request_controller.rb | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index c732a4b32..2c95114e6 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -743,6 +743,12 @@ class RequestController < ApplicationController end def get_attachment_as_html + + # The conversion process can generate files in the cache directory that can be served up + # directly by the webserver according to httpd.conf, so don't allow it unless that's OK. + if @files_can_be_cached != true + raise ActiveRecord::RecordNotFound.new("Attachment HTML not found.") + end get_attachment_internal(true) # images made during conversion (e.g. images in PDF files) are put in the cache directory, so -- cgit v1.2.3 From 153984fd2e6841f3b0bc62e25e1718800a7c63ed Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Mon, 17 Dec 2012 15:32:39 +0000 Subject: Only serve up 'similar' pages up to the offset we use for list. --- app/controllers/request_controller.rb | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index d8c34c2dd..5d950ceb2 100644 --- a/app/controllers/request_controller.rb 
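Review bot: The guard inserted at the top of `get_attachment_as_html` stops new conversions from writing into the webserver-served cache directory, but it does nothing about image files already generated there before a request became hidden or requester_only; as the commit message itself notes those files are publicly fetchable, so hiding a request (or deploying this change) should also purge that directory for the affected requests. The check depends on `@files_can_be_cached` having been set before this action runs, presumably by a filter outside this hunk; with `!= true` an unset variable fails closed, which is the right default but deserves saying, e.g. `# @files_can_be_cached is set before the action runs; nil (filter not run) must deny too, hence the strict comparison with true`. Raising RecordNotFound before `get_attachment_internal` runs yields a 404 rather than a permissions error, which avoids confirming that a hidden attachment exists; a one-line comment recording that this is intentional would keep a later maintainer from "fixing" it. The body of `get_attachment_as_html` continues past the end of the hunk.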
+++ b/app/controllers/request_controller.rb @@ -139,6 +139,11 @@ class RequestController < ApplicationController short_cache @per_page = 25 @page = (params[:page] || "1").to_i + + # Later pages are very expensive to load + if @page > MAX_RESULTS / PER_PAGE + raise ActiveRecord::RecordNotFound.new("Sorry. No pages after #{MAX_RESULTS / PER_PAGE}.") + end @info_request = InfoRequest.find_by_url_title!(params[:url_title]) raise ActiveRecord::RecordNotFound.new("Request not found") if @info_request.nil? -- cgit v1.2.3 From 9eb02d20ace73f74161c7f0b02ff2c6567cf5125 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Mon, 17 Dec 2012 15:50:36 +0000 Subject: Limit pagination on similar pages in line with new upper limit on page offset. --- app/controllers/request_controller.rb | 2 ++ 1 file changed, 2 insertions(+) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 5d950ceb2..970dfca45 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -153,6 +153,8 @@ class RequestController < ApplicationController end @xapian_object = ::ActsAsXapian::Similar.new([InfoRequestEvent], @info_request.info_request_events, :offset => (@page - 1) * @per_page, :limit => @per_page, :collapse_by_prefix => 'request_collapse') + @matches_estimated = @xapian_object.matches_estimated + @show_no_more_than = (@matches_estimated > MAX_RESULTS) ? MAX_RESULTS : @matches_estimated if (@page > 1) @page_desc = " (page " + @page.to_s + ")" -- cgit v1.2.3
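Review bot: The upper bound added after `@page = (params[:page] || "1").to_i` is computed from the constant `PER_PAGE`, while this action paginates with the local `@per_page = 25`; unless the two are guaranteed equal, the cap does not correspond to the offset actually passed to Xapian further down, so derive both from the same value: `if @page < 1 || @page > MAX_RESULTS / @per_page`. That also closes the lower end, which the new check leaves open: `to_i` turns a non-numeric or negative `page` parameter into 0 or a negative integer, producing a negative `:offset` in the Similar query later in the same action. If MAX_RESULTS is not a multiple of the page size, integer division silently drops the last partial page; `(MAX_RESULTS + @per_page - 1) / @per_page` keeps it. The enclosing action starts before this hunk and ends after it.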
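Review bot: The new line `@show_no_more_than = (@matches_estimated > MAX_RESULTS) ? MAX_RESULTS : @matches_estimated` is a clamp written as a ternary; `@show_no_more_than = [@matches_estimated, MAX_RESULTS].min` expresses the same thing directly and avoids repeating the variable three times. Since `matches_estimated` is, as its name says, an estimate, a short comment would help whoever reads the pager code: `# Xapian's match count is an estimate; cap it so the pager never offers pages the MAX_RESULTS guard earlier in this action refuses`. Both limits in this action should be derived from the same constants, so that the last page the pager offers is one the guard accepts. The enclosing action starts and ends outside this hunk.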