From 482d0d351b48877ac1bf1e13678c5591997755b4 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Thu, 13 Dec 2012 19:05:17 +0000 Subject: Check that a request is publicly visible before generating a download link. --- app/controllers/request_controller.rb | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 2c95114e6..6755afcda 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb 
@@ -868,13 +868,20 @@ class RequestController < ApplicationController def download_entire_request @locale = self.locale_from_params() PublicBody.with_locale(@locale) do - info_request = InfoRequest.find_by_url_title!(params[:url_title]) + @info_request = InfoRequest.find_by_url_title!(params[:url_title]) + # Test for whole request being hidden or requester-only + if !@info_request.all_can_view? + render :template => 'request/hidden', :status => 410 # gone + return + end if authenticated?( :web => _("To download the zip file"), - :email => _("Then you can download a zip file of {{info_request_title}}.",:info_request_title=>info_request.title), - :email_subject => _("Log in to download a zip file of {{info_request_title}}",:info_request_title=>info_request.title) + :email => _("Then you can download a zip file of {{info_request_title}}.", + :info_request_title=>@info_request.title), + :email_subject => _("Log in to download a zip file of {{info_request_title}}", + :info_request_title=>@info_request.title) ) - updated = Digest::SHA1.hexdigest(info_request.get_last_event.created_at.to_i.to_s + info_request.updated_at.to_i.to_s) + updated = Digest::SHA1.hexdigest(@info_request.get_last_event.created_at.to_i.to_s + @info_request.updated_at.to_i.to_s) @url_path = "/download/#{updated[0..1]}/#{updated}/#{params[:url_title]}.zip" file_path = File.expand_path(File.join(File.dirname(__FILE__), '../../cache/zips', @url_path)) if !File.exists?(file_path) @@ -883,7 +890,7 @@ class RequestController < ApplicationController convert_command = Configuration::html_to_pdf_command done = false if !convert_command.blank? && File.exists?(convert_command) - url = "http://#{Configuration::domain}#{request_url(info_request)}?print_stylesheet=1" + url = "http://#{Configuration::domain}#{request_url(@info_request)}?print_stylesheet=1" tempfile = Tempfile.new('foihtml2pdf') output = AlaveteliExternalCommand.run(convert_command, url, tempfile.path) if !output.nil? 
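Review bot: The new `all_can_view?` guard only stops a fresh link from being generated; it does nothing for a zip that was already written to `cache/zips` while the request was public, and if that directory is served directly by the web server (as the `/download/...` form of `@url_path` suggests) the old archive stays fetchable after the request is hidden. The `updated` digest is a SHA1 of two timestamps that are presumably shown on the request page, so the path is predictable rather than a secret and cannot be relied on as an access control. Consider removing a request's cached zips wherever its visibility is changed, or re-checking `all_can_view?` at the point the file is served. Separately, the on-disk name is still built from `params[:url_title]`; using `@info_request.url_title` instead would tie the filename to the canonical record value rather than to the raw parameter that merely matched the lookup, e.g. `"#{@info_request.url_title}.zip"`. `download_entire_request` continues past the end of this hunk.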
@@ -892,22 +899,21 @@ class RequestController < ApplicationController } done = true else - logger.error("Could not convert info request #{info_request.id} to PDF with command '#{convert_command} #{url} #{tempfile.path}'") + logger.error("Could not convert info request #{@info_request.id} to PDF with command '#{convert_command} #{url} #{tempfile.path}'") end tempfile.close else logger.warn("No HTML -> PDF converter found at #{convert_command}") end if !done - @info_request = info_request - @info_request_events = info_request.info_request_events + @info_request_events = @info_request.info_request_events template = File.read(File.join(File.dirname(__FILE__), "..", "views", "request", "simple_correspondence.rhtml")) output = ERB.new(template).result(binding) zipfile.get_output_stream("correspondence.txt") { |f| f.puts(output) } end - for message in info_request.incoming_messages + for message in @info_request.incoming_messages attachments = message.get_attachments_for_display for attachment in attachments filename = "#{attachment.url_part_number}_#{attachment.display_filename}" -- cgit v1.2.3 From 611411fc7907a97e3aa8c2339bc9f5b70a5d1a01 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Thu, 13 Dec 2012 19:11:48 +0000 Subject: Use helper method for download path, and use Rails.root instead of file location. --- app/controllers/request_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 6755afcda..42cfa11c6 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb 
@@ -883,7 +883,7 @@ class RequestController < ApplicationController ) updated = Digest::SHA1.hexdigest(@info_request.get_last_event.created_at.to_i.to_s + @info_request.updated_at.to_i.to_s) @url_path = "/download/#{updated[0..1]}/#{updated}/#{params[:url_title]}.zip" - file_path = File.expand_path(File.join(File.dirname(__FILE__), '../../cache/zips', @url_path)) + file_path = File.expand_path(File.join(download_zip_dir(), @url_path)) if !File.exists?(file_path) FileUtils.mkdir_p(File.dirname(file_path)) Zip::ZipFile.open(file_path, Zip::ZipFile::CREATE) { |zipfile| -- cgit v1.2.3 From d2dc193066222b279faa52a66a22760e739dd87e Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Thu, 13 Dec 2012 20:15:54 +0000 Subject: Put download zips in a predictable location - sharded folders based on request ID, rather than distributing them across the download directories by the generated SHA. Preserve the uniqueness of the subdirectory. --- app/controllers/request_controller.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'app/controllers/request_controller.rb') diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 42cfa11c6..d8c34c2dd 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -882,7 +882,10 @@ class RequestController < ApplicationController :info_request_title=>@info_request.title) ) updated = Digest::SHA1.hexdigest(@info_request.get_last_event.created_at.to_i.to_s + @info_request.updated_at.to_i.to_s) - @url_path = "/download/#{updated[0..1]}/#{updated}/#{params[:url_title]}.zip" + @url_path = File.join("/download", + request_dirs(@info_request), + updated, + "#{params[:url_title]}.zip") file_path = File.expand_path(File.join(download_zip_dir(), @url_path)) if !File.exists?(file_path) FileUtils.mkdir_p(File.dirname(file_path)) -- cgit v1.2.3
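Review bot: Every distinct `updated` digest still creates a new subdirectory under `request_dirs(@info_request)`, and nothing in this hunk removes the previous one, so archives from earlier states of the same request accumulate on disk and remain at predictable paths even after a later redaction or hide. If the move to a per-request directory is meant to make purging possible (the commit message hints at this), the hide/redact code path should clear `File.join(download_zip_dir(), "download", request_dirs(@info_request))`, and this method could delete sibling digest directories before writing a new zip, e.g. `FileUtils.rm_rf(Dir.glob(File.join(File.dirname(File.dirname(file_path)), "*")) - [File.dirname(file_path)])`. `request_dirs` is not visible here, so whether it already guarantees a per-request root is inferred from the commit message. `download_entire_request` begins before and continues after this hunk.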