From 211fe84dc40d97df8aa8724906d9170ed4f78477 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Tue, 9 Oct 2012 18:15:06 +0100 Subject: Revert "Merge remote-tracking branch 'henare_github/patch-1'" Mistakenly merged into master. Please note that we'll want to merge this work into master on the next release, at which point we'll want to revert this reversion in order that the changes are properly re-applied. This reverts commit 54281fd50c3271835a54ab4bc08d40da09d643ee, reversing changes made to 793ca358c37458e6cc4385d2366621aaee93a25e. --- spec/controllers/request_controller_spec.rb | 16 ---------------- 1 file changed, 16 deletions(-) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index 77f43b618..95737a250 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -238,22 +238,6 @@ describe RequestController, "when showing one request" do response.should have_tag('div#owner_actions') end - describe 'when the request does allow comments' do - it 'should have a comment link' do - get :show, { :url_title => 'why_do_you_have_such_a_fancy_dog' }, - { :user_id => users(:admin_user).id } - response.should have_tag('#anyone_actions', /Add an annotation/) - end - end - - describe 'when the request does not allow comments' do - it 'should not have a comment link' do - get :show, { :url_title => 'spam_1' }, - { :user_id => users(:admin_user).id } - response.should_not have_tag('#anyone_actions', /Add an annotation/) - end - end - describe 'when the request is being viewed by an admin' do describe 'if the request is awaiting description' do -- cgit v1.2.3 From e6dc0f6606b26e13cb0cd16124fdb2aad3c1b5a6 Mon Sep 17 00:00:00 2001 
From: Louise Crow Date: Wed, 17 Oct 2012 14:55:55 +0100 Subject: Revert "Revert "Merge remote-tracking branch 'henare_github/patch-1'"" This reverts commit 211fe84dc40d97df8aa8724906d9170ed4f78477. --- spec/controllers/request_controller_spec.rb | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index 95737a250..77f43b618 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -238,6 +238,22 @@ describe RequestController, "when showing one request" do response.should have_tag('div#owner_actions') end + describe 'when the request does allow comments' do + it 'should have a comment link' do + get :show, { :url_title => 'why_do_you_have_such_a_fancy_dog' }, + { :user_id => users(:admin_user).id } + response.should have_tag('#anyone_actions', /Add an annotation/) + end + end + + describe 'when the request does not allow comments' do + it 'should not have a comment link' do + get :show, { :url_title => 'spam_1' }, + { :user_id => users(:admin_user).id } + response.should_not have_tag('#anyone_actions', /Add an annotation/) + end + end + describe 'when the request is being viewed by an admin' do describe 'if the request is awaiting description' do -- cgit v1.2.3 From 3910f7f545177cdb69a5ee0196ffa54a9dba0541 Mon Sep 17 00:00:00 2001 
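Review bot: Both restored examples pass `{ :user_id => users(:admin_user).id }` as the session, so the `#anyone_actions` annotation link is only ever checked for an admin. Since that block is named for any visitor, a logged-out variant such as `get :show, :url_title => 'why_do_you_have_such_a_fancy_dog'` would show that the link does not depend on admin rights. The negative case relies on the `spam_1` fixture disallowing comments, which is not visible in this hunk; a short comment such as `# spam_1 fixture has comments disabled` (to be confirmed against the fixtures) would make that dependency explicit. The enclosing `describe RequestController, "when showing one request"` block continues outside the hunk.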
From: Louise Crow Date: Thu, 13 Dec 2012 12:16:46 +0000 Subject: Don't offer or allow viewing of an HTML version of a response attachment if the request is hidden, or requester_only. Google docs viewer won't be able to access it, and our own conversion process currently can produce image files that will then be publicly viewable directly from the webserver (see config/httpd.conf). If necessary we can revisit this code to enable admins and requesters to view the HTML version created by our own conversion without adding these files to a path that is served directly by the web server. --- spec/controllers/request_controller_spec.rb | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index b0223588e..43eca46cd 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -859,6 +859,21 @@ describe RequestController, "when changing prominence of a request" do response.should render_template('request/hidden') end + it 'should not generate an HTML version of an attachment whose prominence is hidden/requester + only even for the requester or an admin but should return a 404' do + ir = info_requests(:fancy_dog_request) + ir.prominence = 'hidden' + ir.save! + receive_incoming_mail('incoming-request-two-same-name.email', ir.incoming_email) + session[:user_id] = users(:admin_user).id + lambda do + get :get_attachment_as_html, :incoming_message_id => ir.incoming_messages[1].id, + :id => ir.id, + :part => 2, + :file_name => ['hello.txt'] + end.should raise_error(ActiveRecord::RecordNotFound) + end + end # XXX do this for invalid ids -- cgit v1.2.3
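Review bot: The new example sets only `ir.prominence = 'hidden'` and signs in only as `users(:admin_user)`, while its description and the commit message also cover `requester_only` and the requester, so those paths can regress unnoticed. Wrapping the body in `%w(hidden requester_only).each do |prominence|` and repeating it with the requester's session would make the spec match its title. The assertion checks that `ActiveRecord::RecordNotFound` is raised but not that no converted file was written, and the commit message names web-served conversion output as the actual exposure; an extra expectation that the directory the conversion writes to is unchanged after the request would pin that down (its location is not visible in this hunk). The `it` description is also split across two source lines, which embeds a newline and indentation in the example name. The enclosing `describe` block begins outside the hunk.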