From 05fc4076cd643e1cfeb9430296d394e8d456dcfd Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Thu, 13 Dec 2012 12:16:46 +0000 Subject: Don't offer or allow viewing of an HTML version of a response attachment if the request is hidden, or requester_only. Google docs viewer won't be able to access it, and our own conversion process currently can produce image files that will then be publicly viewable directly from the webserver (see config/httpd.conf). If necessary we can revisit this code to enable admins and requesters to view the HTML version created by our own conversion without adding these files to a path that is served directly by the web server. --- spec/controllers/request_controller_spec.rb | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index e898fb91b..63200fe09 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -859,6 +859,21 @@ describe RequestController, "when changing prominence of a request" do response.should render_template('request/hidden') end + it 'should not generate an HTML version of an attachment whose prominence is hidden/requester + only even for the requester or an admin but should return a 404' do + ir = info_requests(:fancy_dog_request) + ir.prominence = 'hidden' + ir.save! + receive_incoming_mail('incoming-request-two-same-name.email', ir.incoming_email) + session[:user_id] = users(:admin_user).id + lambda do + get :get_attachment_as_html, :incoming_message_id => ir.incoming_messages[1].id, + :id => ir.id, + :part => 2, + :file_name => ['hello.txt'] + end.should raise_error(ActiveRecord::RecordNotFound) + end + end # XXX do this for invalid ids -- cgit v1.2.3