use strict; use warnings; use Test::More; use FixMyStreet::TestMech; my $mech = FixMyStreet::TestMech->new; subtest "check that a bad request produces the appropriate response" => sub { my $bad_date = "Invalid dates supplied"; my $mad_date = "Start date after end date"; my $bad_type = "Invalid type supplied"; my %tests = ( '?' => $bad_date, '?foo=bar' => $bad_date, '?start_date=&end_date=' => $bad_date, '?start_date=bad&end_date=2000-02-01' => $bad_date, '?start_date=2000-01-01&end_date=bad' => $bad_date, '?start_date=2000-02-31&end_date=2000-02-01' => $bad_date, '?start_date=2000-01-01&end_date=2000-02-31' => $bad_date, '?start_date=2000-02-01&end_date=2000-01-01' => $mad_date, '?start_date=2000-01-01&end_date=2000-02-01' => $bad_type, '/foo?type=foo&start_date=2000-01-01&end_date=2000-02-01' => $bad_type, ); foreach my $q ( sort keys %tests ) { is_deeply # pre { line-height: 125%; } td.linenos .normal { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; } span.linenos { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; } td.linenos .special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; } span.linenos.special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; } .highlight .hll { background-color: #ffffcc } .highlight .c { color: #888888 } /* Comment */ .highlight .err { color: #a61717; background-color: #e3d2d2 } /* Error */ .highlight .k { color: #008800; font-weight: bold } /* Keyword */ .highlight .ch { color: #888888 } /* Comment.Hashbang */ .highlight .cm { color: #888888 } /* Comment.Multiline */ .highlight .cp { color: #cc0000; font-weight: bold } /* Comment.Preproc */ .highlight .cpf { color: #888888 } /* Comment.PreprocFile */ .highlight .c1 { color: #888888 } /* Comment.Single */ .highlight .cs { color: #cc0000; font-weight: bold; background-color: #fff0f0 } /* Comment.Special */ .highlight .gd { color: #000000; 
# controllers/admin.rb:
# All admin controllers are derived from this.
#
# Copyright (c) 2009 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/

require 'fileutils'

# Base class for every admin controller. Its job is access control: the
# +authenticate+ before_filter runs ahead of every action in any subclass,
# and the helper methods below expose who the admin user is and how to
# flush caches after an admin edit.
#
# Two configuration switches govern the whole admin surface:
# * Configuration::skip_admin_auth - when true, no login is ever demanded;
#   the identity is taken from REMOTE_USER / X-Forwarded-User and the
#   front-end proxy is fully trusted to have authenticated the client.
# * Configuration::admin_username / admin_password - the "emergency"
#   HTTP Basic credentials, used only when the request carries ?emergency=.
class AdminController < ApplicationController
    layout "admin"
    before_filter :authenticate

    # CSRF protection is on for every admin action; see
    # ActionController::RequestForgeryProtection for details.
    protect_from_forgery

    # Action to take if expecting an authenticity token and one isn't received.
    # Raising (instead of Rails' default of silently resetting the session)
    # makes a missing/invalid token a hard failure for admin forms.
    def handle_unverified_request
        raise(ActionController::InvalidAuthenticityToken)
    end

    # Always give full stack trace for admin interface.
    # Rails consults this when rendering an exception, so returning true
    # means the detailed backtrace page is shown for any error raised in an
    # admin controller regardless of the client's address. NOTE(review):
    # +authenticate+ is itself a before_filter, so an exception raised during
    # authentication would presumably also get the detailed page - confirm
    # that is acceptable for unauthenticated callers.
    def local_request?
        true
    end

    # Expire cached attachment files for a request.
    #
    # info_request - the InfoRequest whose cached renderings must be dropped.
    # Clears, in order: on-disk fragment cache, download zips, database text
    # caches, the search index, and the front-end (varnish) cache.
    def expire_for_request(info_request)
        # Clear out cached entries, by removing files from disk (the built in
        # Rails fragment cache made doing this and other things too hard).
        # rm_rf on a path derived from the request - the helper is assumed
        # to return a path under the cache root; confirm against its definition.
        cache_subpath = foi_fragment_cache_all_for_request(info_request)
        FileUtils.rm_rf(cache_subpath)

        # Remove any download zips
        download_dir = request_download_zip_dir(info_request)
        FileUtils.rm_rf(download_dir)

        # Remove the database caches of body / attachment text (the attachment text
        # one is after privacy rules are applied)
        info_request.clear_in_database_caches!

        # Also force a search reindexing (so changed text reflected in search)
        info_request.reindex_request_events

        # And remove from varnish
        info_request.purge_in_cache
    end

    # Expire cached attachment files for every request belonging to a user.
    #
    # user - the User whose info_requests are each passed to expire_for_request.
    def expire_requests_for_user(user)
        for info_request in user.info_requests
            expire_for_request(info_request)
        end
    end

    # For administration interface, return display name of authenticated user.
    # With skip_admin_auth the name comes from the request environment
    # (see admin_http_auth_user); otherwise it is whatever +authenticate+
    # stored in session[:admin_name].
    def admin_current_user
        if Configuration::skip_admin_auth
            admin_http_auth_user
        else
            session[:admin_name]
        end
    end

    # If we're skipping Alaveteli admin authentication, assume that the environment
    # will give us an authenticated user name.
    #
    # Returns REMOTE_USER if set, else the X-Forwarded-User header, else the
    # literal "*unknown*". NOTE(review): X-Forwarded-User is an ordinary
    # request header, so this value is only trustworthy while the app sits
    # behind the proxy that sets (and strips any client-supplied) copy of it,
    # as the httpd.conf rules referenced below are meant to do. If the app is
    # reachable directly, the name is client-controlled.
    def admin_http_auth_user
        # This needs special magic in mongrel: http://www.ruby-forum.com/topic/83067
        # Hence the second clause which reads X-Forwarded-User header if available.
        # See the rewrite rules in conf/httpd.conf which set X-Forwarded-User
        if request.env["REMOTE_USER"]
            return request.env["REMOTE_USER"]
        elsif request.env["HTTP_X_FORWARDED_USER"]
            return request.env["HTTP_X_FORWARDED_USER"]
        else
            return "*unknown*";
        end
    end

    # before_filter: establish that the caller is an admin, or stop the action.
    #
    # Outcome is recorded in session[:using_admin] and session[:admin_name];
    # once both are set, later requests in the same session skip all checks.
    #
    # Branches:
    # * skip_admin_auth  - mark the session admin and return; no check at all.
    # * no ?emergency=   - normal site login via authenticated?, then require
    #                      @user.admin_level == "super". A logged-in non-super
    #                      user has their session cleared and the filter is
    #                      re-run, which is expected to send them to login.
    # * ?emergency= set  - HTTP Basic against Configuration::admin_username /
    #                      admin_password, bypassing the user database.
    def authenticate
        if Configuration::skip_admin_auth
            session[:using_admin] = 1
            return
        else
            if session[:using_admin].nil? || session[:admin_name].nil?
                if params[:emergency].nil?
                    if authenticated?(
                        :web => _("To log into the administrative interface"),
                        :email => _("Then you can log into the administrative interface"),
                        :email_subject => _("Log into the admin interface"),
                        :user_name => "a superuser")
                        if !@user.nil? && @user.admin_level == "super"
                            session[:using_admin] = 1
                            session[:admin_name] = @user.url_name
                        else
                            # Logged in but not a super admin: drop the login
                            # and start over. NOTE(review): @user is not
                            # cleared here, only the session keys - confirm
                            # authenticated? reads session[:user_id] rather
                            # than @user, otherwise this recursion does not
                            # terminate.
                            session[:using_admin] = nil
                            session[:user_id] = nil
                            session[:admin_name] = nil
                            self.authenticate
                        end
                    end
                else
                    authenticate_or_request_with_http_basic do |user_name, password|
                        # NOTE(review): plain == comparison of the supplied
                        # password against the configured one; a constant-time
                        # comparison would be preferable if the Rails version
                        # in use provides one.
                        if user_name == Configuration::admin_username && password == Configuration::admin_password
                            session[:using_admin] = 1
                            session[:admin_name] = user_name
                        else
                            # Explicit 401 challenge on a bad credential; the
                            # surrounding helper would presumably also challenge
                            # on a falsy block result.
                            request_http_basic_authentication
                        end
                    end
                end
            end
        end
    end
end
# controllers/admin.rb:
# All admin controllers are derived from this.
#
# Copyright (c) 2009 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/

require 'fileutils'

# Base class for every admin controller. Its job is access control: the
# +authenticate+ before_filter runs ahead of every action in any subclass,
# and the helper methods below expose who the admin user is and how to
# flush caches after an admin edit.
#
# Two configuration switches govern the whole admin surface:
# * Configuration::skip_admin_auth - when true, no login is ever demanded;
#   the identity is taken from REMOTE_USER / X-Forwarded-User and the
#   front-end proxy is fully trusted to have authenticated the client.
# * Configuration::admin_username / admin_password - the "emergency"
#   HTTP Basic credentials, used only when the request carries ?emergency=.
class AdminController < ApplicationController
    layout "admin"
    before_filter :authenticate

    # CSRF protection is on for every admin action; see
    # ActionController::RequestForgeryProtection for details.
    protect_from_forgery

    # Action to take if expecting an authenticity token and one isn't received.
    # Raising (instead of Rails' default of silently resetting the session)
    # makes a missing/invalid token a hard failure for admin forms.
    def handle_unverified_request
        raise(ActionController::InvalidAuthenticityToken)
    end

    # Always give full stack trace for admin interface.
    # Rails consults this when rendering an exception, so returning true
    # means the detailed backtrace page is shown for any error raised in an
    # admin controller regardless of the client's address. NOTE(review):
    # +authenticate+ is itself a before_filter, so an exception raised during
    # authentication would presumably also get the detailed page - confirm
    # that is acceptable for unauthenticated callers.
    def local_request?
        true
    end

    # Expire cached attachment files for a request.
    #
    # info_request - the InfoRequest whose cached renderings must be dropped.
    # Clears, in order: on-disk fragment cache, download zips, database text
    # caches, the search index, and the front-end (varnish) cache.
    def expire_for_request(info_request)
        # Clear out cached entries, by removing files from disk (the built in
        # Rails fragment cache made doing this and other things too hard).
        # rm_rf on a path derived from the request - the helper is assumed
        # to return a path under the cache root; confirm against its definition.
        cache_subpath = foi_fragment_cache_all_for_request(info_request)
        FileUtils.rm_rf(cache_subpath)

        # Remove any download zips
        download_dir = request_download_zip_dir(info_request)
        FileUtils.rm_rf(download_dir)

        # Remove the database caches of body / attachment text (the attachment text
        # one is after privacy rules are applied)
        info_request.clear_in_database_caches!

        # Also force a search reindexing (so changed text reflected in search)
        info_request.reindex_request_events

        # And remove from varnish
        info_request.purge_in_cache
    end

    # Expire cached attachment files for every request belonging to a user.
    #
    # user - the User whose info_requests are each passed to expire_for_request.
    def expire_requests_for_user(user)
        for info_request in user.info_requests
            expire_for_request(info_request)
        end
    end

    # For administration interface, return display name of authenticated user.
    # With skip_admin_auth the name comes from the request environment
    # (see admin_http_auth_user); otherwise it is whatever +authenticate+
    # stored in session[:admin_name].
    def admin_current_user
        if Configuration::skip_admin_auth
            admin_http_auth_user
        else
            session[:admin_name]
        end
    end

    # If we're skipping Alaveteli admin authentication, assume that the environment
    # will give us an authenticated user name.
    #
    # Returns REMOTE_USER if set, else the X-Forwarded-User header, else the
    # literal "*unknown*". NOTE(review): X-Forwarded-User is an ordinary
    # request header, so this value is only trustworthy while the app sits
    # behind the proxy that sets (and strips any client-supplied) copy of it,
    # as the httpd.conf rules referenced below are meant to do. If the app is
    # reachable directly, the name is client-controlled.
    def admin_http_auth_user
        # This needs special magic in mongrel: http://www.ruby-forum.com/topic/83067
        # Hence the second clause which reads X-Forwarded-User header if available.
        # See the rewrite rules in conf/httpd.conf which set X-Forwarded-User
        if request.env["REMOTE_USER"]
            return request.env["REMOTE_USER"]
        elsif request.env["HTTP_X_FORWARDED_USER"]
            return request.env["HTTP_X_FORWARDED_USER"]
        else
            return "*unknown*";
        end
    end

    # before_filter: establish that the caller is an admin, or stop the action.
    #
    # Outcome is recorded in session[:using_admin] and session[:admin_name];
    # once both are set, later requests in the same session skip all checks.
    #
    # Branches:
    # * skip_admin_auth  - mark the session admin and return; no check at all.
    # * no ?emergency=   - normal site login via authenticated?, then require
    #                      @user.admin_level == "super". A logged-in non-super
    #                      user has their session cleared and the filter is
    #                      re-run, which is expected to send them to login.
    # * ?emergency= set  - HTTP Basic against Configuration::admin_username /
    #                      admin_password, bypassing the user database.
    def authenticate
        if Configuration::skip_admin_auth
            session[:using_admin] = 1
            return
        else
            if session[:using_admin].nil? || session[:admin_name].nil?
                if params[:emergency].nil?
                    if authenticated?(
                        :web => _("To log into the administrative interface"),
                        :email => _("Then you can log into the administrative interface"),
                        :email_subject => _("Log into the admin interface"),
                        :user_name => "a superuser")
                        if !@user.nil? && @user.admin_level == "super"
                            session[:using_admin] = 1
                            session[:admin_name] = @user.url_name
                        else
                            # Logged in but not a super admin: drop the login
                            # and start over. NOTE(review): @user is not
                            # cleared here, only the session keys - confirm
                            # authenticated? reads session[:user_id] rather
                            # than @user, otherwise this recursion does not
                            # terminate.
                            session[:using_admin] = nil
                            session[:user_id] = nil
                            session[:admin_name] = nil
                            self.authenticate
                        end
                    end
                else
                    authenticate_or_request_with_http_basic do |user_name, password|
                        # NOTE(review): plain == comparison of the supplied
                        # password against the configured one; a constant-time
                        # comparison would be preferable if the Rails version
                        # in use provides one.
                        if user_name == Configuration::admin_username && password == Configuration::admin_password
                            session[:using_admin] = 1
                            session[:admin_name] = user_name
                        else
                            # Explicit 401 challenge on a bad credential; the
                            # surrounding helper would presumably also challenge
                            # on a falsy block result.
                            request_http_basic_authentication
                        end
                    end
                end
            end
        end
    end
end