Merge branch 'master' into develop

mysociety · Feb 8, 2017 · 72c7d47 · 72c7d47
2 parents 857ee1c + 04c9564
commit 72c7d47
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 30 deletions.
diff --git a/Gemfile b/Gemfile
@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'rails', '3.2.22.3'
+gem 'rails', '3.2.22.4'
 
 gem 'pg', '~> 0.18.4'
 

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -54,31 +54,31 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (3.2.22.3)
-      actionpack (= 3.2.22.3)
+    actionmailer (3.2.22.4)
+      actionpack (= 3.2.22.4)
       mail (~> 2.5.4)
-    actionpack (3.2.22.3)
-      activemodel (= 3.2.22.3)
-      activesupport (= 3.2.22.3)
+    actionpack (3.2.22.4)
+      activemodel (= 3.2.22.4)
+      activesupport (= 3.2.22.4)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       journey (~> 1.0.4)
       rack (~> 1.4.5)
       rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
       sprockets (~> 2.2.1)
-    activemodel (3.2.22.3)
-      activesupport (= 3.2.22.3)
+    activemodel (3.2.22.4)
+      activesupport (= 3.2.22.4)
       builder (~> 3.0.0)
-    activerecord (3.2.22.3)
-      activemodel (= 3.2.22.3)
-      activesupport (= 3.2.22.3)
+    activerecord (3.2.22.4)
+      activemodel (= 3.2.22.4)
+      activesupport (= 3.2.22.4)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.2.22.3)
-      activemodel (= 3.2.22.3)
-      activesupport (= 3.2.22.3)
-    activesupport (3.2.22.3)
+    activeresource (3.2.22.4)
+      activemodel (= 3.2.22.4)
+      activesupport (= 3.2.22.4)
+    activesupport (3.2.22.4)
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     addressable (2.4.0)
@@ -261,20 +261,20 @@ GEM
       rack (>= 1.0)
     rack-utf8_sanitizer (1.3.2)
       rack (>= 1.0, < 3.0)
-    rails (3.2.22.3)
-      actionmailer (= 3.2.22.3)
-      actionpack (= 3.2.22.3)
-      activerecord (= 3.2.22.3)
-      activeresource (= 3.2.22.3)
-      activesupport (= 3.2.22.3)
+    rails (3.2.22.4)
+      actionmailer (= 3.2.22.4)
+      actionpack (= 3.2.22.4)
+      activerecord (= 3.2.22.4)
+      activeresource (= 3.2.22.4)
+      activesupport (= 3.2.22.4)
       bundler (~> 1.0)
-      railties (= 3.2.22.3)
+      railties (= 3.2.22.4)
     rails-i18n (3.0.1)
       i18n (~> 0.5)
       rails (>= 3.0.0, < 4.0.0)
-    railties (3.2.22.3)
-      actionpack (= 3.2.22.3)
-      activesupport (= 3.2.22.3)
+    railties (3.2.22.4)
+      actionpack (= 3.2.22.4)
+      activesupport (= 3.2.22.4)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
@@ -429,7 +429,7 @@ DEPENDENCIES
   quiet_assets (~> 1.1.0)
   rack (~> 1.4.6)
   rack-utf8_sanitizer (~> 1.3.0)
-  rails (= 3.2.22.3)
+  rails (= 3.2.22.4)
   rails-i18n (~> 3.0.0)
   rdoc (~> 3.12.2)
   recaptcha (~> 0.4.0)

diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
@@ -1115,6 +1115,11 @@ def redirect_numeric_id_to_url_title
     # Look up by old style numeric identifiers
     if params[:url_title].match(/^[0-9]+$/)
       @info_request = InfoRequest.find(params[:url_title].to_i)
+      # We don't want to leak the title of embargoed or hidden requests, so
+      # don't even redirect on if the user can't access the request
+      if cannot?(:read, @info_request)
+        return render_hidden
+      end
       redirect_to request_url(@info_request, :format => params[:format])
     end
   end

diff --git a/config/initializers/alaveteli.rb b/config/initializers/alaveteli.rb
@@ -11,7 +11,7 @@
 load "util.rb"
 
 # Application version
-ALAVETELI_VERSION = '0.26.0.8'
+ALAVETELI_VERSION = '0.27.0.0'
 
 # Add new inflection rules using the following format
 # (all these examples are active by default):

diff --git a/doc/CHANGES.md b/doc/CHANGES.md
@@ -1,11 +1,13 @@
-# develop
+# 0.27.0.0
 
 ## Highlighted Features
 * Time in application time zone is used where appropriate in code, this fixes
   a bug in due date calculation for zones offset from UTC (Louise Crow)
 * Prevent long authority names overflowing on statistics page (Gareth Rees)
 * Fix css bug which allowed some "visually-hidden" elements to affect page
   length (Liz Conlan)
+* Header now contains pull-down menu for user-specific links, which has
+  swapped place with the search box (Martin Wright)
 * This release rolls out the first implementation of Alaveteli Pro - a service
   for use by journalists and campaigners. Includes ability to embargo requests,
   and dashboard for managing to-do items and requests. This is functionality
@@ -65,7 +67,8 @@
     app/views/user/rate_limited.html.erb
     app/views/user/show.html.erb
     app/views/widgets/show.html.erb
-0.26.0.8
+
+# 0.26.0.8
 
 ## Highlighted Features
 

diff --git a/lib/tasks/graphs.rake b/lib/tasks/graphs.rake
@@ -149,7 +149,7 @@ namespace :graphs do
     ENV["GDFONTPATH"] = "/usr/share/fonts/truetype/ttf-bitstream-vera"
 
     def assemble_sql(where_clause="")
-      "SELECT DATE(created_at), COUNT(*) " \
+      "SELECT DATE(info_requests.created_at), COUNT(*) " \
               "FROM info_requests " \
               "LEFT OUTER JOIN embargoes " \
               "ON embargoes.info_request_id = info_requests.id " \

diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
@@ -209,6 +209,12 @@
       expect{ get :show, :url_title => embargoed_request.url_title }
         .to raise_error(ActiveRecord::RecordNotFound)
     end
+
+    it "doesn't even redirect from a numeric id" do
+      embargoed_request = FactoryGirl.create(:embargoed_request)
+      expect{ get :show, :url_title => embargoed_request.id }
+        .to raise_error(ActiveRecord::RecordNotFound)
+    end
   end
 
   describe 'when showing an external request' do