Fixed diary entry and comment hiding for mass assignment protection
[rails.git] / app / controllers / diary_entry_controller.rb
##
# Web controller for user diary entries and the comments made on them.
#
# Access control is layered through before_filters rather than inside the
# actions:
# * authorize_web and set_locale run for every action;
# * require_user guards the writing actions (new, edit, comment) and the
#   moderation actions (hide, hidecomment);
# * lookup_this_user resolves params[:display_name] into @this_user for
#   view and comments;
# * require_administrator (private, below) restricts hide and hidecomment
#   to administrators.
#
# NOTE(review): check_database_writable is only applied to new and edit,
# although comment, hide and hidecomment also write to the database --
# confirm whether leaving them out is intentional.
#
# list, rss and view are action-cached; list is not cached when the page
# depends on the logged-in user (see user_specific_list?), and the
# diary_sweeper expires the caches after any of the writing actions.
class DiaryEntryController < ApplicationController
  layout 'site', :except => :rss

  before_filter :authorize_web
  before_filter :set_locale
  before_filter :require_user, :only => [:new, :edit, :comment, :hide, :hidecomment]
  before_filter :lookup_this_user, :only => [:view, :comments]
  before_filter :check_database_readable
  before_filter :check_database_writable, :only => [:new, :edit]
  before_filter :require_administrator, :only => [:hide, :hidecomment]

  caches_action :list, :layout => false, :unless => :user_specific_list?
  caches_action :rss, :layout => true
  caches_action :view, :layout => false
  cache_sweeper :diary_sweeper, :only => [:new, :edit, :comment, :hide, :hidecomment]

  ##
  # Create a new diary entry for the logged-in user.
  #
  # With params[:diary_entry] present the entry is built by mass assignment
  # and saved; on success the entry's language is stored as the user's
  # "diary.default_language" preference and the user is sent to their
  # diary list, otherwise the edit form is re-rendered with the errors.
  # Without params[:diary_entry] a blank entry is prepared, pre-filled with
  # the stored default language (falling back to the user's preferred
  # language), and the edit form is rendered.
  #
  # The owner is always taken from the session (@user), never from params,
  # so a request cannot create an entry on behalf of another user. Which
  # other attributes params may set is left to the model's mass-assignment
  # whitelist -- presumably attr_accessible; verify in DiaryEntry.
  def new
    @title = t 'diary_entry.new.title'

    if params[:diary_entry]
      @diary_entry = DiaryEntry.new(params[:diary_entry])
      @diary_entry.user = @user

      if @diary_entry.save
        default_lang = @user.preferences.where(:k => "diary.default_language").first
        if default_lang
          default_lang.v = @diary_entry.language_code
          default_lang.save!
        else
          @user.preferences.create(:k => "diary.default_language", :v => @diary_entry.language_code)
        end
        redirect_to :controller => 'diary_entry', :action => 'list', :display_name => @user.display_name 
      else
        render :action => 'edit'
      end
    else
      default_lang = @user.preferences.where(:k => "diary.default_language").first
      lang_code = default_lang ? default_lang.v : @user.preferred_language
      @diary_entry = DiaryEntry.new(:language_code => lang_code)
      render :action => 'edit'
    end
  end

  ##
  # Edit an existing diary entry.
  #
  # Only the entry's owner may edit it: anyone else is redirected to the
  # view action. When params[:diary_entry] is present the entry is updated
  # by mass assignment and, on success, the user is redirected to the
  # entry; on failure (or on a plain GET) the edit form is rendered by the
  # implicit render.
  #
  # Mass assignment here relies on the model's attribute whitelist to keep
  # fields such as the owner and visibility out of reach of the form --
  # confirm against DiaryEntry.
  #
  # NOTE(review): both redirects pass :id but no :display_name, even though
  # view runs lookup_this_user on params[:display_name]; this presumably
  # depends on URL generation recalling the current path parameters --
  # confirm against the routes.
  #
  # An unknown id renders the no_such_entry page with a 404.
  def edit
    @title= t 'diary_entry.edit.title'
    @diary_entry = DiaryEntry.find(params[:id])

    if @user != @diary_entry.user
      redirect_to :controller => 'diary_entry', :action => 'view', :id => params[:id]
    elsif params[:diary_entry]
      if @diary_entry.update_attributes(params[:diary_entry])
        redirect_to :controller => 'diary_entry', :action => 'view', :id => params[:id]
      end
    end
  rescue ActiveRecord::RecordNotFound
    render :action => "no_such_entry", :status => :not_found
  end

  ##
  # Add a comment, by the logged-in user, to the diary entry params[:id].
  #
  # The comment is built from params[:diary_comment] by mass assignment
  # with its author set from the session. On save the entry's owner is
  # notified by email unless they are commenting on their own entry, and
  # the user is redirected to the entry; otherwise the view page is
  # re-rendered so the errors can be shown.
  #
  # NOTE(review): the entry is looked up without the .visible scope that
  # view applies, so comments can be added to a hidden entry -- confirm
  # whether that is intended.
  def comment
    @entry = DiaryEntry.find(params[:id])
    @diary_comment = @entry.comments.build(params[:diary_comment])
    @diary_comment.user = @user
    if @diary_comment.save
      if @diary_comment.user != @entry.user
        Notifier.diary_comment_notification(@diary_comment).deliver
      end

      redirect_to :controller => 'diary_entry', :action => 'view', :display_name => @entry.user.display_name, :id => @entry.id
    else
      render :action => 'view'
    end
  end

  ##
  # List visible diary entries, 20 per page, newest first. The selection
  # depends on which parameter is present, checked in this order:
  # * display_name -- entries of that (active) user, or render_unknown_user
  #   when no such user exists;
  # * language     -- entries in that language by active/confirmed users;
  #   Language.find raises RecordNotFound for an unknown code;
  # * friends      -- entries by the logged-in user's friends;
  # * nearby       -- entries by users near the logged-in user;
  # * none         -- all entries by active/confirmed users.
  #
  # friends and nearby need a logged-in user; without one require_user is
  # invoked and the action returns early, leaving require_user's response
  # in place. Every branch restricts to :visible => true, so hidden entries
  # never appear in listings.
  def list
    if params[:display_name]
      @this_user = User.active.find_by_display_name(params[:display_name])

      if @this_user
        @title = t 'diary_entry.list.user_title', :user => @this_user.display_name
        @entry_pages, @entries = paginate(:diary_entries,
                                          :conditions => { 
                                            :user_id => @this_user.id,
                                            :visible => true 
                                          },
                                          :order => 'created_at DESC',
                                          :per_page => 20)
      else
        render_unknown_user params[:display_name]
      end
    elsif params[:language]
      @title = t 'diary_entry.list.in_language_title', :language => Language.find(params[:language]).english_name
      @entry_pages, @entries = paginate(:diary_entries, :include => :user,
                                        :conditions => {
                                          :users => { :status => ["active", "confirmed"] },
                                          :visible => true,
                                          :language_code => params[:language]
                                        },
                                        :order => 'created_at DESC',
                                        :per_page => 20)
    elsif params[:friends]
      if @user
        @title = t 'diary_entry.list.title_friends'
        @entry_pages, @entries = paginate(:diary_entries, :include => :user,
                                          :conditions => {
                                            :user_id => @user.friend_users,
                                            :visible => true
                                          },
                                          :order => 'created_at DESC',
                                          :per_page => 20)
      else
          # not logged in: let require_user produce the response and stop here
          require_user
          return     
      end
    elsif params[:nearby]
      if @user
        @title = t 'diary_entry.list.title_nearby'
        @entry_pages, @entries = paginate(:diary_entries, :include => :user,
                                          :conditions => {
                                            :user_id => @user.nearby,
                                            :visible => true
                                          },
                                          :order => 'created_at DESC',
                                          :per_page => 20)                                        
      else
          # not logged in: let require_user produce the response and stop here
          require_user
          return     
      end                                  
    else
      @title = t 'diary_entry.list.title'
      @entry_pages, @entries = paginate(:diary_entries, :include => :user,
                                        :conditions => {
                                          :users => { :status => ["active", "confirmed"] },
                                          :visible => true
                                        },
                                        :order => 'created_at DESC',
                                        :per_page => 20)
    end
  end

  ##
  # RSS feed of diary entries. Sets @entries, @title, @description and
  # @link for the feed template, selecting by parameter:
  # * display_name -- the (active) user's visible entries; an unknown user
  #   gets an empty 404 response;
  # * language     -- visible entries in that language by active/confirmed
  #   users;
  # * none         -- visible entries by active/confirmed users.
  #
  # The starting relation is the 20 newest entries; the language and
  # default branches filter that relation further, but the user branch
  # replaces it with user.diary_entries.visible and so does not carry the
  # "created_at DESC" order or the limit of 20 with it.
  #
  # NOTE(review): user.display_name and params[:language] are interpolated
  # into @link without URL escaping -- confirm the values are constrained
  # enough (by validation or by the route) for that to be safe.
  def rss
    @entries = DiaryEntry.includes(:user).order("created_at DESC").limit(20)

    if params[:display_name]
      user = User.active.find_by_display_name(params[:display_name])

      if user
        @entries = user.diary_entries.visible
        @title = I18n.t('diary_entry.feed.user.title', :user => user.display_name)
        @description = I18n.t('diary_entry.feed.user.description', :user => user.display_name)
        @link = "http://#{SERVER_URL}/user/#{user.display_name}/diary"
      else
        render :nothing => true, :status => :not_found
      end
    elsif params[:language]
      @entries = @entries.visible.where(:language_code => params[:language]).joins(:user).where(:users => { :status => ["active", "confirmed"] })
      @title = I18n.t('diary_entry.feed.language.title', :language_name => Language.find(params[:language]).english_name)
      @description = I18n.t('diary_entry.feed.language.description', :language_name => Language.find(params[:language]).english_name)
      @link = "http://#{SERVER_URL}/diary/#{params[:language]}"
    else
      @entries = @entries.visible.joins(:user).where(:users => { :status => ["active", "confirmed"] })
      @title = I18n.t('diary_entry.feed.all.title')
      @description = I18n.t('diary_entry.feed.all.description')
      @link = "http://#{SERVER_URL}/diary"
    end
  end

  ##
  # Show a single diary entry belonging to @this_user (resolved from
  # params[:display_name] by lookup_this_user).
  #
  # The lookup is scoped to that user's visible entries, so a hidden entry
  # or an entry owned by someone else is reported as missing: the
  # no_such_entry page is rendered with a 404 rather than revealing that
  # the id exists.
  def view
    @entry = @this_user.diary_entries.visible.where(:id => params[:id]).first
    if @entry
      @title = t 'diary_entry.view.title', :user => params[:display_name], :title => @entry.title
    else
      @title = t 'diary_entry.no_such_entry.title', :id => params[:id]
      render :action => 'no_such_entry', :status => :not_found
    end
  end

  ##
  # Hide the diary entry params[:id] (administrators only, enforced by the
  # require_administrator filter) and return to the owner's diary list.
  #
  # :without_protection => true bypasses mass-assignment protection for
  # this update; the commit message indicates that is needed because
  # `visible` is not among the assignable attributes. The bypass is limited
  # to a literal {:visible => false} hash -- nothing from params reaches
  # it -- so it does not widen what a request can set.
  def hide
    entry = DiaryEntry.find(params[:id])
    entry.update_attributes({:visible => false}, :without_protection => true)
    redirect_to :action => "list", :display_name => entry.user.display_name
  end

  ##
  # Hide the diary comment params[:comment] (administrators only, enforced
  # by the require_administrator filter) and return to the entry it belongs
  # to.
  #
  # As in hide, :without_protection => true is applied to a literal
  # {:visible => false} hash only, so no request-controlled attributes are
  # assigned through the bypass.
  def hidecomment
    comment = DiaryComment.find(params[:comment])
    comment.update_attributes({:visible => false}, :without_protection => true)
    redirect_to :action => "view", :display_name => comment.diary_entry.user.display_name, :id => comment.diary_entry.id
  end

  ##
  # List the comments written by @this_user (resolved from
  # params[:display_name] by lookup_this_user), 20 per page, newest first.
  # @page holds the requested page number, defaulting to 1.
  #
  # Note that, unlike the entry listings, this query has no :visible
  # condition -- presumably hidden comments are filtered elsewhere, or are
  # meant to show here; verify.
  def comments
    @comment_pages, @comments = paginate(:diary_comments,
                                         :conditions => { :user_id => @this_user },
                                         :order => 'created_at DESC',
                                         :per_page => 20)
    @page = (params[:page] || 1).to_i
  end  
private
  ##
  # require that the user is a administrator, or fill out a helpful error message
  # and return them to the user page.
  #
  # Runs after require_user, so @user is set by the time it is reached.
  #
  # NOTE(review): the redirect passes params[:id] (the entry id in hide and
  # hidecomment) as :display_name and supplies no :id, which looks like a
  # slip -- confirm against the routes for hide and hidecomment and
  # against the view action, which expects both.
  def require_administrator
    unless @user.administrator?
      flash[:error] = t('user.filter.not_an_administrator')
      redirect_to :controller => 'diary_entry', :action => 'view', :display_name => params[:id]
    end
  end

  ##
  # is this list user specific?
  #
  # True when the friends or nearby parameter is present: those listings
  # depend on the logged-in user and must not be served from the shared
  # action cache (see caches_action :list above).
  def user_specific_list?
    params[:friends] or params[:nearby]
  end
end