Guard against non-numeric lat and lons in nodes and notes

[rails.git] / app / controllers / notes_controller.rb

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index f59e9974e10dac2dfcc7fb75aa6ae6f4fc3d287a..9c6eb94572488e75e5a99e6ddeb3b8a3c2617491 100644 (file)
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -59,8 +59,16 @@ class NotesController < ApplicationController
     raise OSM::APIBadUserInput.new("No text was given") if params[:text].blank?
 
     # Extract the arguments
-    lon = params[:lon].to_f
-    lat = params[:lat].to_f
+    begin
+      lon = Float(params[:lon])
+    rescue
+      raise OSM::APIBadUserInput.new("lon was not a number")
+    end
+    begin
+      lat = Float(params[:lat])
+    rescue
+      raise OSM::APIBadUserInput.new("lat was not a number")
+    end
     comment = params[:text]
 
     # Include in a transaction to ensure that there is always a note_comment for every note
@@ -237,7 +245,7 @@ class NotesController < ApplicationController
       @note.status = "hidden"
       @note.save
 
-      add_comment(@note, comment, "hidden")
+      add_comment(@note, comment, "hidden", false)
     end
 
     # Return a copy of the updated note
@@ -338,7 +346,7 @@ private
 
   ##
   # Add a comment to a note
-  def add_comment(note, text, event)
+  def add_comment(note, text, event, notify = true)
     attributes = { :visible => true, :event => event, :body => text }
 
     if @user  
@@ -350,7 +358,7 @@ private
     comment = note.comments.create(attributes, :without_protection => true)
 
     note.comments.map { |c| c.author }.uniq.each do |user|
-      if user and user != @user
+      if notify and user and user != @user
         Notifier.note_comment_notification(comment, user).deliver
       end
     end