From b90567e197c26c7d7d0082554317324e949a3be6 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 28 Feb 2010 15:13:06 +0000
Subject: [PATCH] Tidy up error handling in the message controller, and make it redirect to the login page if you are logged in as the wrong user. Closes #1569.
---
 app/controllers/message_controller.rb | 49 ++++++++++++++--------
 app/views/message/no_such_message.html.erb | 2 +
 config/locales/en.yml | 13 ++++--
 3 files changed, 43 insertions(+), 21 deletions(-)
 create mode 100644 app/views/message/no_such_message.html.erb
diff --git a/app/controllers/message_controller.rb b/app/controllers/message_controller.rb
index 435c3fa78..89a6c1436 100644
--- a/app/controllers/message_controller.rb
+++ b/app/controllers/message_controller.rb
@@ -47,25 +47,38 @@ class MessageController < ApplicationController
 # Allow the user to reply to another message.
 def reply
- message = Message.find(params[:message_id], :conditions => ["to_user_id = ? or from_user_id = ?", @user.id, @user.id ])
- @body = "On #{message.sent_on} #{message.sender.display_name} wrote:\n\n#{message.body.gsub(/^/, '> ')}"
- @title = @subject = "Re: #{message.title.sub(/^Re:\s*/, '')}"
- @to_user = User.find(message.from_user_id)
- render :action => 'new'
+ message = Message.find(params[:message_id])
+
+ if message.to_user_id == @user.id then
+ @body = "On #{message.sent_on} #{message.sender.display_name} wrote:\n\n#{message.body.gsub(/^/, '> ')}"
+ @title = @subject = "Re: #{message.title.sub(/^Re:\s*/, '')}"
+ @to_user = User.find(message.from_user_id)
+
+ render :action => 'new'
+ else
+ flash[:notice] = t 'message.reply.wrong_user', :user => @user.display_name
+ redirect_to :controller => "user", :action => "login", :referer => request.request_uri
+ end
 rescue ActiveRecord::RecordNotFound
- @title = t'message.no_such_user.title'
- render :action => 'no_such_user', :status => :not_found
+ @title = t'message.no_such_message.title'
+ render :action => 'no_such_message', :status => :not_found
 end
 # Show a message
 def read
 @title = t 'message.read.title'
- @message = Message.find(params[:message_id], :conditions => ["to_user_id = ? 
or from_user_id = ?", @user.id, @user.id ])
- @message.message_read = true if @message.to_user_id == @user.id
- @message.save
+ @message = Message.find(params[:message_id])
+
+ if @message.to_user_id == @user.id or @message.from_user_id == @user.id then
+ @message.message_read = true if @message.to_user_id == @user.id
+ @message.save
+ else
+ flash[:notice] = t 'message.read.wrong_user', :user => @user.display_name
+ redirect_to :controller => "user", :action => "login", :referer => request.request_uri
+ end
 rescue ActiveRecord::RecordNotFound
- @title = t'message.no_such_user.title'
- render :action => 'no_such_user', :status => :not_found
+ @title = t'message.no_such_message.title'
+ render :action => 'no_such_message', :status => :not_found
 end
 # Display the list of messages that have been sent to the user.
@@ -90,7 +103,7 @@ class MessageController < ApplicationController
 def mark
 if params[:message_id]
 id = params[:message_id]
- message = Message.find_by_id(id)
+ message = Message.find_by_id(id, :conditions => ["to_user_id = ? or from_user_id = ?", @user.id, @user.id])
 if params[:mark] == 'unread'
 message_read = false
 notice = t 'message.mark.as_unread'
@@ -112,15 +125,15 @@ class MessageController < ApplicationController
 end
 end
 rescue ActiveRecord::RecordNotFound
- @title = t'message.no_such_user.title'
- render :action => 'no_such_user', :status => :not_found
+ @title = t'message.no_such_message.title'
+ render :action => 'no_such_message', :status => :not_found
 end
 # Delete the message.
 def delete
 if params[:message_id]
 id = params[:message_id]
- message = Message.find_by_id(id)
+ message = Message.find_by_id(id => ["to_user_id = ? or from_user_id = ?", @user.id, @user.id])
 message.from_user_visible = false if message.sender == @user
 message.to_user_visible = false if message.recipient == @user
 if message.save
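Review bot: `Message.find(params[:message_id])` is now unscoped in both `reply` and `read`, so a message that exists but belongs to another user yields a redirect to login while a missing id yields the 404 page; the old scoped find returned 404 in both cases, so the response now reveals whether a given message id exists at all. If that trade-off is intended for the login redirect, it deserves a comment above each find, e.g. `# Unscoped on purpose: an id owned by another user redirects to login instead of 404 (see #1569)`; if not, keep the ownership condition in the find so both cases stay indistinguishable. The condition in `read` also uses the low-precedence keyword `or` plus a trailing `then`; `if @message.to_user_id == @user.id || @message.from_user_id == @user.id` is safer to extend later, and the `then` on the `reply` branch can go as well.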
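Review bot: `Message.find_by_id(id, :conditions => [...])` returns nil rather than raising when no row matches, so an id that is missing or belongs to another user never reaches the `rescue ActiveRecord::RecordNotFound` branch of `mark`; if the lines below the hunk dereference `message` the way `delete` does, the result is a NoMethodError on nil instead of the no_such_message page. Using the raising finder, `message = Message.find(id, :conditions => ["to_user_id = ? or from_user_id = ?", @user.id, @user.id])`, makes the new ownership scope land in the existing rescue. The same applies to the `delete` hunk below. `mark`'s body continues outside the hunk.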
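Review bot: `Message.find_by_id(id => [...])` in `delete` passes a single Hash argument (`{id => [...]}`) instead of the id followed by an options hash, so whatever SQL that produces it is not the intended `id` plus ownership lookup, and it differs from the `mark` hunk above; the line should read `message = Message.find_by_id(id, :conditions => ["to_user_id = ? or from_user_id = ?", @user.id, @user.id])`. Because `find_by_id` returns nil on no match, the following `message.from_user_visible = false if message.sender == @user` raises NoMethodError for a foreign or missing id rather than reaching the rescue; `Message.find(id, :conditions => [...])` would route that case to the no_such_message page instead. `delete`'s body continues outside the hunk.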
@@ -134,7 +147,7 @@ class MessageController < ApplicationController
 end
 end
 rescue ActiveRecord::RecordNotFound
- @title = t'message.no_such_user.title'
- render :action => 'no_such_user', :status => :not_found
+ @title = t'message.no_such_message.title'
+ render :action => 'no_such_message', :status => :not_found
 end
 end
diff --git a/app/views/message/no_such_message.html.erb b/app/views/message/no_such_message.html.erb
new file mode 100644
index 000000000..6fd52124a
--- /dev/null
+++ b/app/views/message/no_such_message.html.erb
@@ -0,0 +1,2 @@
+

<%= t'message.no_such_message.heading' %>

+

<%= t'message.no_such_message.body' %>

diff --git a/config/locales/en.yml b/config/locales/en.yml
index 89043afbb..5d647e515 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1035,9 +1035,13 @@ en:
 message_sent: "Message sent"
 limit_exceeded: "You have sent a lot of messages recently. Please wait a while before trying to send any more."
 no_such_user:
- title: "No such user or message"
- heading: "No such user or message"
- body: "Sorry there is no user or message with that name or id"
+ title: "No such user"
+ heading: "No such user"
+ body: "Sorry there is no user owith that name."
+ no_such_message:
+ title: "No such message"
+ heading: "No such message"
+ body: "Sorry there is no message with that id."
 outbox:
 title: "Outbox"
 my_inbox: "My {{inbox_link}}"
@@ -1049,6 +1053,8 @@ en:
 date: "Date"
 no_sent_messages: "You have no sent messages yet. Why not get in touch with some of the {{people_mapping_nearby_link}}?"
 people_mapping_nearby: "people mapping nearby"
+ reply:
+ wrong_user: "You are logged in as `{{user}}' but the message you have asked to reply to was not sent to that user. Please login as the correct user in order to reply."
 read:
 title: "Read message"
 reading_your_messages: "Reading your messages"
@@ -1061,6 +1067,7 @@ en:
 reading_your_sent_messages: "Reading your sent messages"
 to: "To"
 back_to_outbox: "Back to outbox"
+ wrong_user: "You are logged in as `{{user}}' but the message you have asked to read to was not sent by or to that user. Please login as the correct user in order to read it."
 sent_message_summary:
 delete_button: "Delete"
 mark:
-- 
2.43.2
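Review bot: The new `no_such_user.body` string in the first hunk has a typo, `owith`; it should read `body: "Sorry there is no user with that name."`. The `read.wrong_user` string added in the third hunk has a similar slip, `asked to read to was not sent`, which should be `asked to read was not sent`. Both are user-facing strings, so they are worth fixing in this commit rather than later.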