From 49fc4ef5c5b297b6759415a8a82fcd7eab8e3579 Mon Sep 17 00:00:00 2001
From: irisfaraway
Date: Fri, 17 Nov 2017 15:29:00 +0000
Subject: [PATCH 1/2] Refactor pages to fix security issue
From fa3f9e042171aaad48b348b4f1a0618a321e1ab3 Mon Sep 17 00:00:00 2001
From: irisfaraway
Date: Fri, 17 Nov 2017 15:33:15 +0000
Subject: [PATCH 2/2] Generate pages with High Voltage
---
Gemfile | 3 +++
Gemfile.lock | 2 ++
app/controllers/pages_controller.rb | 15 ---------------
app/views/shared/_footer.html.erb | 4 ++--
config/routes.rb | 2 --
5 files changed, 7 insertions(+), 19 deletions(-)
delete mode 100644 app/controllers/pages_controller.rb
diff --git a/Gemfile b/Gemfile
index f416f12a9..c4d942c0c 100644
--- a/Gemfile
+++ b/Gemfile
@@ -42,6 +42,9 @@ gem "devise", "~> 4.3"
gem "govuk_elements_rails", "~> 3.1"
gem "govuk_template", "~> 0.23"
+# Use High Voltage for static pages
+gem "high_voltage"
+
group :development, :test do
# Call "byebug" anywhere in the code to stop execution and get a debugger console
gem "byebug"
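Review bot: The new `gem "high_voltage"` line carries no version constraint, while every neighbouring gem in this hunk and the hunk header (`devise "~> 4.3"`, `govuk_elements_rails "~> 3.1"`, `govuk_template "~> 0.23"`) is pinned pessimistically; Gemfile.lock resolves it to 3.0.0, so `gem "high_voltage", "~> 3.0"` would match the file's convention and keep a future `bundle update` from silently crossing a major version of the component that now owns the `/pages` URL space. The comment above it could also say why the gem is here, e.g. `# Use High Voltage for static pages (replaces the deleted PagesController)`, since the rest of the diff removes that controller and its route.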
diff --git a/Gemfile.lock b/Gemfile.lock
index 24c4eaadf..b6768951a 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -82,6 +82,7 @@ GEM
sass (>= 3.2.0)
govuk_template (0.23.0)
rails (>= 3.1)
+ high_voltage (3.0.0)
i18n (0.9.0)
concurrent-ruby (~> 1.0)
jbuilder (2.7.0)
@@ -224,6 +225,7 @@ DEPENDENCIES
factory_bot_rails
govuk_elements_rails (~> 3.1)
govuk_template (~> 0.23)
+ high_voltage
jbuilder (~> 2.0)
jquery-rails
mongoid (~> 5.2)
diff --git a/app/controllers/pages_controller.rb b/app/controllers/pages_controller.rb
deleted file mode 100644
index e2392ce9a..000000000
--- a/app/controllers/pages_controller.rb
+++ /dev/null
@@ -1,15 +0,0 @@
-class PagesController < ApplicationController
- def show
- if valid_page?
- render template: "pages/#{params[:page]}"
- else
- render file: "public/404.html", status: :not_found
- end
- end
-
- private
-
- def valid_page?
- File.exist?(Pathname.new(Rails.root + "app/views/pages/#{params[:page]}.html.erb"))
- end
-end
diff --git a/app/views/shared/_footer.html.erb b/app/views/shared/_footer.html.erb
index 96df667a1..a7ce69698 100644
--- a/app/views/shared/_footer.html.erb
+++ b/app/views/shared/_footer.html.erb
@@ -3,7 +3,7 @@
<%= t(".support_text") %>
- - <%= link_to 'Privacy', "/pages/privacy", target: "_blank" %>
- - <%= link_to 'Cookies', "/pages/cookies", target: "_blank" %>
+ - <%= link_to 'Privacy', page_path("privacy"), target: "_blank" %>
+ - <%= link_to 'Cookies', page_path("cookies"), target: "_blank" %>
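Review bot: The new `page_path("privacy")` / `page_path("cookies")` calls depend on the `page` named route that the gem's engine is expected to draw, but nothing in this diff adds a request spec covering that behaviour, and the deleted `PagesController#valid_page?` check (which the commit title says was the security issue) is being replaced by whatever the gem does for ids that do not map to a template under `app/views/pages/`. A small spec asserting that `GET /pages/privacy` and `GET /pages/cookies` return 200 and that an id with no matching template returns 404 would pin the replacement's behaviour and guard against regression. As a minor hygiene point, both links keep `target: "_blank"` without `rel: "noopener"`; the links are same-origin so the exposure is low, but `link_to 'Privacy', page_path("privacy"), target: "_blank", rel: "noopener"` is the usual form.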
diff --git a/config/routes.rb b/config/routes.rb
index 10c16a9e6..f6b230976 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -6,7 +6,5 @@
resources :registrations
- get "/pages/:page" => "pages#show"
-
root "registrations#index"
end