authorDave Arter <davea@mysociety.org>2019-04-12 17:32:06 +0100
committerMatthew Somerville <matthew-github@dracos.co.uk>2019-04-23 17:34:00 +0100
commit022a7f3366b149a97124f5c8c57f6682b5fcc7f6 (patch)
treedae76e282c4c099cca9b99f52eeeb2a04a29c9eb
parent49e1578a3c2be13079e8a05ec18074b84401919e (diff)
[Open311] Ensures non_public/hidden reports aren’t visible at /open311
-rw-r--r--CHANGELOG.md1
-rw-r--r--perllib/FixMyStreet/App/Controller/JSON.pm1
-rw-r--r--perllib/FixMyStreet/App/Controller/Open311.pm4
-rw-r--r--t/app/controller/open311.t41
4 files changed, 45 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 53a580b11..40e554cc3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -39,6 +39,7 @@
- Stop category_change firing more than it should.
- Fix extra question display when only one category.
- Fix superusers creating anonymous reports. #2435
+ - Ensure non_public reports aren't exposed at /open311 endpoint.
- Development improvements:
- Make front page cache time configurable.
- Better working of /fakemapit/ under https.
diff --git a/perllib/FixMyStreet/App/Controller/JSON.pm b/perllib/FixMyStreet/App/Controller/JSON.pm
index e1e135054..ccc5b31dc 100644
--- a/perllib/FixMyStreet/App/Controller/JSON.pm
+++ b/perllib/FixMyStreet/App/Controller/JSON.pm
@@ -87,6 +87,7 @@ sub problems : Local {
my $query = {
$date_col => $range->sql,
state => [ @state ],
+ non_public => 0,
};
$query->{category} = $category if $category;
my @problems = $c->cobrand->problems->search( $query, {
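Review bot: The `non_public => 0` filter added to `$query` in `problems` has no test in this commit: the diffstat shows only t/app/controller/open311.t changing, and both new subtests request /open311 URLs. A later edit that drops this key would re-expose private reports through this JSON action without any test failing, so a matching subtest against this controller is worth adding. The CHANGELOG entry names only the /open311 endpoint, so it could mention this one too. The body of `problems` starts and ends outside the hunk.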
diff --git a/perllib/FixMyStreet/App/Controller/Open311.pm b/perllib/FixMyStreet/App/Controller/Open311.pm
index 97e1a782a..841330e92 100644
--- a/perllib/FixMyStreet/App/Controller/Open311.pm
+++ b/perllib/FixMyStreet/App/Controller/Open311.pm
@@ -309,7 +309,8 @@ sub get_requests : Private {
delete $states->{unconfirmed};
delete $states->{submitted};
my $criteria = {
- state => [ keys %$states ]
+ state => [ keys %$states ],
+ non_public => 0,
};
my %rules = (
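Review bot: `non_public => 0` is now written by hand into `$criteria` here in `get_requests`, again in `get_request` in the next hunk, and into `$query` in JSON.pm, so every future public listing has to remember to add it. Routing all three searches through one place that applies the visibility constraint would make the safe behaviour the default; at minimum, add a comment such as `# never serve non_public reports to anonymous API clients` beside each occurrence. The `%rules` table that follows is cut off by the hunk; if it copies request parameters into `$criteria`, confirm that none of its keys can overwrite `non_public`. `get_requests` starts and ends outside the hunk.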
@@ -414,6 +415,7 @@ sub get_request : Private {
my $criteria = {
state => [ keys %$states ],
id => $id,
+ non_public => 0,
};
$c->forward( 'output_requests', [ $criteria ] );
}
diff --git a/t/app/controller/open311.t b/t/app/controller/open311.t
index 9f4f594fe..79fe159a3 100644
--- a/t/app/controller/open311.t
+++ b/t/app/controller/open311.t
@@ -6,7 +6,7 @@ my $mech = FixMyStreet::TestMech->new;
$mech->get_ok('/open311.cgi/v2/requests.rss?jurisdiction_id=fiksgatami.no&status=open&agency_responsible=1854');
like $mech->uri, qr[/open311/v2/requests\.rss\?.{65}]; # Don't know order parameters will be in now
-$mech->create_problems_for_body(2, 2237, 'Around page');
+my ($problem1, $problem2) = $mech->create_problems_for_body(2, 2237, 'Around page');
$mech->get_ok('/open311/v2/requests.xml?jurisdiction_id=foo&status=open&agency_responsible=2237');
$mech->content_contains('<description>Around page Test 2 for 2237: Around page Test 2 for 2237 Detail</description>');
$mech->content_contains('<interface_used>Web interface</interface_used>');
@@ -18,4 +18,43 @@ my $problems = $json->{requests}[0]{request};
is @$problems, 2;
like $problems->[0]{description}, qr/Around page Test/;
+subtest "non_public reports aren't available" => sub {
+ $problem1->update({
+ non_public => 1,
+ detail => 'This report is now private',
+ });
+ $mech->get_ok('/open311/v2/requests.json?jurisdiction_id=foo');
+ $json = decode_json($mech->content);
+ $problems = $json->{requests}[0]{request};
+ is @$problems, 1;
+ like $problems->[0]{description}, qr/Around page Test/;
+ $mech->content_lacks('This report is now private');
+
+ my $problem_id = $problem1->id;
+ $mech->get_ok("/open311/v2/requests/$problem_id.json?jurisdiction_id=foo");
+ $json = decode_json($mech->content);
+ $problems = $json->{requests}[0]{request};
+ is @$problems, 0;
+};
+
+subtest "hidden reports aren't available" => sub {
+ $problem1->update({
+ non_public => 0,
+ detail => 'This report is now hidden',
+ state => "hidden",
+ });
+ $mech->get_ok('/open311/v2/requests.json?jurisdiction_id=foo');
+ $json = decode_json($mech->content);
+ $problems = $json->{requests}[0]{request};
+ is @$problems, 1;
+ like $problems->[0]{description}, qr/Around page Test/;
+ $mech->content_lacks('This report is now hidden');
+
+ my $problem_id = $problem1->id;
+ $mech->get_ok("/open311/v2/requests/$problem_id.json?jurisdiction_id=foo");
+ $json = decode_json($mech->content);
+ $problems = $json->{requests}[0]{request};
+ is @$problems, 0;
+};
+
done_testing();
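Review bot: Both new subtests identify the surviving report only with `like $problems->[0]{description}, qr/Around page Test/`, which, going by the fixture text asserted earlier in the file, would match either problem, and `$problem2` is captured but never used in the visible lines. Comparing the id of the one returned request against `$problem2->id` would pin down which report is left, alongside the existing `content_lacks` check. The "hidden" subtest relies on running after the first one, because it resets `non_public => 0` on the same `$problem1`; a short comment saying so, or a fresh fixture per subtest, would keep the two independent. Only the `.json` output is exercised, although the file already fetches `.xml` above, so one `content_lacks` against that format would cover the other serialiser.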