return 403 for non public reports

3 files changed, 21 insertions, 0 deletions

diff --git a/perllib/FixMyStreet/App/Controller/Report.pm b/perllib/FixMyStreet/App/Controller/Report.pm
index d36ba32fe..9405ec48c 100644
--- a/perllib/FixMyStreet/App/Controller/Report.pm
+++ b/perllib/FixMyStreet/App/Controller/Report.pm
@@ -74,6 +74,11 @@ sub load_problem_or_display_error : Private {
             '/page_error_410_gone',
             [ _('That report has been removed from FixMyStreet.') ]    #
         );
+    } elsif ( $problem->non_public ) {
+        $c->detach(
+            '/page_error_403_access_denied',
+            [ _('That report cannot be viewed on FixMyStreet.') ]    #
+        );
     }
 
     $c->stash->{problem} = $problem;
diff --git a/perllib/FixMyStreet/App/Controller/Root.pm b/perllib/FixMyStreet/App/Controller/Root.pm
index 7f7d7f5fd..769a147bf 100644
--- a/perllib/FixMyStreet/App/Controller/Root.pm
+++ b/perllib/FixMyStreet/App/Controller/Root.pm
@@ -94,6 +94,13 @@ sub page_error_410_gone : Private {
     $c->response->status(410);
 }
 
+sub page_error_403_access_denied : Private {
+    my ( $self, $c, $error_msg ) = @_;
+    $c->stash->{template}  = 'index.html';
+    $c->stash->{error} = $error_msg;
+    $c->response->status(403);
+}
+
 =head2 end
 
 Attempt to render a view, if needed.
diff --git a/t/app/controller/report_display.t b/t/app/controller/report_display.t
index 6c2733e36..c7ba8ab48 100644
--- a/t/app/controller/report_display.t
+++ b/t/app/controller/report_display.t
@@ -98,6 +98,15 @@ subtest "change report to hidden and check for 410 status" => sub {
     ok $report->update( { state => 'confirmed' } ), 'confirm report again';
 };
 
+subtest "change report to non_public and check for 403 status" => sub {
+    ok $report->update( { non_public => 1 } ), 'make report non public';
+    ok $mech->get("/report/$report_id"), "get '/report/$report_id'";
+    is $mech->res->code, 403, "access denied";
+    is $mech->uri->path, "/report/$report_id", "at /report/$report_id";
+    $mech->content_contains('That report cannot be viewed on FixMyStreet.');
+    ok $report->update( { non_public => 0 } ), 'make report public';
+};
+
 subtest "test a good report" => sub {
     $mech->get_ok("/report/$report_id");
     is $mech->uri->path, "/report/$report_id", "at /report/$report_id";