author | Struan Donald <struan@exo.org.uk> | 2011-06-23 14:06:03 +0100 |
---|---|---|
committer | Struan Donald <struan@exo.org.uk> | 2011-06-23 14:06:03 +0100 |
commit | 59e5a595bd0a903f25eb6210209cec5afe1f699c (patch) | |
tree | 6665c9d5538a613d95a9d914c5d6f90e41c78096 | |
parent | 1655eca8e8d5a710500151113fc3a1d2ee2fee4b (diff) |
prevent non authority users from changing the state on updates
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Report/Update.pm | 9 | ||||
-rw-r--r-- | t/app/controller/report_updates.t | 34 |
2 files changed, 43 insertions, 0 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Report/Update.pm b/perllib/FixMyStreet/App/Controller/Report/Update.pm
index 88b53494b..02d111d9f 100644
--- a/perllib/FixMyStreet/App/Controller/Report/Update.pm
+++ b/perllib/FixMyStreet/App/Controller/Report/Update.pm
@@ -180,6 +180,15 @@ return false.
 sub check_for_errors : Private {
     my ( $self, $c ) = @_;
 
+    # they have to be an authority user to update the state
+    if ( $c->req->param('state') ) {
+        unless ( $c->user && $c->user->from_authority ) {
+            $c->stash->{errors} ||= [];
+            push @{ $c->stash->{errors} }, _('There was a problem with your update. Please try again.');
+            return;
+        }
+    }
+
     # let the model check for errors
     my %field_errors = (
         %{ $c->stash->{update_user}->check_for_errors },
diff --git a/t/app/controller/report_updates.t b/t/app/controller/report_updates.t
index 4dd1db737..bec81fb83 100644
--- a/t/app/controller/report_updates.t
+++ b/t/app/controller/report_updates.t
@@ -382,6 +382,40 @@ for my $test (
     };
 }
 
+$report->state('confirmed');
+$report->update;
+
+subtest 'check non authority user cannot change set state' => sub {
+    $mech->log_in_ok( $user->email );
+    $user->from_authority( 0 );
+    $user->update;
+
+    $mech->get_ok("/report/$report_id");
+    $mech->submit_form_ok( {
+        form_number => 2,
+        fields => {
+            submit_update => 1,
+            id => $report_id,
+            name => $user->name,
+            rznvy => $user->email,
+            may_show_name => 1,
+            add_alert => 0,
+            photo => '',
+            update => 'this is a forbidden update',
+            state => 'fixed - council',
+        },
+    },
+    'submitted with state',
+    );
+
+    is $mech->uri->path, "/report/update", "at /report/update";
+
+    my $errors = $mech->page_errors;
+    is_deeply $errors, [ 'There was a problem with your update. Please try again.' ], 'error message';
+
+    is $report->state, 'confirmed', 'state unchanged';
+};
+
 for my $test (
     {
         desc => 'submit update for register user',
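Review bot: The guard `if ( $c->req->param('state') )` tests the parameter for truthiness, so a submitted state of `0` or the empty string is not rejected here and reaches whatever later consumes the parameter; testing presence instead, `if ( defined $c->req->param('state') && length $c->req->param('state') )`, makes the authorisation check cover every supplied value. The early `return;` also skips the model's own field checks below it, so a non-authority user who sends a state sees only the generic message and none of their other field errors — acceptable for a forbidden action, but worth a one-line comment saying the short-circuit is deliberate. `from_authority` reads as a per-user flag rather than a binding to the report's council, in which case an authority user from any council may set the state on any report; confirm that is the intended scope. The body of check_for_errors continues past the end of the hunk.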
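Review bot: The final assertion `is $report->state, 'confirmed', 'state unchanged';` reads the in-memory `$report` object that the test itself set to 'confirmed' a few lines earlier, so it passes regardless of what the controller wrote to the database and cannot catch a regression; reload first with `$report->discard_changes;` (or re-fetch the row) before comparing. The subtest also sets `$user->from_authority( 0 )` and updates the row without restoring the previous value, which leaks into the following 'submit update for register user' loop if that fixture was an authority user before — save and restore the flag, or set it explicitly at the start of the later tests. A companion subtest showing that an authority user *can* set the state would pin both sides of the new rule; I cannot see whether one exists elsewhere in the file.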