authorStruan Donald <struan@exo.org.uk>2012-08-31 17:55:36 +0100
committerStruan Donald <struan@exo.org.uk>2012-08-31 17:55:36 +0100
commit8989c1cce705be9d071e62e47c08f2838f1b16e8 (patch)
treeef3d13c6db25132047e60b0bae71600a3c87ca73
parent1567ec21cf085c87b5e92d5755e8cccaec4e656d (diff)
display non public reports to creator if logged in
-rw-r--r--perllib/FixMyStreet/App/Controller/Report.pm10
-rw-r--r--t/app/controller/report_display.t22
2 files changed, 28 insertions, 4 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Report.pm b/perllib/FixMyStreet/App/Controller/Report.pm
index 9405ec48c..cda569860 100644
--- a/perllib/FixMyStreet/App/Controller/Report.pm
+++ b/perllib/FixMyStreet/App/Controller/Report.pm
@@ -75,10 +75,12 @@ sub load_problem_or_display_error : Private {
[ _('That report has been removed from FixMyStreet.') ] #
);
} elsif ( $problem->non_public ) {
- $c->detach(
- '/page_error_403_access_denied',
- [ _('That report cannot be viewed on FixMyStreet.') ] #
- );
+ if ( !$c->user || $c->user->id != $problem->user->id ) {
+ $c->detach(
+ '/page_error_403_access_denied',
+ [ _('That report cannot be viewed on FixMyStreet.') ] #
+ );
+ }
}
$c->stash->{problem} = $problem;
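Review bot: The new ownership test calls `$problem->user->id` without guarding against `$problem->user` being undefined; if a non-public report can exist without an owner, that call dies instead of returning the 403, so it is worth confirming the relation is non-nullable or guarding it. The exception to the non-public rule is otherwise only implied by the condition and deserves a comment, such as `# Non-public reports stay visible to the user who created them; everyone else gets a 403.` Naming the test also makes it read as an authorization decision rather than an id comparison, e.g. `my $is_owner = $c->user && $c->user->id == $problem->user->id;` followed by `if ( !$is_owner ) {`. load_problem_or_display_error begins before this hunk and continues after it.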
diff --git a/t/app/controller/report_display.t b/t/app/controller/report_display.t
index c7ba8ab48..3bb0913f1 100644
--- a/t/app/controller/report_display.t
+++ b/t/app/controller/report_display.t
@@ -16,6 +16,11 @@ my $user =
->find_or_create( { email => 'test@example.com', name => 'Test User' } );
ok $user, "created test user";
+my $user2 =
+ FixMyStreet::App->model('DB::User')
+ ->find_or_create( { email => 'test2@example.com', name => 'Other User' } );
+ok $user2, "created test user";
+
my $dt = DateTime->new(
year => 2011,
month => 04,
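Review bot: The description on the new `ok $user2` assertion repeats the one used for `$user` just above it, so a failure would print "created test user" twice with nothing to tell the two apart; use `ok $user2, "created second test user";`. The surrounding statement run begins before this hunk.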
@@ -107,6 +112,23 @@ subtest "change report to non_public and check for 403 status" => sub {
ok $report->update( { non_public => 0 } ), 'make report public';
};
+subtest "check owner of report can view non public reports" => sub {
+ ok $report->update( { non_public => 1 } ), 'make report non public';
+ $mech->log_in_ok( $report->user->email );
+ ok $mech->get("/report/$report_id"), "get '/report/$report_id'";
+ is $mech->res->code, 200, "report can be viewed";
+ is $mech->uri->path, "/report/$report_id", "at /report/$report_id";
+ $mech->log_out_ok;
+
+ $mech->log_in_ok( $user2->email );
+ ok $mech->get("/report/$report_id"), "get '/report/$report_id'";
+ is $mech->res->code, 403, "access denied to user who is not report creator";
+ is $mech->uri->path, "/report/$report_id", "at /report/$report_id";
+ $mech->content_contains('That report cannot be viewed on FixMyStreet.');
+ $mech->log_out_ok;
+ ok $report->update( { non_public => 0 } ), 'make report public';
+};
+
subtest "test a good report" => sub {
$mech->get_ok("/report/$report_id");
is $mech->uri->path, "/report/$report_id", "at /report/$report_id";
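Review bot: The new subtest restores `non_public => 0` only on its final line, so if any assertion before it dies (for example `log_in_ok` failing to authenticate) the report is left non-public and the following "test a good report" subtest fails for an unrelated reason. Resetting the flag unconditionally at the start of the next subtest, or arranging the body so the restore always runs, would keep failures localised to the check that actually broke. The `content_contains` check on the 403 response is useful because it pins the denial to the access-denied message rather than some other error page; a matching content check on the owner's 200 response (for instance that the page shows the report's own text) would confirm the positive branch in the same way instead of relying on the status code alone.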