authorDave Arter <davea@mysociety.org>2016-07-15 17:02:56 +0100
committerDave Arter <davea@mysociety.org>2016-08-17 15:27:46 +0100
commitf0220a9742ef0b7458b2dafaba5d9f860a741a91 (patch)
tree6d860ab0ad82864e94e9aa3215d6f1c3fa530ae6
parent0ce7030998ff93c893d78a04669582423daceaad (diff)
Require 'report_edit' permission for editing reports in admin
-rw-r--r--perllib/FixMyStreet/App/Controller/Admin.pm7
-rw-r--r--t/app/controller/admin.t47
2 files changed, 54 insertions, 0 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index ea8633db0..fbd855333 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -669,6 +669,13 @@ sub report_edit : Path('report_edit') : Args(1) {
$c->detach( '/page_error_404_not_found' )
unless $problem;
+ unless (
+ $c->cobrand->moniker eq 'zurich'
+ || $c->user->has_permission_to(report_edit => $problem->bodies_str)
+ ) {
+ $c->detach( '/page_error_403_access_denied', [] );
+ }
+
$c->stash->{problem} = $problem;
$c->forward('/auth/get_csrf_token');
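Review bot: The new guard detaches to `/page_error_403_access_denied`, yet the tests added in t/app/controller/admin.t (lines 50 and 78 of this page) assert a 404 status; unless that handler deliberately answers with 404, either the controller should detach to the not-found handler or the tests should expect 403, and whichever is intended deserves a comment here, e.g. `# Permission failures are answered as 'not found' so the report's existence is not disclosed` if hiding existence is the goal. `$problem->bodies_str` is passed straight to `has_permission_to`; the column name suggests a comma-separated list of body ids, and it is not visible from the hunk whether that method accepts more than one id — if it does not, a report filed against several bodies would be denied even to a user holding the permission for one of them. The zurich exemption is a hard-coded cobrand check in the controller; a cobrand hook would keep cobrand-specific policy out of the admin action. report_edit starts and ends outside the hunk.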
diff --git a/t/app/controller/admin.t b/t/app/controller/admin.t
index 51307f756..aceaf2981 100644
--- a/t/app/controller/admin.t
+++ b/t/app/controller/admin.t
@@ -1331,6 +1331,53 @@ subtest "Users with from_body can't access fixmystreet.com admin" => sub {
};
};
+$report->bodies_str(2237);
+$report->cobrand('oxfordshire');
+$report->update;
+
+$mech->log_in_ok( $oxfordshireuser->email );
+
+subtest "Users can't edit report without report_edit permission" => sub {
+ FixMyStreet::override_config {
+ ALLOWED_COBRANDS => [ 'oxfordshire' ],
+ }, sub {
+ $mech->get("/admin/report_edit/$report_id");
+ ok !$mech->res->is_success(), "want a bad response";
+ is $mech->res->code, 404, "got 404, can't edit report without report_edit permission";
+ };
+};
+
+subtest "Users can edit report with report_edit permission" => sub {
+ FixMyStreet::override_config {
+ ALLOWED_COBRANDS => [ 'oxfordshire' ],
+ }, sub {
+ $oxfordshireuser->user_body_permissions->create({
+ body => $oxfordshire,
+ permission_type => 'report_edit',
+ });
+
+ $mech->get_ok("/admin/report_edit/$report_id");
+ $mech->content_contains( $report->title );
+ };
+};
+
+subtest "Users can't edit another council's reports with their own council's report_edit permission" => sub {
+ FixMyStreet::override_config {
+ ALLOWED_COBRANDS => [ 'oxfordshire' ],
+ }, sub {
+ $report->bodies_str(2482);
+ $report->cobrand('bromley');
+ $report->update;
+
+ $mech->get("/admin/report_edit/$report_id");
+ ok !$mech->res->is_success(), "want a bad response";
+ is $mech->res->code, 404, "got 404, can't edit report with incorrect body in report_edit permission";
+ };
+};
+
+
+$mech->log_out_ok;
+$oxfordshireuser->user_body_permissions->delete_all;
$mech->delete_user( $user );
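Review bot: The third subtest (lines 72-74) rewrites `$report`'s bodies_str and cobrand to bromley's values and never restores them, so anything run later in the file sees a report that no longer belongs to the Oxfordshire fixture; restoring the original values at the end of that subtest would keep the fixtures independent. That subtest also depends on the report_edit permission created in the previous subtest still existing, which is not stated anywhere; a comment such as `# Relies on the report_edit permission granted in the previous subtest` at the top of its body would make the ordering dependency explicit. The two denial subtests check only the status code; adding `$mech->content_lacks( $report->title );` after each `is $mech->res->code ...` line would also confirm that the report is not rendered on the denied path. The expected status of 404 does not obviously match the 403 handler the controller detaches to in the Admin.pm hunk; see the note on that hunk.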