authorStruan Donald <struan@exo.org.uk>2011-06-23 16:34:19 +0100
committerStruan Donald <struan@exo.org.uk>2011-06-23 16:34:19 +0100
commitfb56c38856fe33c971903ab0efde1cf5d4829426 (patch)
tree91409b19c31f82118b279e29ee3d344a9414c745
parent2264d094189ff9d5e1c52b58329fc191f97c3fd6 (diff)
check that state is permitted
-rw-r--r--perllib/FixMyStreet/App/Controller/Report/Update.pm9
-rw-r--r--t/app/controller/report_updates.t33
2 files changed, 41 insertions, 1 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Report/Update.pm b/perllib/FixMyStreet/App/Controller/Report/Update.pm
index 41bc3a4bd..5421385fb 100644
--- a/perllib/FixMyStreet/App/Controller/Report/Update.pm
+++ b/perllib/FixMyStreet/App/Controller/Report/Update.pm
@@ -181,11 +181,18 @@ sub check_for_errors : Private {
# they have to be an authority user to update the state
if ( $c->req->param('state') ) {
- unless ( $c->user && $c->user->from_authority ) {
+ my $error = 0;
+ $error = 1 unless $c->user && $c->user->from_authority;
+
+ my $state = $c->req->param('state');
+ $error = 1 unless ( grep { $state eq $_ } ( qw/closed fixed investigating planned/, 'in progress', 'fixed', 'fixed - user', 'fixed - council' ) );
+
+ if ( $error ) {
$c->stash->{errors} ||= [];
push @{ $c->stash->{errors} }, _('There was a problem with your update. Please try again.');
return;
}
+
}
# let the model check for errors
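Review bot: The allow-list on the `$error = 1 unless ( grep { $state eq $_ } ... )` line lists `fixed` twice (once inside `qw/closed fixed investigating planned/` and again as the literal `'fixed'`), and the list is an inline literal in the middle of the error check, which makes the permitted set hard to audit when states are added. Since this grep is the server-side control that stops an authority user from submitting an arbitrary state, I would hoist it to a named file-level constant so the permitted set is visible in one place: `my @PERMITTED_UPDATE_STATES = ( qw/closed fixed investigating planned/, 'in progress', 'fixed - user', 'fixed - council' );` and then `$error = 1 unless grep { $state eq $_ } @PERMITTED_UPDATE_STATES;`. If the report model already enumerates its valid states elsewhere, deriving this list from that enumeration would avoid the two drifting apart, but I cannot confirm such an enumeration from this hunk. The `check_for_errors` sub starts before this hunk and its body continues after the trailing comment.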
diff --git a/t/app/controller/report_updates.t b/t/app/controller/report_updates.t
index e5495ebf1..45e8e8c57 100644
--- a/t/app/controller/report_updates.t
+++ b/t/app/controller/report_updates.t
@@ -416,6 +416,39 @@ subtest 'check non authority user cannot change set state' => sub {
is $report->state, 'confirmed', 'state unchanged';
};
+for my $state ( qw/unconfirmed hidden partial/ ) {
+ subtest "check that update cannot set state to $state" => sub {
+ $mech->log_in_ok( $user->email );
+ $user->from_authority( 1 );
+ $user->update;
+
+ $mech->get_ok("/report/$report_id");
+ $mech->submit_form_ok( {
+ form_number => 2,
+ fields => {
+ submit_update => 1,
+ id => $report_id,
+ name => $user->name,
+ rznvy => $user->email,
+ may_show_name => 1,
+ add_alert => 0,
+ photo => '',
+ update => 'this is a forbidden update',
+ state => $state,
+ },
+ },
+ 'submitted with state',
+ );
+
+ is $mech->uri->path, "/report/update", "at /report/update";
+
+ my $errors = $mech->page_errors;
+ is_deeply $errors, [ 'There was a problem with your update. Please try again.' ], 'error message';
+
+ is $report->state, 'confirmed', 'state unchanged';
+ };
+}
+
for my $test (
{
desc => 'from authority user marks report as fixed',
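Review bot: The final `is $report->state, 'confirmed', 'state unchanged';` in each new subtest reads the `$report` object that was loaded before the form was submitted, so if `$report` is a DBIx::Class row (as `$report_id` and the `->update` calls on `$user` suggest) it reports the in-memory value rather than what the controller wrote, and a regression that persisted a forbidden state would still pass. Add `$report->discard_changes;` immediately before that `is` so the assertion re-reads the row from the database. The same pattern appears in the pre-existing subtest above the hunk, but that is outside this change. `$report`, `$report_id` and `$user` are defined outside the hunk.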