Require 'report_edit' permission for editing reports in admin

author: Dave Arter <davea@mysociety.org> 2016-07-15 17:02:56 +0100
committer: Dave Arter <davea@mysociety.org> 2016-08-17 15:27:46 +0100
commit: f0220a9742ef0b7458b2dafaba5d9f860a741a91 (patch)
tree: 6d860ab0ad82864e94e9aa3215d6f1c3fa530ae6 /perllib/FixMyStreet/App/Controller/Admin.pm
parent: 0ce7030998ff93c893d78a04669582423daceaad (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index ea8633db0..fbd855333 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -669,6 +669,13 @@ sub report_edit : Path('report_edit') : Args(1) {
     $c->detach( '/page_error_404_not_found' )
       unless $problem;
 
+    unless (
+        $c->cobrand->moniker eq 'zurich'
+        || $c->user->has_permission_to(report_edit => $problem->bodies_str)
+    ) {
+        $c->detach( '/page_error_403_access_denied', [] );
+    }
+
     $c->stash->{problem} = $problem;
 
     $c->forward('/auth/get_csrf_token');
author	Dave Arter <davea@mysociety.org>	2016-07-15 17:02:56 +0100
committer	Dave Arter <davea@mysociety.org>	2016-08-17 15:27:46 +0100
commit	f0220a9742ef0b7458b2dafaba5d9f860a741a91 (patch)
tree	6d860ab0ad82864e94e9aa3215d6f1c3fa530ae6 /perllib/FixMyStreet/App/Controller/Admin.pm
parent	0ce7030998ff93c893d78a04669582423daceaad (diff)