authorStruan Donald <struan@exo.org.uk>2018-06-05 17:07:09 +0100
committerStruan Donald <struan@exo.org.uk>2018-06-05 17:28:29 +0100
commitfb15760d8153971cce9185387c5d8ad5fc534aa7 (patch)
treec38c8c850e0b868260b7955636c493e059a6fbea /perllib/FixMyStreet/App/Controller/Contact.pm
parent7e3b1f2fc28c87f7099b989cf7dfe9e9ff860fc2 (diff)
error on bad update ids passed to contact form
Return an error if an id for either a hidden update or one not associated with the problem id is passed to the contact form.
Diffstat (limited to 'perllib/FixMyStreet/App/Controller/Contact.pm')
-rw-r--r--perllib/FixMyStreet/App/Controller/Contact.pm14
1 files changed, 11 insertions, 3 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Contact.pm b/perllib/FixMyStreet/App/Controller/Contact.pm
index b124ba1c0..997009b87 100644
--- a/perllib/FixMyStreet/App/Controller/Contact.pm
+++ b/perllib/FixMyStreet/App/Controller/Contact.pm
@@ -87,9 +87,17 @@ sub determine_contact_type : Private {
} elsif ($id) {
$c->forward( '/report/load_problem_or_display_error', [ $id ] );
if ($update_id) {
- my $update = $c->model('DB::Comment')->find(
- { id => $update_id }
- );
+ my $update = $c->model('DB::Comment')->search(
+ {
+ id => $update_id,
+ problem_id => $id,
+ state => 'confirmed',
+ }
+ )->first;
+
+ unless ($update) {
+ $c->detach( '/page_error_404_not_found', [ _('Unknown update ID') ] );
+ }
$c->stash->{update} = $update;
}
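Review bot: The new `$c->model('DB::Comment')->search(...)` lookup has no comment recording that the `problem_id` and `state` filters are an access check. Since `id` alone presumably identifies the row, a later cleanup could fold it back into `find({ id => $update_id })` and re-expose hidden or unrelated updates. I would add above it `# Access check: only a confirmed update belonging to this problem may be referenced; do not reduce to a lookup by id.` Where `$update_id` is validated is not visible in this hunk; if it arrives unchecked from the request, a non-numeric value may surface as a database error rather than the 404, so it is worth confirming it is checked as an integer earlier in determine_contact_type. The function body starts and ends outside the hunk.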