aboutsummaryrefslogtreecommitdiffstats
path: root/perllib/FixMyStreet/App/Controller/Report.pm
diff options
context:
space:
mode:
authorMatthew Somerville <matthew@mysociety.org>2020-02-11 15:42:30 +0000
committerMatthew Somerville <matthew@mysociety.org>2020-02-13 14:31:09 +0000
commitcf4f4473a795d2e1dd213f31b3d3fb4ab2711b72 (patch)
tree483a7498f7ff30a541e175b2fa460e595359a028 /perllib/FixMyStreet/App/Controller/Report.pm
parente2e6f7babbb04d2a78dc3fbf43eb4f7865672444 (diff)
Link in other-reported email shows private report.
Use a token that does not log the user in, but lets the report be shown, even if it's a private report. Allow old tokens of that type to work.
Diffstat (limited to 'perllib/FixMyStreet/App/Controller/Report.pm')
-rw-r--r--perllib/FixMyStreet/App/Controller/Report.pm11
1 files changed, 10 insertions, 1 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Report.pm b/perllib/FixMyStreet/App/Controller/Report.pm
index 7168e8379..72f96013a 100644
--- a/perllib/FixMyStreet/App/Controller/Report.pm
+++ b/perllib/FixMyStreet/App/Controller/Report.pm
@@ -160,7 +160,16 @@ sub load_problem_or_display_error : Private {
$c->stash->{problem} = $problem;
my $permissions = $c->stash->{_permissions} = $c->forward( 'check_has_permission_to',
[ qw/report_inspect report_edit_category report_edit_priority report_mark_private / ] );
- if ( !$c->user || ($c->user->id != $problem->user->id && !($permissions->{report_inspect} || $permissions->{report_mark_private})) ) {
+
+ # If someone has clicked a unique token link in an email to them
+ my $from_email = $c->sessionid && $c->flash->{alert_to_reporter} && $c->flash->{alert_to_reporter} == $problem->id;
+
+ my $allowed = 0;
+ $allowed = 1 if $from_email;
+ $allowed = 1 if $c->user_exists && $c->user->id == $problem->user->id;
+ $allowed = 1 if $permissions->{report_inspect} || $permissions->{report_mark_private};
+
+ unless ($allowed) {
my $url = '/auth?r=report/' . $problem->id;
$c->detach(
'/page_error_403_access_denied',