author | Struan Donald <struan@exo.org.uk> | 2011-06-23 14:06:03 +0100 |
---|---|---|
committer | Struan Donald <struan@exo.org.uk> | 2011-06-23 14:06:03 +0100 |
commit | 59e5a595bd0a903f25eb6210209cec5afe1f699c (patch) | |
tree | 6665c9d5538a613d95a9d914c5d6f90e41c78096 /perllib/FixMyStreet/App/Controller/Report/Update.pm | |
parent | 1655eca8e8d5a710500151113fc3a1d2ee2fee4b (diff) |
prevent non authority users from changing the state on updates
Diffstat (limited to 'perllib/FixMyStreet/App/Controller/Report/Update.pm')
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Report/Update.pm | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Report/Update.pm b/perllib/FixMyStreet/App/Controller/Report/Update.pm
index 88b53494b..02d111d9f 100644
--- a/perllib/FixMyStreet/App/Controller/Report/Update.pm
+++ b/perllib/FixMyStreet/App/Controller/Report/Update.pm
@@ -180,6 +180,15 @@ return false.
 sub check_for_errors : Private {
 my ( $self, $c ) = @_;
+ # they have to be an authority user to update the state
+ if ( $c->req->param('state') ) {
+ unless ( $c->user && $c->user->from_authority ) {
+ $c->stash->{errors} ||= [];
+ push @{ $c->stash->{errors} }, _('There was a problem with your update. Please try again.');
+ return;
+ }
+ }
+
 # let the model check for errors
 my %field_errors = (
 %{ $c->stash->{update_user}->check_for_errors }, |
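Review bot: The new guard in `check_for_errors` only fires when `$c->req->param('state')` is true in scalar context, so it looks at the first value of the parameter and skips empty or `0` values; it therefore protects the state change only if the code that later applies `state` reads the parameter in exactly the same way, and that code is outside this hunk. Testing for presence instead, `if ( exists $c->req->params->{state} ) {`, would not depend on that, provided the public update form does not submit the field for ordinary users. Because this is an authorisation failure rather than a validation error, it is also worth recording it before the `return;`, for example `$c->log->warn('state change attempted by non-authority user');`, so repeated attempts are visible to operators. The body of `check_for_errors` continues past the end of the hunk.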