author | Dave Arter <davea@mysociety.org> | 2016-07-13 13:58:50 +0100 |
---|---|---|
committer | Dave Arter <davea@mysociety.org> | 2016-07-19 18:10:04 +0100 |
commit | a001715332d9423dd4c68542f7eceac4c2e3900c (patch) | |
tree | 6f62183f9e5efb736b8bdf4524cf6275e5b7832c /perllib/FixMyStreet/App | |
parent | 7792c5328962a58ab60c6975a1fdba7ebb2786e9 (diff) |
Restrict add/editing of bodies in admin to superusers
Diffstat (limited to 'perllib/FixMyStreet/App')
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Admin.pm | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index 43fffd315..776a9276a 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -315,8 +315,13 @@ sub body : Path('body') : Args(1) {
 sub check_for_super_user : Private {
     my ( $self, $c ) = @_;
-    if ( $c->cobrand->moniker eq 'zurich' && $c->stash->{admin_type} ne 'super' ) {
-        $c->detach('/page_error_404_not_found', []);
+
+    my $superuser = $c->user->is_superuser;
+    # Zurich currently has its own way of defining superusers
+    $superuser ||= $c->cobrand->moniker eq 'zurich' && $c->stash->{admin_type} eq 'super';
+
+    unless ( $superuser ) {
+        $c->detach('/page_error_403_access_denied', []);
     }
 } |
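Review bot: The new `my $superuser = $c->user->is_superuser;` line calls a method on `$c->user` without confirming a user is logged in, so if this private action can be reached by an unauthenticated request the call dies on an undefined value and the request ends in a 500 rather than the intended 403. Unless an earlier `auto`/`begin` action already guarantees an authenticated session (not visible in this hunk), guard it as `my $superuser = $c->user_exists && $c->user->is_superuser;`. Separately, the Zurich path now answers 403 where it previously answered 404, so the page's existence is no longer hidden from non-super Zurich admins; if that is intended, a short comment such as `# Non-superusers get 403 (was 404 for Zurich)` next to the detach would record the decision, since the commit message does not mention it.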