author | Struan Donald <struan@exo.org.uk> | 2011-06-23 14:06:03 +0100 |
---|---|---|
committer | Struan Donald <struan@exo.org.uk> | 2011-06-23 14:06:03 +0100 |
commit | 59e5a595bd0a903f25eb6210209cec5afe1f699c (patch) | |
tree | 6665c9d5538a613d95a9d914c5d6f90e41c78096 /t/app/controller | |
parent | 1655eca8e8d5a710500151113fc3a1d2ee2fee4b (diff) |
prevent non authority users from changing the state on updates
Diffstat (limited to 't/app/controller')
-rw-r--r-- | t/app/controller/report_updates.t | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/t/app/controller/report_updates.t b/t/app/controller/report_updates.t
index 4dd1db737..bec81fb83 100644
--- a/t/app/controller/report_updates.t
+++ b/t/app/controller/report_updates.t
@@ -382,6 +382,40 @@ for my $test (
 };
 }
+$report->state('confirmed');
+$report->update;
+
+subtest 'check non authority user cannot change set state' => sub {
+ $mech->log_in_ok( $user->email );
+ $user->from_authority( 0 );
+ $user->update;
+
+ $mech->get_ok("/report/$report_id");
+ $mech->submit_form_ok( {
+ form_number => 2,
+ fields => {
+ submit_update => 1,
+ id => $report_id,
+ name => $user->name,
+ rznvy => $user->email,
+ may_show_name => 1,
+ add_alert => 0,
+ photo => '',
+ update => 'this is a forbidden update',
+ state => 'fixed - council',
+ },
+ },
+ 'submitted with state',
+ );
+
+ is $mech->uri->path, "/report/update", "at /report/update";
+
+ my $errors = $mech->page_errors;
+ is_deeply $errors, [ 'There was a problem with your update. Please try again.' ], 'error message';
+
+ is $report->state, 'confirmed', 'state unchanged';
+};
+
 for my $test (
 {
 desc => 'submit update for register user', |
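Review bot: The closing assertion `is $report->state, 'confirmed', 'state unchanged';` reads the state from the `$report` object that the test itself set a few lines earlier, so it can pass even if the request changed the stored state. Assuming `$report` is a DBIx::Class row (the `->update` calls suggest so), reload it first with `$report->discard_changes;` so the check reflects what the controller actually wrote. The subtest also does not assert that the rejected update text was not stored, which is the other half of the authorization guarantee; a count of updates on the report before and after the submit would cover it. Separately, `$user->from_authority( 0 )` is persisted and never restored, so later tests in the file that depend on that flag have to set it themselves.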