authorMatthew Somerville <matthew@mysociety.org>2020-02-11 15:42:30 +0000
committerMatthew Somerville <matthew@mysociety.org>2020-02-13 14:31:09 +0000
commitcf4f4473a795d2e1dd213f31b3d3fb4ab2711b72 (patch)
tree483a7498f7ff30a541e175b2fa460e595359a028 /t
parente2e6f7babbb04d2a78dc3fbf43eb4f7865672444 (diff)
Link in other-reported email shows private report.
Use a token that does not log the user in, but lets the report be shown, even if it's a private report. Allow old tokens of that type to work.
Diffstat (limited to 't')
-rw-r--r--t/app/controller/report_display.t32
-rw-r--r--t/app/controller/report_non_public.t85
2 files changed, 85 insertions, 32 deletions
diff --git a/t/app/controller/report_display.t b/t/app/controller/report_display.t
index 48a827a63..4bd0fc991 100644
--- a/t/app/controller/report_display.t
+++ b/t/app/controller/report_display.t
@@ -73,38 +73,6 @@ subtest "change report to hidden and check for 410 status" => sub {
ok $report->update( { state => 'confirmed' } ), 'confirm report again';
};
-subtest "change report to non_public and check for 403 status" => sub {
- ok $report->update( { non_public => 1 } ), 'make report non public';
- ok $mech->get("/report/$report_id"), "get '/report/$report_id'";
- is $mech->res->code, 403, "access denied";
- is $mech->uri->path, "/report/$report_id", "at /report/$report_id";
- $mech->content_contains('permission to do that. If you are the problem reporter');
- $mech->content_lacks('Report another problem here');
- $mech->content_lacks($report->latitude);
- $mech->content_lacks($report->longitude);
- ok $report->update( { non_public => 0 } ), 'make report public';
-};
-
-subtest "check owner of report can view non public reports" => sub {
- ok $report->update( { non_public => 1 } ), 'make report non public';
- $mech->log_in_ok( $report->user->email );
- ok $mech->get("/report/$report_id"), "get '/report/$report_id'";
- is $mech->res->code, 200, "report can be viewed";
- is $mech->uri->path, "/report/$report_id", "at /report/$report_id";
- $mech->log_out_ok;
-
- $mech->log_in_ok( $user2->email );
- ok $mech->get("/report/$report_id"), "get '/report/$report_id'";
- is $mech->res->code, 403, "access denied to user who is not report creator";
- is $mech->uri->path, "/report/$report_id", "at /report/$report_id";
- $mech->content_contains('permission to do that. If you are the problem reporter');
- $mech->content_lacks('Report another problem here');
- $mech->content_lacks($report->latitude);
- $mech->content_lacks($report->longitude);
- $mech->log_out_ok;
- ok $report->update( { non_public => 0 } ), 'make report public';
-};
-
subtest "duplicate reports are signposted correctly" => sub {
$report2->set_extra_metadata(duplicate_of => $report->id);
$report2->state('duplicate');
diff --git a/t/app/controller/report_non_public.t b/t/app/controller/report_non_public.t
new file mode 100644
index 000000000..6d52647a8
--- /dev/null
+++ b/t/app/controller/report_non_public.t
@@ -0,0 +1,85 @@
+use FixMyStreet::TestMech;
+
+# disable info logs for this test run
+FixMyStreet::App->log->disable('info');
+END { FixMyStreet::App->log->enable('info'); }
+
+my $mech = FixMyStreet::TestMech->new;
+
+my $body = $mech->create_body_ok(2237, 'Oxfordshire County Council');
+$mech->create_contact_ok( body_id => $body->id, category => 'Potholes', email => 'potholes@example.com' );
+
+my $staffuser = $mech->create_user_ok('body-user@example.net', name => 'Body User', from_body => $body->id);
+$staffuser->user_body_permissions->create({ body => $body, permission_type => 'contribute_as_another_user' });
+$staffuser->user_body_permissions->create({ body => $body, permission_type => 'report_mark_private' });
+
+my $user = $mech->create_user_ok('test@example.com', name => 'Test User');
+my $user2 = $mech->create_user_ok('test2@example.com', name => 'Other User');
+
+my ($report) = $mech->create_problems_for_body(1, $body->id, "Example", {
+ user => $user,
+ non_public => 1,
+});
+my $report_id = $report->id;
+
+subtest "check cannot view non_public report by default" => sub {
+ ok $mech->get("/report/$report_id"), "get '/report/$report_id'";
+ is $mech->res->code, 403, "access denied";
+ is $mech->uri->path, "/report/$report_id", "at /report/$report_id";
+ $mech->content_contains('permission to do that. If you are the problem reporter');
+ $mech->content_lacks('Report another problem here');
+ $mech->content_lacks($report->latitude);
+ $mech->content_lacks($report->longitude);
+};
+
+subtest "check owner of report can view non public reports" => sub {
+ $mech->log_in_ok( $report->user->email );
+ ok $mech->get("/report/$report_id"), "get '/report/$report_id'";
+ is $mech->res->code, 200, "report can be viewed";
+ is $mech->uri->path, "/report/$report_id", "at /report/$report_id";
+ $mech->log_out_ok;
+
+ $mech->log_in_ok( $user2->email );
+ ok $mech->get("/report/$report_id"), "get '/report/$report_id'";
+ is $mech->res->code, 403, "access denied to user who is not report creator";
+ is $mech->uri->path, "/report/$report_id", "at /report/$report_id";
+ $mech->content_contains('permission to do that. If you are the problem reporter');
+ $mech->content_lacks('Report another problem here');
+ $mech->content_lacks($report->latitude);
+ $mech->content_lacks($report->longitude);
+ $mech->log_out_ok;
+};
+
+subtest "Logged email working on private report" => sub {
+ FixMyStreet::override_config {
+ ALLOWED_COBRANDS => 'fixmystreet',
+ MAPIT_URL => 'http://mapit.uk/',
+ }, sub {
+ $mech->log_in_ok($staffuser->email);
+ $mech->get_ok('/report/new?latitude=51.7549262252&longitude=-1.25617899435');
+ $mech->submit_form_ok({
+ with_fields => {
+ form_as => 'another_user',
+ title => "Test Report",
+ detail => 'Test report details.',
+ category => 'Potholes',
+ name => 'Another User',
+ username => 'another@example.net',
+ non_public => 1,
+ }
+ }, "submit details");
+ };
+ $mech->content_contains('Thank you for reporting this issue');
+ my $report = FixMyStreet::DB->resultset("Problem")->search(undef, { order_by => { -desc => 'id' } })->first;
+ ok $report, "Found the report";
+ is $report->state, 'confirmed', "report is now confirmed";
+ is $report->non_public, 1;
+
+ my $email = $mech->get_email;
+ my $body = $mech->get_text_body_from_email($email);
+ my $url = $mech->get_link_from_email($email);
+ like $body, qr/Your report to Oxfordshire County Council has been logged/;
+ $mech->get_ok($url);
+};
+
+done_testing();
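Review bot: The last step of "Logged email working on private report" does not isolate the token, because `$mech->get_ok($url)` runs while `$staffuser` is still logged in from the earlier `log_in_ok`. That user holds `report_mark_private`, which presumably permits viewing the report, so the request could succeed through the session even if the token check were broken. Add `$mech->log_out_ok;` before fetching `$url`, then assert that the report is rendered (e.g. `$mech->content_contains('Test report details.');`) and that following the link created no session, with `$mech->not_logged_in_ok;`. Negative coverage is also missing: the same URL with an altered token should still produce the 403 asserted in the first subtest, and the "old tokens" path named in the commit message is not exercised in this file.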