-rw-r--r-- | perllib/FixMyStreet/App/Controller/Admin.pm | 5 | ||||
-rw-r--r-- | t/app/controller/admin.t | 18 | ||||
-rw-r--r-- | t/cobrand/zurich.t | 8 |
3 files changed, 14 insertions, 17 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index d5a6486fd..c4bd5c293 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -33,9 +33,12 @@ sub begin : Private {
 # User must be logged in to see cobrand, and meet whatever checks the
 # cobrand specifies. Default cobrand just requires superuser flag to be set.
- unless ( $c->user_exists && $c->cobrand->admin_allow_user($c->user) ) {
+ unless ( $c->user_exists ) {
 $c->detach( '/auth/redirect' );
 }
+ unless ( $c->cobrand->admin_allow_user($c->user) ) {
+ $c->detach('/page_error_403_access_denied', []);
+ }
 if ( $c->cobrand->moniker eq 'zurich' ) {
 $c->cobrand->admin_type();
diff --git a/t/app/controller/admin.t b/t/app/controller/admin.t
index 6086cf3ac..1ab0cb488 100644
--- a/t/app/controller/admin.t
+++ b/t/app/controller/admin.t
@@ -1396,10 +1396,8 @@ subtest "Users without from_body can't access admin" => sub {
 $mech->log_in_ok( $user->email );
- $mech->get_ok('/admin');
- is $mech->uri->path, '/my', "redirected to correct page";
- is $mech->res->code, 200, "got 200 for final destination";
- is $mech->res->previous->code, 302, "got 302 for redirect";
+ ok $mech->get('/admin');
+ is $mech->res->code, 403, "got 403";
 $mech->log_out_ok;
 };
@@ -1423,10 +1421,8 @@ subtest "Users with from_body can't access another council's admin" => sub {
 }, sub {
 $mech->log_in_ok( $oxfordshireuser->email );
- $mech->get_ok('/admin');
- is $mech->uri->path, '/my', "redirected to correct page";
- is $mech->res->code, 200, "got 200 for final destination";
- is $mech->res->previous->code, 302, "got 302 for redirect";
+ ok $mech->get('/admin');
+ is $mech->res->code, 403, "got 403";
 $mech->log_out_ok;
 };
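Review bot: The comment directly above the two guards in the Admin.pm hunk still describes the old single condition ("must be logged in ... and meet whatever checks"), so after the split it no longer says which failure produces which outcome; I would replace it with `# Anonymous users are sent to login; a logged-in user the cobrand does not allow gets a 403 (page_error_403_access_denied) rather than a redirect.` The order of the two `unless` blocks is load-bearing, since `admin_allow_user($c->user)` is only called once `user_exists` has passed, and that deserves a one-line comment so a later reorder does not hand an undefined user to the cobrand check. `sub begin` continues beyond the end of the hunk.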
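Review bot: In the `@@ -1396` hunk of t/app/controller/admin.t the new `ok $mech->get('/admin');` cannot fail: WWW::Mechanize's `get` returns the HTTP::Response object whatever the status code, and an object is always true, so the assertion carries no information and has no description. The real check is the `is $mech->res->code, 403` line that follows it; I would drop the `ok` and write `$mech->get('/admin');` followed by `is $mech->res->code, 403, "got 403 for user not allowed into admin";` so each assertion is meaningful and described. The same no-op `ok` is repeated in the `@@ -1423` and `@@ -1438` hunks of this file and in both hunks of t/cobrand/zurich.t.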
@@ -1438,10 +1434,8 @@ subtest "Users with from_body can't access fixmystreet.com admin" => sub {
 }, sub {
 $mech->log_in_ok( $oxfordshireuser->email );
- $mech->get_ok('/admin');
- is $mech->uri->path, '/my', "redirected to correct page";
- is $mech->res->code, 200, "got 200 for final destination";
- is $mech->res->previous->code, 302, "got 302 for redirect";
+ ok $mech->get('/admin');
+ is $mech->res->code, 403, "got 403";
 $mech->log_out_ok;
 };
diff --git a/t/cobrand/zurich.t b/t/cobrand/zurich.t
index 1ea55b003..b59e546dd 100644
--- a/t/cobrand/zurich.t
+++ b/t/cobrand/zurich.t
@@ -138,8 +138,8 @@ FixMyStreet::override_config {
 my $user = $mech->log_in_ok( 'dm1@example.org') ;
 $user->from_body( undef );
 $user->update;
- $mech->get_ok( '/admin' );
- is $mech->uri->path, '/my', "got sent to /my";
+ ok $mech->get( '/admin' );
+ is $mech->res->code, 403, 'Got 403';
 $user->from_body( $division->id );
 $user->update;
@@ -361,9 +361,9 @@ subtest 'SDM' => sub {
 FixMyStreet::override_config {
 ALLOWED_COBRANDS => [ 'zurich' ],
 }, sub {
- $mech->get_ok( '/admin' );
+ ok $mech->get( '/admin' );
 };
- is $mech->uri->path, '/my', "got sent to /my";
+ is $mech->res->code, 403, 'Got 403';
 $user->from_body( $subdivision->id );
 $user->update;
|