-rw-r--r-- | perllib/FixMyStreet/App/Controller/Admin.pm | 9 | ||||
-rw-r--r-- | t/cobrand/zurich.t | 2 | ||||
-rw-r--r-- | templates/web/base/admin/bodies.html | 2 | ||||
-rw-r--r-- | templates/web/base/admin/body.html | 2 | ||||
-rw-r--r-- | templates/web/base/admin/index.html | 26 |
5 files changed, 24 insertions, 17 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index 43fffd315..776a9276a 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -315,8 +315,13 @@ sub body : Path('body') : Args(1) {
 sub check_for_super_user : Private {
 my ( $self, $c ) = @_;
- if ( $c->cobrand->moniker eq 'zurich' && $c->stash->{admin_type} ne 'super' ) {
- $c->detach('/page_error_404_not_found', []);
+
+ my $superuser = $c->user->is_superuser;
+ # Zurich currently has its own way of defining superusers
+ $superuser ||= $c->cobrand->moniker eq 'zurich' && $c->stash->{admin_type} eq 'super';
+
+ unless ( $superuser ) {
+ $c->detach('/page_error_403_access_denied', []);
 }
 }
diff --git a/t/cobrand/zurich.t b/t/cobrand/zurich.t
index a595f48c9..e16738b30 100644
--- a/t/cobrand/zurich.t
+++ b/t/cobrand/zurich.t
@@ -698,7 +698,7 @@ subtest "only superuser can edit bodies" => sub {
 }, sub {
 $mech->get( '/admin/body/' . $zurich->id );
 };
- is $mech->res->code, 404, "only superuser should be able to edit bodies";
+ is $mech->res->code, 403, "only superuser should be able to edit bodies";
 $mech->log_out_ok;
 };
diff --git a/templates/web/base/admin/bodies.html b/templates/web/base/admin/bodies.html
index 4c95423c0..4b4fc83ef 100644
--- a/templates/web/base/admin/bodies.html
+++ b/templates/web/base/admin/bodies.html
@@ -69,7 +69,7 @@
 </table>
 [% END %]
-[% IF c.cobrand.moniker != 'zurich' OR admin_type == 'super' %]
+[% IF (c.cobrand.moniker == 'zurich' AND admin_type == 'super') OR c.user.is_superuser %]
 <div class="admin-box">
 <h2>[% loc('Add body') %]</h2>
 [% INCLUDE 'admin/body-form.html', body='' %]
diff --git a/templates/web/base/admin/body.html b/templates/web/base/admin/body.html
index 15802fc44..99b7249ce 100644
--- a/templates/web/base/admin/body.html
+++ b/templates/web/base/admin/body.html
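Review bot: `$c->user->is_superuser` on the added line is called unconditionally, so if this private action can be reached without an authenticated session `$c->user` is undef and the request dies with a 500 instead of the intended 403; a `$c->user_exists && $c->user->is_superuser` guard would close that unless an earlier auth check in the admin chain (not visible in this hunk) already guarantees a user. The check now applies to every cobrand where before only Zurich enforced anything, which is the right direction; the 404-to-403 switch is a deliberate change pinned by the zurich.t hunk, with the trade-off that non-superusers can now confirm an admin body URL exists. `$c->stash->{admin_type}` is compared with `eq` without a default, so a missing stash value raises an uninitialized warning on the Zurich branch; `($c->stash->{admin_type} // '') eq 'super'` avoids it.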
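Review bot: The only assertion changed is the Zurich non-superuser case, so the controller's new behaviour for other cobrands (a logged-in non-superuser now gets 403 on `/admin/body/<id>`, where previously there was no check) has no test in this diff; a matching `is $mech->res->code, 403, ...` under the default cobrand, plus a positive case for a user with `is_superuser` set, would pin the Admin.pm change. The enclosing `subtest` block starts outside the hunk.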
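Review bot: Hiding the 'Add body' form with this condition only changes what is rendered; whether the POST that creates a body is itself routed through `check_for_super_user` is outside this diff, so confirm the bodies action detaches for non-superusers, otherwise the form can still be submitted directly. The authorization expression duplicates the Perl logic in `check_for_super_user`; computing it once in the controller and stashing a single flag (e.g. `$c->stash->{is_superuser}` — constructed name) would keep template and controller from drifting, especially since body.html and index.html in this same commit gate on `c.user.is_superuser` alone.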
@@ -213,7 +213,7 @@
 </form>
 </div>
-[% IF NOT errors %]
+[% IF NOT errors and c.user.is_superuser %]
 <div class="admin-box">
 <h2>[% loc('Edit body details') %]</h2>
 [% INCLUDE 'admin/body-form.html' %]
diff --git a/templates/web/base/admin/index.html b/templates/web/base/admin/index.html
index 3c510471e..beb4dad7f 100644
--- a/templates/web/base/admin/index.html
+++ b/templates/web/base/admin/index.html
@@ -30,19 +30,21 @@ and to receive notices of updates.
 <input type="text" name="search" size="30" id="search_users" value="[% searched | html %]">
 </form>
-<form method="get" action="[% c.uri_for('bodies') %]">
-<label for="search_body">[% loc('Edit body details') %]</label>
-<select id="search_body" name="body">
-[% FOREACH body IN bodies %]
- [%- SET id = body.id %]
- <option[% IF body.deleted %] class="adminhidden"[% END %] value="[% body.id %]">
- [% body.name | html %]
- [%- IF body.parent %], [% body.parent.name | html %][% END -%]
- </option>
+[% IF c.user.is_superuser %]
+ <form method="get" action="[% c.uri_for('bodies') %]">
+ <label for="search_body">[% loc('Edit body details') %]</label>
+ <select id="search_body" name="body">
+ [% FOREACH body IN bodies %]
+ [%- SET id = body.id %]
+ <option[% IF body.deleted %] class="adminhidden"[% END %] value="[% body.id %]">
+ [% body.name | html %]
+ [%- IF body.parent %], [% body.parent.name | html %][% END -%]
+ </option>
+ [% END %]
+ </select>
+ <input type="submit" value="[% loc('Go') %]">
+ </form>
 [% END %]
-</select>
-<input type="submit" value="[% loc('Go') %]">
-</form>
 [% IF unsent_reports.size %]
 <h2>[% loc('Reports waiting to be sent') %]</h2> |
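Review bot: This condition gates on `c.user.is_superuser` alone, while the controller's `check_for_super_user` and the bodies.html hunk also accept a Zurich admin with `admin_type == 'super'`; unless Zurich super admins always carry the `is_superuser` flag (not visible here), such a user passes the server-side check but sees no edit form, and the same gap applies to the body dropdown wrapped in the index.html hunk. Using the same expression as bodies.html, or a single flag stashed by the controller, removes the discrepancy. Minor style: this line uses lowercase `and` where the neighbouring templates use `AND`/`OR`. The `[% END %]` closing this `IF` is outside the hunk.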