2 files changed, 25 insertions, 9 deletions

diff --git a/perllib/FixMyStreet/App/Controller/Report.pm b/perllib/FixMyStreet/App/Controller/Report.pm
index 5718bc021..1951028c8 100644
--- a/perllib/FixMyStreet/App/Controller/Report.pm
+++ b/perllib/FixMyStreet/App/Controller/Report.pm
@@ -85,7 +85,7 @@ sub display :PathPart('') :Chained('id') :Args(0) {
     $c->forward( 'format_problem_for_display' );
 
     my $permissions = $c->stash->{_permissions} ||= $c->forward( 'check_has_permission_to',
-        [ qw/report_inspect report_edit_category report_edit_priority/ ] );
+        [ qw/report_inspect report_edit_category report_edit_priority report_mark_private/ ] );
     if (any { $_ } values %$permissions) {
         $c->stash->{template} = 'report/inspect.html';
         $c->forward('inspect');
@@ -131,8 +131,8 @@ sub load_problem_or_display_error : Private {
         # Creator, and inspection users can see non_public reports
         $c->stash->{problem} = $problem;
         my $permissions = $c->stash->{_permissions} = $c->forward( 'check_has_permission_to',
-            [ qw/report_inspect report_edit_category report_edit_priority/ ] );
-        if ( !$c->user || ($c->user->id != $problem->user->id && !$permissions->{report_inspect}) ) {
+            [ qw/report_inspect report_edit_category report_edit_priority report_mark_private / ] );
+        if ( !$c->user || ($c->user->id != $problem->user->id && !($permissions->{report_inspect} || $permissions->{report_mark_private})) ) {
             $c->detach(
                 '/page_error_403_access_denied',
                 [ sprintf(_('That report cannot be viewed on %s.'), $c->stash->{site_name}) ]
diff --git a/perllib/FixMyStreet/App/Controller/Reports.pm b/perllib/FixMyStreet/App/Controller/Reports.pm
index 1ca4cbb09..2508b822f 100644
--- a/perllib/FixMyStreet/App/Controller/Reports.pm
+++ b/perllib/FixMyStreet/App/Controller/Reports.pm
@@ -556,13 +556,9 @@ sub load_and_group_problems : Private {
         state      => [ keys %$states ]
     };
 
-    my $body = $c->stash->{body}; # Might be undef
+    $c->forward('check_non_public_reports_permission', [ $where ] );
 
-    if ($c->user_exists && ($c->user->is_superuser || ($body && $c->user->has_permission_to('report_inspect', $body->id)))) {
-        # See all reports, no restriction
-    } else {
-        $where->{non_public} = 0;
-    }
+    my $body = $c->stash->{body}; # Might be undef
 
     my $filter = {
         order_by => $c->stash->{sort_order},
@@ -653,6 +649,26 @@ sub load_and_group_problems : Private {
     return 1;
 }
 
+
+sub check_non_public_reports_permission : Private {
+    my ($self, $c, $where) = @_;
+
+    if ( $c->user_exists ) {
+        return if $c->user->is_super_user;
+
+        my $body = $c->stash->{body};
+
+        my $user_has_permission = $body && (
+            $c->user->has_permission_to('report_inspect', $body->id) ||
+            $c->user->has_permission_to('report_mark_private', $body->id)
+        );
+
+        $where->{non_public} = 0 unless $user_has_permission;
+    } else {
+        $where->{non_public} = 0;
+    }
+}
+
 sub redirect_index : Private {
     my ( $self, $c ) = @_;
     my $url = '/reports';