3 files changed, 81 insertions, 21 deletions

diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm
index 83fb0554c..825066026 100644
--- a/perllib/FixMyStreet/App/Controller/Auth.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth.pm
@@ -128,6 +128,18 @@ sub email_sign_in : Private {
         return;
     }
 
+    # If user registration is disabled then bail out at this point
+    # if there's not already a user with this email address.
+    # NB this uses the same template as a successful sign in to stop
+    # enumeration of valid email addresses.
+    if ( FixMyStreet->config('SIGNUPS_DISABLED')
+         && !$c->model('DB::User')->search({ email => $good_email })->count
+         && !$c->stash->{current_user} # don't break the change email flow
+    ) {
+        $c->stash->{template} = 'auth/token.html';
+        return;
+    }
+
     my $user_params = {};
     $user_params->{password} = $c->get_param('password_register')
         if $c->get_param('password_register');
@@ -199,6 +211,10 @@ sub token : Path('/M') : Args(1) {
 
     my $user = $c->model('DB::User')->find_or_new({ email => $data->{email} });
 
+    # Bail out if this is a new user and SIGNUPS_DISABLED is set
+    $c->detach( '/page_error_403_access_denied', [] )
+        if FixMyStreet->config('SIGNUPS_DISABLED') && !$user->in_storage && !$data->{old_email};
+
     if ($data->{old_email}) {
         # Were logged in as old_email, want to switch to email ($user)
         if ($user->in_storage) {
@@ -244,6 +260,8 @@ sub fb : Private {
 sub facebook_sign_in : Private {
     my ( $self, $c ) = @_;
 
+    $c->detach( '/page_error_403_access_denied', [] ) if FixMyStreet->config('SIGNUPS_DISABLED');
+
     my $fb = $c->forward('/auth/fb');
     my $url = $fb->get_authorization_url(scope => ['email']);
 
@@ -302,6 +320,8 @@ sub tw : Private {
 sub twitter_sign_in : Private {
     my ( $self, $c ) = @_;
 
+    $c->detach( '/page_error_403_access_denied', [] ) if FixMyStreet->config('SIGNUPS_DISABLED');
+
     my $twitter = $c->forward('/auth/tw');
     my $url = $twitter->get_authentication_url(callback => $c->uri_for('/auth/Twitter'));
 
diff --git a/perllib/FixMyStreet/App/Controller/Report.pm b/perllib/FixMyStreet/App/Controller/Report.pm
index c617f5733..60d373a16 100644
--- a/perllib/FixMyStreet/App/Controller/Report.pm
+++ b/perllib/FixMyStreet/App/Controller/Report.pm
@@ -316,6 +316,10 @@ sub inspect : Private {
         $c->stash->{templates_by_category} = $templates_by_category;
     }
 
+    if ($c->user->has_body_permission_to('planned_reports')) {
+        $c->stash->{post_inspect_url} = $c->req->referer;
+    }
+
     if ( $c->get_param('save') ) {
         $c->forward('/auth/check_csrf_token');
 
@@ -438,33 +442,36 @@ sub inspect : Private {
                 anonymous => 0,
                 %update_params,
             } );
-            # This problem might no longer be visible on the current cobrand,
-            # if its body has changed (e.g. by virtue of the category changing)
-            # so redirect to a cobrand where it can be seen if necessary
-            $problem->discard_changes;
+
             my $redirect_uri;
-            if ( $c->cobrand->is_council && !$c->cobrand->owns_problem($problem) ) {
+            $problem->discard_changes;
+
+            # If inspector, redirect back to the map view they came from
+            # with the right filters. If that wasn't set, go to /around at this
+            # report's location.
+            # We go here rather than the shortlist because it makes it much
+            # simpler to inspect many reports in the same location. The
+            # shortlist is always a single click away, being on the main nav.
+            if ($c->user->has_body_permission_to('planned_reports')) {
+                unless ($redirect_uri = $c->get_param("post_inspect_url")) {
+                    my $categories = join(',', @{ $c->user->categories });
+                    my $params = {
+                        lat => $problem->latitude,
+                        lon => $problem->longitude,
+                    };
+                    $params->{filter_category} = $categories if $categories;
+                    $params->{js} = 1 if $c->get_param('js');
+                    $redirect_uri = $c->uri_for( "/around", $params );
+                }
+            } elsif ( $c->cobrand->is_council && !$c->cobrand->owns_problem($problem) ) {
+                # This problem might no longer be visible on the current cobrand,
+                # if its body has changed (e.g. by virtue of the category changing)
+                # so redirect to a cobrand where it can be seen if necessary
                 $redirect_uri = $c->cobrand->base_url_for_report( $problem ) . $problem->url;
             } else {
                 $redirect_uri = $c->uri_for( $problem->url );
             }
 
-            # Or if inspector, redirect back to /around at this report's
-            # location with the right filters. We go here rather than the
-            # shortlist because it makes it much simpler to inspect many reports
-            # in the same location. The shortlist is always a single click away,
-            # being on the main nav.
-            if ($c->user->has_body_permission_to('planned_reports')) {
-                my $categories = join(',', @{ $c->user->categories });
-                my $params = {
-                    lat => $problem->latitude,
-                    lon => $problem->longitude,
-                };
-                $params->{filter_category} = $categories if $categories;
-                $params->{js} = 1 if $c->get_param('js');
-                $redirect_uri = $c->uri_for( "/around", $params );
-            }
-
             $c->log->debug( "Redirecting to: " . $redirect_uri );
             $c->res->redirect( $redirect_uri );
         }
diff --git a/perllib/FixMyStreet/App/Controller/Root.pm b/perllib/FixMyStreet/App/Controller/Root.pm
index 64d7fa6ae..7f70623ae 100644
--- a/perllib/FixMyStreet/App/Controller/Root.pm
+++ b/perllib/FixMyStreet/App/Controller/Root.pm
@@ -16,6 +16,18 @@ FixMyStreet::App::Controller::Root - Root Controller for FixMyStreet::App
 
 =head1 METHODS
 
+=head2 begin
+
+Any pre-flight checking for all requests
+
+=cut
+sub begin : Private {
+    my ( $self, $c ) = @_;
+
+    $c->forward( 'check_login_required' );
+}
+
+
 =head2 auto
 
 Set up general things for this instance
@@ -130,6 +142,27 @@ sub page_error : Private {
     $c->response->status($code);
 }
 
+sub check_login_required : Private {
+    my ($self, $c) = @_;
+
+    return if $c->user_exists || !FixMyStreet->config('LOGIN_REQUIRED');
+
+    # Whitelisted URL patterns are allowed without login
+    my $whitelist = qr{
+          ^auth(/|$)
+        | ^js/translation_strings\.(.*?)\.js
+        | ^[PACQM]/  # various tokens that log the user in
+    }x;
+    return if $c->request->path =~ $whitelist;
+
+    # Blacklisted URLs immediately 404
+    # This is primarily to work around a Safari bug where the appcache
+    # URL is requested in an infinite loop if it returns a 302 redirect.
+    $c->detach('/page_error_404_not_found', []) if $c->request->path =~ /^offline/;
+
+    $c->detach( '/auth/redirect' );
+}
+
 =head2 end
 
 Attempt to render a view, if needed.