Diffstat (limited to 'perllib/FixMyStreet')
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Admin.pm | 7 | ||||
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Admin/ResponsePriorities.pm | 5 | ||||
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Offline.pm | 9 | ||||
-rw-r--r-- | perllib/FixMyStreet/Cobrand/Default.pm | 10 | ||||
-rw-r--r-- | perllib/FixMyStreet/Cobrand/FiksGataMi.pm | 2 | ||||
-rw-r--r-- | perllib/FixMyStreet/Cobrand/FixaMinGata.pm | 2 | ||||
-rw-r--r-- | perllib/FixMyStreet/Cobrand/UKCouncils.pm | 6 | ||||
-rw-r--r-- | perllib/FixMyStreet/DB/Result/User.pm | 15 | ||||
-rw-r--r-- | perllib/FixMyStreet/Script/Reports.pm | 2 | ||||
-rw-r--r-- | perllib/FixMyStreet/SendReport/Email.pm | 2 |
10 files changed, 35 insertions, 25 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index 592d37d4e..d8c5cdf6d 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -1006,10 +1006,9 @@ sub load_template_body : Private { my ($self, $c, $body_id) = @_; my $zurich_user = $c->user->from_body && $c->cobrand->moniker eq 'zurich'; - my $has_permission = $c->user->has_body_permission_to('template_edit') && - $c->user->from_body->id eq $body_id; + my $has_permission = $c->user->has_body_permission_to('template_edit', $body_id); - unless ( $c->user->is_superuser || $zurich_user || $has_permission ) { + unless ( $zurich_user || $has_permission ) { $c->detach( '/page_error_404_not_found', [] ); }
@@ -1235,7 +1234,7 @@ sub user_edit : Path('user_edit') : Args(1) { my $user = $c->cobrand->users->find( { id => $id } ); $c->detach( '/page_error_404_not_found', [] ) unless $user; - unless ( $c->user->is_superuser || $c->user->has_body_permission_to('user_edit') || $c->cobrand->moniker eq 'zurich' ) { + unless ( $c->user->has_body_permission_to('user_edit') || $c->cobrand->moniker eq 'zurich' ) { $c->detach('/page_error_403_access_denied', []); }
diff --git a/perllib/FixMyStreet/App/Controller/Admin/ResponsePriorities.pm b/perllib/FixMyStreet/App/Controller/Admin/ResponsePriorities.pm
index 032e593c6..a6c13c117 100644
--- a/perllib/FixMyStreet/App/Controller/Admin/ResponsePriorities.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin/ResponsePriorities.pm
@@ -92,10 +92,9 @@ sub edit : Path : Args(2) { sub load_user_body : Private { my ($self, $c, $body_id) = @_; - my $has_permission = $c->user->has_body_permission_to('responsepriority_edit') && - $c->user->from_body->id eq $body_id; + my $has_permission = $c->user->has_body_permission_to('responsepriority_edit', $body_id); - unless ( $c->user->is_superuser || $has_permission ) { + unless ( $has_permission ) { $c->detach( '/page_error_404_not_found' ); }
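Review bot: In the `user_edit` hunk of Admin.pm the gate `has_body_permission_to('user_edit')` is called without a body id, so nothing visible here relates the `$user` loaded by `find( { id => $id } )` to the caller's own body. The action continues outside the hunk, so the scoping may well be enforced further down; if it is, a comment on the gate such as `# coarse gate only; target user's body is checked below` would make that clear, and if it is not, the target's `from_body` should be compared with `$c->user->from_body` before any edit is applied. The other two hunks on this line (`load_template_body`, `load_user_body`) do pass `$body_id` and do not have this gap.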
diff --git a/perllib/FixMyStreet/App/Controller/Offline.pm b/perllib/FixMyStreet/App/Controller/Offline.pm
index 9acb33f7e..5f3b69f2e 100644
--- a/perllib/FixMyStreet/App/Controller/Offline.pm
+++ b/perllib/FixMyStreet/App/Controller/Offline.pm
@@ -11,6 +11,7 @@ FixMyStreet::App::Controller::Offline - Catalyst Controller =head1 DESCRIPTION Offline pages Catalyst Controller. +On staging site, appcache only for people who want it. =head1 METHODS
@@ -18,6 +19,10 @@ Offline pages Catalyst Controller. sub manifest : Path("/offline/appcache.manifest") { my ($self, $c) = @_; + if (FixMyStreet->staging_flag('enable_appcache', 0)) { + $c->response->status(404); + $c->response->body('NOT FOUND'); + } $c->res->content_type('text/cache-manifest; charset=utf-8'); $c->res->header(Cache_Control => 'no-cache, no-store'); }
@@ -25,6 +30,10 @@ sub manifest : Path("/offline/appcache.manifest") { sub appcache : Path("/offline/appcache") { my ($self, $c) = @_; $c->detach('/page_error_404_not_found', []) if keys %{$c->req->params}; + if (FixMyStreet->staging_flag('enable_appcache', 0)) { + $c->response->status(404); + $c->response->body('NOT FOUND'); + } } __PACKAGE__->meta->make_immutable;
diff --git a/perllib/FixMyStreet/Cobrand/Default.pm b/perllib/FixMyStreet/Cobrand/Default.pm
index 27111deb2..61982c47a 100644
--- a/perllib/FixMyStreet/Cobrand/Default.pm
+++ b/perllib/FixMyStreet/Cobrand/Default.pm
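Review bot: In Offline.pm the block added to `manifest` sets a 404 status and body but does not stop the action, so the following lines still put `text/cache-manifest` and the cache headers on the 404 response. Ending the block with `$c->detach;`, or reusing `$c->detach('/page_error_404_not_found', [])` as the first line of `appcache` already does, would make the refusal explicit; the same applies to the identical block added to `appcache`. What the second argument `0` to `staging_flag` means is not visible in this diff, so a comment such as `# appcache is opt-in on staging` above each block would help the next reader.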
@@ -646,27 +646,27 @@ sub admin_pages { $pages->{config} = [ _('Configuration'), 9]; }; # And some that need special permissions - if ( $user->is_superuser || $user->has_body_permission_to('category_edit') ) { + if ( $user->has_body_permission_to('category_edit') ) { my $page_title = $user->is_superuser ? _('Bodies') : _('Categories'); $pages->{bodies} = [ $page_title, 1 ]; $pages->{body} = [ undef, undef ]; } - if ( $user->is_superuser || $user->has_body_permission_to('report_edit') ) { + if ( $user->has_body_permission_to('report_edit') ) { $pages->{reports} = [ _('Reports'), 2 ]; $pages->{report_edit} = [ undef, undef ]; $pages->{update_edit} = [ undef, undef ]; $pages->{abuse_edit} = [ undef, undef ]; } - if ( $user->is_superuser || $user->has_body_permission_to('template_edit') ) { + if ( $user->has_body_permission_to('template_edit') ) { $pages->{templates} = [ _('Templates'), 3 ]; $pages->{template_edit} = [ undef, undef ]; }; - if ( $user->is_superuser || $user->has_body_permission_to('responsepriority_edit') ) { + if ( $user->has_body_permission_to('responsepriority_edit') ) { $pages->{responsepriorities} = [ _('Priorities'), 4 ]; $pages->{responsepriority_edit} = [ undef, undef ]; }; - if ( $user->is_superuser || $user->has_body_permission_to('user_edit') ) { + if ( $user->has_body_permission_to('user_edit') ) { $pages->{users} = [ _('Users'), 6 ]; $pages->{user_edit} = [ undef, undef ]; }
diff --git a/perllib/FixMyStreet/Cobrand/FiksGataMi.pm b/perllib/FixMyStreet/Cobrand/FiksGataMi.pm
index 242735073..cf0d72f8e 100644
--- a/perllib/FixMyStreet/Cobrand/FiksGataMi.pm
+++ b/perllib/FixMyStreet/Cobrand/FiksGataMi.pm
@@ -30,7 +30,7 @@ sub disambiguate_location { sub area_types { my $self = shift; - return $self->next::method() if FixMyStreet->staging_flag('skip_checks'); [ 'NKO', 'NFY', 'NRA' ]; }
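Review bot: The five `has_body_permission_to(...)` tests in the Default.pm `admin_pages` hunk now let superusers through only because the helper in DB/Result/User.pm returns 1 for them, which is no longer evident at the call sites. A line under `# And some that need special permissions`, for example `# has_body_permission_to() is also true for superusers`, would keep that dependency visible. The body of `admin_pages` starts and ends outside the hunk; from what is shown these entries appear to control which admin pages are offered, so the controllers still need their own checks, as Admin.pm and ResponsePriorities.pm have in this commit.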
diff --git a/perllib/FixMyStreet/Cobrand/FixaMinGata.pm b/perllib/FixMyStreet/Cobrand/FixaMinGata.pm
index 5b78b3fa1..324811008 100644
--- a/perllib/FixMyStreet/Cobrand/FixaMinGata.pm
+++ b/perllib/FixMyStreet/Cobrand/FixaMinGata.pm
@@ -31,7 +31,7 @@ sub disambiguate_location { sub area_types { my $self = shift; - return $self->next::method() if FixMyStreet->config('STAGING_SITE') && FixMyStreet->config('SKIP_CHECKS_ON_STAGING'); + return $self->next::method() if FixMyStreet->staging_flag('skip_checks'); [ 'KOM' ]; }
diff --git a/perllib/FixMyStreet/Cobrand/UKCouncils.pm b/perllib/FixMyStreet/Cobrand/UKCouncils.pm
index c22224307..64ca7fc62 100644
--- a/perllib/FixMyStreet/Cobrand/UKCouncils.pm
+++ b/perllib/FixMyStreet/Cobrand/UKCouncils.pm
@@ -42,13 +42,13 @@ sub restriction { sub problems_restriction { my ($self, $rs) = @_; - return $rs if FixMyStreet->config('STAGING_SITE') && FixMyStreet->config('SKIP_CHECKS_ON_STAGING'); + return $rs if FixMyStreet->staging_flag('skip_checks'); return $rs->to_body($self->council_id); } sub updates_restriction { my ($self, $rs) = @_; - return $rs if FixMyStreet->config('STAGING_SITE') && FixMyStreet->config('SKIP_CHECKS_ON_STAGING'); + return $rs if FixMyStreet->staging_flag('skip_checks'); return $rs->to_body($self->council_id); }
@@ -105,7 +105,7 @@ sub enter_postcode_text { sub area_check { my ( $self, $params, $context ) = @_; - return 1 if FixMyStreet->config('STAGING_SITE') && FixMyStreet->config('SKIP_CHECKS_ON_STAGING'); + return 1 if FixMyStreet->staging_flag('skip_checks'); my $councils = $params->{all_areas}; my $council_match = defined $councils->{$self->council_id};
diff --git a/perllib/FixMyStreet/DB/Result/User.pm b/perllib/FixMyStreet/DB/Result/User.pm
index b34be674a..cf6de9a76 100644
--- a/perllib/FixMyStreet/DB/Result/User.pm
+++ b/perllib/FixMyStreet/DB/Result/User.pm
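Review bot: In UKCouncils.pm `problems_restriction`, `updates_restriction` and `area_check` now drop the council restriction whenever `staging_flag('skip_checks')` is true, and the explicit `STAGING_SITE` test that used to stand beside the flag is gone from the call sites. `staging_flag` is defined outside this diff, so it should be confirmed, and covered by a test, that it returns false whenever `STAGING_SITE` is off regardless of what the flags hold; otherwise a stray `skip_checks` entry in a production configuration would remove the body scoping of reports and updates. A comment at the first use, e.g. `# staging_flag() is always false off staging`, would record the assumption. The same replacement is made in the `area_types` hunks of FiksGataMi.pm and FixaMinGata.pm.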
@@ -287,23 +287,26 @@ sub has_permission_to { =head2 has_body_permission_to -Checks if the User has a from_body set, and the specified permission on that body. +Checks if the User has a from_body set, the specified permission on that body, +and optionally that their from_body is one particular body. Instead of saying: - ($user->from_body && $user->has_permission_to('user_edit', $user->from_body->id)) + ($user->from_body && $user->from_body->id == $body_id && $user->has_permission_to('user_edit', $body_id)) You can just say: - $user->has_body_permission_to('user_edit') - -NB unlike has_permission_to, this doesn't blindly return 1 if the user is a superuser. + $user->has_body_permission_to('user_edit', $body_id) =cut sub has_body_permission_to { - my ($self, $permission_type) = @_; + my ($self, $permission_type, $body_id) = @_; + + return 1 if $self->is_superuser; + return unless $self->from_body; + return if $body_id && $self->from_body->id != $body_id; return $self->has_permission_to($permission_type, $self->from_body->id); }
diff --git a/perllib/FixMyStreet/Script/Reports.pm b/perllib/FixMyStreet/Script/Reports.pm
index 7d614bc30..193c5fa41 100644
--- a/perllib/FixMyStreet/Script/Reports.pm
+++ b/perllib/FixMyStreet/Script/Reports.pm
@@ -211,7 +211,7 @@ sub send(;$) { . " ]\n\n"; } - if (FixMyStreet->config('STAGING_SITE') && !FixMyStreet->config('SEND_REPORTS_ON_STAGING')) { + if (FixMyStreet->staging_flag('send_reports', 0)) { # on a staging server send emails to ourselves rather than the bodies %reporters = map { $_ => $reporters{$_} } grep { /FixMyStreet::SendReport::Email/ } keys %reporters; unless (%reporters) {
diff --git a/perllib/FixMyStreet/SendReport/Email.pm b/perllib/FixMyStreet/SendReport/Email.pm
index 2eab1c754..4cee58d42 100644
--- a/perllib/FixMyStreet/SendReport/Email.pm
+++ b/perllib/FixMyStreet/SendReport/Email.pm
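Review bot: In `has_body_permission_to` (DB/Result/User.pm) the new guard `return if $body_id && $self->from_body->id != $body_id;` is looser than the `eq` test it replaces in Admin.pm and ResponsePriorities.pm: a false `$body_id` such as `0` or `''` skips the body comparison altogether, and `!=` compares numerically, so a value with trailing non-digits still matches its leading number. If `$body_id` can reach this method from a request path, as the callers in this commit suggest, `return if defined $body_id && $self->from_body->id ne $body_id;` keeps the previous strictness. The POD dropped its superuser note without saying that the method now returns 1 for superusers before any body check; a line such as `Superusers always get 1, whatever $body_id is.` should replace it. Callers outside this diff that relied on the old behaviour of not short-circuiting for superusers need checking.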
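Review bot: In Script/Reports.pm the old condition fell back to the safe behaviour when `SEND_REPORTS_ON_STAGING` was unset, keeping staging mail away from the real bodies, but whether `staging_flag('send_reports', 0)` is also true for a missing `send_reports` key cannot be told from this diff. If the helper compares the stored value with `0`, an unset flag on a staging site could let reports go out to bodies; the default should be confirmed and pinned with a test. A comment on the condition, e.g. `# true on staging unless send_reports is switched on`, would document the intended reading of the second argument. The same call replaces the check in the SendReport/Email.pm hunk, and `send` continues outside both hunks.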
@@ -67,7 +67,7 @@ sub send { my $recips = $self->build_recipient_list( $row, $h ); # on a staging server send emails to ourselves rather than the bodies - if (FixMyStreet->config('STAGING_SITE') && !FixMyStreet->config('SEND_REPORTS_ON_STAGING') && !FixMyStreet->test_mode) { + if (FixMyStreet->staging_flag('send_reports', 0) && !FixMyStreet->test_mode) { $recips = 1; @{$self->to} = [ $row->user->email, $self->to->[0][1] || $row->name ]; } |