5 files changed, 79 insertions, 33 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Report.pm b/perllib/FixMyStreet/App/Controller/Report.pm
index b1cc5885a..b9d773f5e 100644
--- a/perllib/FixMyStreet/App/Controller/Report.pm
+++ b/perllib/FixMyStreet/App/Controller/Report.pm
@@ -76,7 +76,7 @@ sub _display : Private {
     $c->forward( 'load_updates' );
     $c->forward( 'format_problem_for_display' );
 
-    my $permissions = $c->stash->{_permissions} = $c->forward( 'check_has_permission_to',
+    my $permissions = $c->stash->{_permissions} ||= $c->forward( 'check_has_permission_to',
         [ qw/report_inspect report_edit_category report_edit_priority/ ] );
     if (any { $_ } values %$permissions) {
         $c->stash->{template} = 'report/inspect.html';
@@ -128,7 +128,11 @@ sub load_problem_or_display_error : Private {
             [ _('That report has been removed from FixMyStreet.') ]    #
         );
     } elsif ( $problem->non_public ) {
-        if ( !$c->user || $c->user->id != $problem->user->id ) {
+        # Creator, and inspection users can see non_public reports
+        $c->stash->{problem} = $problem;
+        my $permissions = $c->stash->{_permissions} = $c->forward( 'check_has_permission_to',
+            [ qw/report_inspect report_edit_category report_edit_priority/ ] );
+        if ( !$c->user || ($c->user->id != $problem->user->id && !$permissions->{report_inspect}) ) {
             $c->detach(
                 '/page_error_403_access_denied',
                 [ sprintf(_('That report cannot be viewed on %s.'), $c->stash->{site_name}) ]
@@ -337,6 +341,8 @@ sub inspect : Private {
         my %update_params = ();
 
         if ($permissions->{report_inspect}) {
+            $problem->non_public($c->get_param('non_public') ? 1 : 0);
+
             $problem->set_extra_metadata( traffic_information => $c->get_param('traffic_information') );
 
             if ( my $info = $c->get_param('detailed_information') ) {
@@ -450,22 +456,24 @@ sub inspect : Private {
             }
             $problem->lastupdate( \'current_timestamp' );
             $problem->update;
-            my $timestamp = \'current_timestamp';
-            if (my $saved_at = $c->get_param('saved_at')) {
-                $timestamp = DateTime->from_epoch( epoch => $saved_at );
+            if ($update_text || %update_params) {
+                my $timestamp = \'current_timestamp';
+                if (my $saved_at = $c->get_param('saved_at')) {
+                    $timestamp = DateTime->from_epoch( epoch => $saved_at );
+                }
+                my $name = $c->user->from_body ? $c->user->from_body->name : $c->user->name;
+                $problem->add_to_comments( {
+                    text => $update_text,
+                    created => $timestamp,
+                    confirmed => $timestamp,
+                    user_id => $c->user->id,
+                    name => $name,
+                    state => 'confirmed',
+                    mark_fixed => 0,
+                    anonymous => 0,
+                    %update_params,
+                } );
             }
-            my $name = $c->user->from_body ? $c->user->from_body->name : $c->user->name;
-            $problem->add_to_comments( {
-                text => $update_text,
-                created => $timestamp,
-                confirmed => $timestamp,
-                user_id => $c->user->id,
-                name => $name,
-                state => 'confirmed',
-                mark_fixed => 0,
-                anonymous => 0,
-                %update_params,
-            } );
 
             my $redirect_uri;
             $problem->discard_changes;
diff --git a/perllib/FixMyStreet/App/Controller/Report/New.pm b/perllib/FixMyStreet/App/Controller/Report/New.pm
index f9e07dd41..888110429 100644
--- a/perllib/FixMyStreet/App/Controller/Report/New.pm
+++ b/perllib/FixMyStreet/App/Controller/Report/New.pm
@@ -870,6 +870,7 @@ sub process_report : Private {
         'subcategory',                              #
         'partial',                               #
         'service',                               #
+        'non_public',
       );
 
     # load the report
@@ -897,6 +898,8 @@ sub process_report : Private {
         $report->anonymous( $params{may_show_name} ? 0 : 1 );
     }
 
+    $report->non_public($params{non_public} ? 1 : 0);
+
     # clean up text before setting
     $report->title( Utils::cleanup_text( $params{title} ) );
 
diff --git a/perllib/FixMyStreet/App/Controller/Reports.pm b/perllib/FixMyStreet/App/Controller/Reports.pm
index 7c3796c42..15a220644 100644
--- a/perllib/FixMyStreet/App/Controller/Reports.pm
+++ b/perllib/FixMyStreet/App/Controller/Reports.pm
@@ -544,20 +544,27 @@ sub load_and_group_problems : Private {
 
     my $states = $c->stash->{filter_problem_states};
     my $where = {
-        non_public => 0,
         state      => [ keys %$states ]
     };
+
+    my $body = $c->stash->{body}; # Might be undef
+
+    if ($c->user_exists && ($c->user->is_superuser || ($body && $c->user->has_permission_to('report_inspect', $body->id)))) {
+        # See all reports, no restriction
+    } else {
+        $where->{non_public} = 0;
+    }
+
     my $filter = {
         order_by => $c->stash->{sort_order},
         rows => $c->cobrand->reports_per_page,
     };
-    if ($c->user_exists && $c->stash->{body}) {
-        my $bid = $c->stash->{body}->id;
+    if ($c->user_exists && $body) {
         my $prefetch = [];
-        if ($c->user->has_permission_to('planned_reports', $bid)) {
+        if ($c->user->has_permission_to('planned_reports', $body->id)) {
             push @$prefetch, 'user_planned_reports';
         }
-        if ($c->user->has_permission_to('report_edit_priority', $bid) || $c->user->has_permission_to('report_inspect', $bid)) {
+        if ($c->user->has_permission_to('report_edit_priority', $body->id) || $c->user->has_permission_to('report_inspect', $body->id)) {
             push @$prefetch, 'response_priority';
         }
         $prefetch = $prefetch->[0] if @$prefetch == 1;
@@ -589,9 +596,9 @@ sub load_and_group_problems : Private {
         $where->{areas} = [
             map { { 'like', '%,' . $_->{id} . ',%' } } @{$c->stash->{wards}}
         ];
-        $problems = $problems->to_body($c->stash->{body});
-    } elsif ($c->stash->{body}) {
-        $problems = $problems->to_body($c->stash->{body});
+        $problems = $problems->to_body($body);
+    } elsif ($body) {
+        $problems = $problems->to_body($body);
     }
 
     if (my $bbox = $c->get_param('bbox')) {
@@ -609,7 +616,7 @@ sub load_and_group_problems : Private {
 
     my ( %problems, @pins );
     while ( my $problem = $problems->next ) {
-        if ( !$c->stash->{body} ) {
+        if ( !$body ) {
             add_row( $c, $problem, 0, \%problems, \@pins );
             next;
         }
@@ -623,7 +630,7 @@ sub load_and_group_problems : Private {
             # Add to bodies it was sent to
             my $bodies = $problem->bodies_str_ids;
             foreach ( @$bodies ) {
-                next if $_ != $c->stash->{body}->id;
+                next if $_ != $body->id;
                 add_row( $c, $problem, $_, \%problems, \@pins );
             }
         }
diff --git a/perllib/FixMyStreet/DB/ResultSet/Nearby.pm b/perllib/FixMyStreet/DB/ResultSet/Nearby.pm
index 6e5e0220f..ab554eb9d 100644
--- a/perllib/FixMyStreet/DB/ResultSet/Nearby.pm
+++ b/perllib/FixMyStreet/DB/ResultSet/Nearby.pm
@@ -17,13 +17,14 @@ sub nearby {
     }
 
     my $params = {
-        non_public => 0,
         state => [ keys %$states ],
     };
     $params->{id} = { -not_in => $ids }
         if $ids;
     $params->{category} = $categories if $categories && @$categories;
 
+    FixMyStreet::DB::ResultSet::Problem->non_public_if_possible($params, $c);
+
     $rs = $c->cobrand->problems_restriction($rs);
 
     my $attrs = {
diff --git a/perllib/FixMyStreet/DB/ResultSet/Problem.pm b/perllib/FixMyStreet/DB/ResultSet/Problem.pm
index 3f083c073..458efa179 100644
--- a/perllib/FixMyStreet/DB/ResultSet/Problem.pm
+++ b/perllib/FixMyStreet/DB/ResultSet/Problem.pm
@@ -15,15 +15,41 @@ sub set_restriction {
     $site_key = $key;
 }
 
-sub to_body {
-    my ($rs, $bodies, $join) = @_;
-    return $rs unless $bodies;
+sub body_query {
+    my ($rs, $bodies) = @_;
     unless (ref $bodies eq 'ARRAY') {
         $bodies = [ map { ref $_ ? $_->id : $_ } $bodies ];
     }
+    \[ "regexp_split_to_array(bodies_str, ',') && ?", [ {} => $bodies ] ]
+}
+
+# Edits PARAMS in place to either hide non_public reports, or show them
+# if user is superuser (all) or inspector (correct body)
+sub non_public_if_possible {
+    my ($rs, $params, $c) = @_;
+    if ($c->user_exists) {
+        if ($c->user->is_superuser) {
+            # See all reports, no restriction
+        } elsif ($c->user->has_body_permission_to('report_inspect')) {
+            $params->{'-or'} = [
+                non_public => 0,
+                $rs->body_query($c->user->from_body->id),
+            ];
+        } else {
+            $params->{non_public} = 0;
+        }
+    } else {
+        $params->{non_public} = 0;
+    }
+}
+
+sub to_body {
+    my ($rs, $bodies, $join) = @_;
+    return $rs unless $bodies;
     $join = { join => 'problem' } if $join;
     $rs = $rs->search(
-        \[ "regexp_split_to_array(bodies_str, ',') && ?", [ {} => $bodies ] ],
+        # This isn't using $rs->body_query because $rs might be Problem, Comment, or Nearby
+        FixMyStreet::DB::ResultSet::Problem->body_query($bodies),
         $join
     );
     return $rs;
@@ -151,13 +177,14 @@ sub around_map {
     }
 
     my $q = {
-            non_public => 0,
             state => [ keys %{$p{states}} ],
             latitude => { '>=', $p{min_lat}, '<', $p{max_lat} },
             longitude => { '>=', $p{min_lon}, '<', $p{max_lon} },
     };
     $q->{category} = $p{categories} if $p{categories} && @{$p{categories}};
 
+    $rs->non_public_if_possible($q, $c);
+
     my $problems = mySociety::Locale::in_gb_locale {
         $rs->search( $q, $attr )->include_comment_counts->page($p{page});
     };