Diffstat (limited to 'perllib')
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Report.pm | 11 | ||||
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Tokens.pm | 4 | ||||
-rw-r--r-- | perllib/FixMyStreet/DB/Result/Problem.pm | 25 |
3 files changed, 36 insertions, 4 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Report.pm b/perllib/FixMyStreet/App/Controller/Report.pm
index 7168e8379..72f96013a 100644
--- a/perllib/FixMyStreet/App/Controller/Report.pm
+++ b/perllib/FixMyStreet/App/Controller/Report.pm
@@ -160,7 +160,16 @@ sub load_problem_or_display_error : Private {
 $c->stash->{problem} = $problem;
 my $permissions = $c->stash->{_permissions} = $c->forward( 'check_has_permission_to', [ qw/report_inspect report_edit_category report_edit_priority report_mark_private / ] );
- if ( !$c->user || ($c->user->id != $problem->user->id && !($permissions->{report_inspect} || $permissions->{report_mark_private})) ) {
+
+ # If someone has clicked a unique token link in an email to them
+ my $from_email = $c->sessionid && $c->flash->{alert_to_reporter} && $c->flash->{alert_to_reporter} == $problem->id;
+
+ my $allowed = 0;
+ $allowed = 1 if $from_email;
+ $allowed = 1 if $c->user_exists && $c->user->id == $problem->user->id;
+ $allowed = 1 if $permissions->{report_inspect} || $permissions->{report_mark_private};
+
+ unless ($allowed) {
 my $url = '/auth?r=report/' . $problem->id;
 $c->detach( '/page_error_403_access_denied',
diff --git a/perllib/FixMyStreet/App/Controller/Tokens.pm b/perllib/FixMyStreet/App/Controller/Tokens.pm
index 659d763de..c4e601a85 100644
--- a/perllib/FixMyStreet/App/Controller/Tokens.pm
+++ b/perllib/FixMyStreet/App/Controller/Tokens.pm
@@ -185,9 +185,7 @@ sub alert_to_reporter : Path('/R') {
 my $problem = $c->model('DB::Problem')->find( { id => $problem_id } ) || $c->detach('token_error');
- $c->detach('token_too_old') if $auth_token->created < DateTime->now->subtract( months => 1 );
-
- $c->flash->{alert_to_reporter} = 1;
+ $c->flash->{alert_to_reporter} = $problem->id;
 my $report_uri = $c->cobrand->base_url_for_report( $problem ) . $problem->url;
 $c->res->redirect($report_uri);
 }
diff --git a/perllib/FixMyStreet/DB/Result/Problem.pm b/perllib/FixMyStreet/DB/Result/Problem.pm
index f10f1f7ec..b68c228b9 100644
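Review bot: The new `$from_email` branch is an access-control decision that grants a view of a non-public report on the strength of a session flash value, and the comment above it does not say what makes that value trustworthy; a reader of this block alone cannot tell whether the client could have set it. I would extend the comment to record the invariant the grant depends on: `# If someone has clicked a unique token link in an email to them: the flash value is the report id, written only by Tokens.pm's alert_to_reporter after it has validated the /R/ token, so it is server-set and cannot be supplied by the client`. The numeric `==` also means a flash value of `1` left behind by the previous implementation (which stored `1` rather than an id) would compare equal to the report with id 1 while such a session is still alive; this is marginal but worth a sentence in the same comment. The body of load_problem_or_display_error continues past the end of the hunk.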
--- a/perllib/FixMyStreet/DB/Result/Problem.pm
+++ b/perllib/FixMyStreet/DB/Result/Problem.pm
@@ -525,6 +525,31 @@ sub tokenised_url {
 return "/M/". $token->token;
 }
+has view_token => (
+ is => 'ro',
+ lazy => 1,
+ default => sub {
+ my $self = shift;
+ my $token = FixMyStreet::App->model('DB::Token')->create({
+ scope => 'alert_to_reporter',
+ data => { id => $self->id }
+ });
+ },
+);
+
+=head2 view_url
+
+Return a url for this problem report that will always show it
+(even if e.g. a private report) but does not log the user in.
+
+=cut
+
+sub view_url {
+ my $self = shift;
+ return $self->url unless $self->non_public;
+ return "/R/" . $self->view_token->token;
+}
+
 =head2 is_hidden
 
 Returns 1 if the problem is in an hidden state otherwise 0.
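Review bot: The `view_token` default stores the created row in a lexical `$token` that is never used and relies on the value of that assignment being the sub's implicit return, which reads like an unfinished edit; it is clearer as `return FixMyStreet::App->model('DB::Token')->create({ scope => 'alert_to_reporter', data => { id => $self->id } });`. Because `lazy` caches per object instance rather than per report, every Problem object on which `view_url` is called for a non-public report inserts a fresh token row, and with the expiry check removed in Tokens.pm in this same commit none of those rows ever stop being valid, so the `=head2 view_url` POD should state that calling it on a non-public report creates a new persistent DB::Token (scope alert_to_reporter) each time and that the resulting link does not expire. I would also note in the POD that the returned path is relative, like `url`, so callers must prefix the cobrand base URL as Tokens.pm does.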