1 files changed, 57 insertions, 9 deletions

diff --git a/t/app/controller/alert_new.t b/t/app/controller/alert_new.t
index ed2bc814c..7eba90530 100644
--- a/t/app/controller/alert_new.t
+++ b/t/app/controller/alert_new.t
@@ -6,6 +6,9 @@ my $mech = FixMyStreet::TestMech->new;
 my $user = FixMyStreet::App->model('DB::User')
           ->new( { email => 'test@example.com' } );
 
+my $body = $mech->create_body_ok(2651, 'Edinburgh Council');
+my ($report) = $mech->create_problems_for_body(1, $body->id, 'Existing');
+
 foreach my $test (
     {
         email      => $user->email,
@@ -51,8 +54,8 @@ foreach my $test (
         type       => 'new_updates',
         content    => 'Click the link in our confirmation email to activate your alert',
         email_text => "confirms that you'd like to receive an email",
-        uri    => '/alert/subscribe?type=updates&rznvy=' . $user->email . '&id=1',
-        param1 => 1,
+        uri    => '/alert/subscribe?type=updates&rznvy=' . $user->email . '&id=' . $report->id,
+        param1 => $report->id,
     }
   )
 {
@@ -61,7 +64,7 @@ foreach my $test (
 
         my $type = $test->{type};
 
-        $mech->get_ok('/alert/subscribe?id=1');
+        $mech->get_ok('/alert/subscribe?id=' . $report->id);
         my ($csrf) = $mech->content =~ /name="token" value="([^"]*)"/;
 
         $mech->get_ok( $test->{uri} . "&token=$csrf" );
@@ -155,7 +158,7 @@ foreach my $test (
         # clear existing data so we can be sure we're creating it
         ok $alert->delete() if $alert && !$test->{exist};
 
-        $mech->get_ok('/alert/subscribe?id=1');
+        $mech->get_ok('/alert/subscribe?id=' . $report->id);
         my ($csrf) = $mech->content =~ /name="token" value="([^"]*)"/;
 
         $mech->get_ok( '/alert/subscribe?type=local&rznvy=' . $user->email . '&feed=area:1000:A_Location&token=' . $csrf );
@@ -179,8 +182,6 @@ foreach my $test (
     };
 }
 
-my $body = $mech->create_body_ok(2651, 'Edinburgh Council');
-
 foreach my $test (
     {
         desc       => 'logged in user signing up',
@@ -231,8 +232,8 @@ for my $test (
         type       => 'new_updates',
         content    => 'Click the link in our confirmation email to activate your alert',
         email_text => 'confirm the alert',
-        uri    => '/alert/subscribe?type=updates&rznvy=' . $user->email . '&id=1',
-        param1 => 1,
+        uri    => '/alert/subscribe?type=updates&rznvy=' . $user->email . '&id=' . $report->id,
+        param1 => $report->id,
     }
   )
 {
@@ -255,7 +256,7 @@ for my $test (
           FixMyStreet::DB->resultset('Abuse')
           ->find_or_create( { email => $test->{email} } );
 
-        $mech->get_ok('/alert/subscribe?id=1');
+        $mech->get_ok('/alert/subscribe?id=' . $report->id);
         my ($csrf) = $mech->content =~ /name="token" value="([^"]*)"/;
 
         $mech->get_ok( $test->{uri} . "&token=$csrf" );
@@ -288,6 +289,53 @@ for my $test (
     };
 }
 
+subtest 'Test body user signing someone else up for alerts' => sub {
+    my $staff_user = $mech->create_user_ok('astaffuser@example.com', name => 'A staff user', from_body => $body);
+    $mech->log_in_ok($staff_user->email);
+
+    $mech->get_ok('/alert/subscribe?id=' . $report->id);
+    my ($csrf) = $mech->content =~ /name="token" value="([^"]*)"/;
+    $mech->post_ok('/alert/subscribe', { rznvy => 'someoneelse@example.org', id => $report->id, type => 'updates', token => $csrf });
+
+    my $user = FixMyStreet::DB->resultset('User')->find({ email => 'someoneelse@example.org' });
+    is $user, undef, 'No user made by bad request';
+
+    my $alert = FixMyStreet::DB->resultset('Alert')->find({
+        user       => $staff_user,
+        alert_type => 'new_updates',
+        parameter  => $report->id,
+        confirmed  => 1,
+    });
+    ok $alert, 'New alert created with logged in user';
+    $alert->delete;
+
+    $staff_user->user_body_permissions->create({ permission_type => 'contribute_as_another_user', body => $body });
+    $mech->get_ok('/alert/subscribe?id=' . $report->id);
+    $mech->submit_form_ok({ with_fields => { rznvy => 'someoneelse@example.org' } });
+    $mech->content_contains('Email alert created');
+
+    $user = FixMyStreet::DB->resultset('User')->find({ email => 'someoneelse@example.org' });
+    ok $user, 'user created for alert';
+
+    $alert = FixMyStreet::DB->resultset('Alert')->find({
+        user       => $user,
+        alert_type => 'new_updates',
+        parameter  => $report->id,
+        confirmed  => 1,
+    });
+    ok $alert, 'New alert created for another user';
+
+    $alert = FixMyStreet::DB->resultset('Alert')->find({
+        user       => $staff_user,
+        alert_type => 'new_updates',
+        parameter  => $report->id,
+        confirmed  => 1,
+    });
+    is $alert, undef, 'No alert created for staff user';
+};
+
+$report->delete; # Emails sent otherwise below
+
 my $gloucester = $mech->create_body_ok(2226, 'Gloucestershire County Council');
 $mech->create_body_ok(2326, 'Cheltenham Borough Council');