From 1de47094d7a569c0055c0d23657140772c87d93d Mon Sep 17 00:00:00 2001
From: Matthew Somerville
Date: Thu, 20 Sep 2018 08:50:05 +0100
Subject: Don't lose from_body if edited by non-superuser.

If an admin with the user_edit permission but not user_assign_body edited a user with from_body set, the from_body field was lost.
---
 t/app/controller/admin/permissions.t | 10 ++++++++++
 1 file changed, 10 insertions(+) (limited to 't/app/controller')
diff --git a/t/app/controller/admin/permissions.t b/t/app/controller/admin/permissions.t
index 7944cc0b1..e7f85d140 100644
--- a/t/app/controller/admin/permissions.t
+++ b/t/app/controller/admin/permissions.t
@@ -100,6 +100,16 @@ FixMyStreet::override_config {
 }
 }

+ subtest "Users can't edit users of their own council without permission" => sub {
+ $mech->get_ok("/admin/user_edit/$user2_id");
+ $mech->submit_form_ok( { with_fields => {
+ email => $user2->email,
+ } } );
+ $user2->discard_changes;
+ # Make sure we haven't lost the from_body info
+ is $user2->from_body->id, $oxfordshire->id;
+ };
+
 $oxfordshireuser->user_body_permissions->create({
 body => $oxfordshire,
 permission_type => 'user_assign_body',
--
cgit v1.2.3
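Review bot: The final assertion `is $user2->from_body->id, $oxfordshire->id;` calls `->id` on whatever `from_body` returns, so in the exact regression it guards against (from_body cleared by the edit) the script would die with a method-on-undef error instead of reporting a failed test, and the check has no description. Putting `ok $user2->from_body, 'from_body kept after edit without user_assign_body';` before it, and giving the `is` a description as well, would make a privilege-boundary regression show up as a named failure. The subtest title "Users can't edit users of their own council without permission" also appears not to match what is exercised, since the commit message describes a permitted edit by a user_edit holder that must leave the body assignment intact; a title naming from_body would be easier to triage. The enclosing `FixMyStreet::override_config` block starts and ends outside the hunk, so which user is logged in at this point cannot be confirmed from here.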