author | Matthew Landauer <matthew@openaustralia.org> | 2013-03-04 16:10:23 +1100 |
---|---|---|
committer | Matthew Landauer <matthew@openaustralia.org> | 2013-03-04 16:10:23 +1100 |
commit | 25aad2807e04e2f0bc5dc339140915d6ca8ef3c7 (patch) | |
tree | 4a96536f9cf6a03cc382e2345701951a0359eb67 | |
parent | 65deec2c6a9388d87a66e40a7b3a38adf16af6a4 (diff) |
Don't allow external requests to have their state changed
-rw-r--r-- | app/controllers/request_controller.rb | 7 | ||||
-rw-r--r-- | spec/controllers/request_controller_spec.rb | 14 |
2 files changed, 21 insertions, 0 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index f36381c51..8f5eac85c 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -490,6 +490,13 @@ class RequestController < ApplicationController
 def describe_state_requires_admin
 @info_request = InfoRequest.find_by_url_title!(params[:url_title])
+ # If this is an external request, go to the request page - we don't allow
+ # state change from the front end interface.
+ if @info_request.is_external?
+ redirect_to request_url(@info_request)
+ return
+ end
+
 unless Ability::can_update_request_state?(authenticated_user, @info_request)
 # If we got here this is always going to be false
 authenticated_as_user?(@info_request.user,
diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
index 899ce9572..4fd674b53 100644
--- a/spec/controllers/request_controller_spec.rb
+++ b/spec/controllers/request_controller_spec.rb
@@ -1256,6 +1256,20 @@ describe RequestController, "describe_state_requires_admin" do
 post_redirect = PostRedirect.get_last_post_redirect
 response.should redirect_to(:controller => 'user', :action => 'signin', :token => post_redirect.token)
 end
+
+ context "external request" do
+ before (:each) { info_request.should_receive(:is_external?).and_return(true) }
+
+ it "should not set the state" do
+ info_request.should_not_receive(:set_described_state)
+ post :describe_state_requires_admin, :message => "Something weird happened", :url_title => "info_request"
+ end
+
+ it "should redirect to the request page" do
+ post :describe_state_requires_admin, :message => "Something weird happened", :url_title => "info_request"
+ response.should redirect_to request_url(info_request)
+ end
+ end
 end
 context "logged in" do |
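Review bot: The external-request guard lives in this one controller action rather than in `Ability::can_update_request_state?`, which the very next line already consults, so the policy "external requests cannot have their state changed" is enforced at a single entry point instead of at the authorization layer; if the ordinary `describe_state` action (outside this hunk) also reaches `set_described_state`, it would need the same check, and putting the rule inside `Ability::can_update_request_state?` would cover every caller at once. The early exit also drops the posted `:message` silently, so a user who reaches this URL is redirected with no indication of why; whether that is acceptable depends on how the page is linked, which is not visible here. As a matter of style the six added lines collapse to one guard clause: `return redirect_to(request_url(@info_request)) if @info_request.is_external?`. The body of `describe_state_requires_admin` continues past the end of the hunk.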
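Review bot: `before (:each) { ... }` has a space between the method name and the parenthesis, so Ruby parses `(:each)` as a grouped expression passed to `before` and emits an "interpreted as grouped expression" warning under `-w`; it should read `before(:each) { info_request.should_receive(:is_external?).and_return(true) }`. Because `is_external?` is stubbed on the fixture rather than the fixture being an external request by its own data, these examples verify only that the controller branches on the predicate, not that the predicate is computed correctly for such requests — presumably that is covered in a model spec, which is not visible here. The enclosing `describe RequestController, "describe_state_requires_admin"` block begins before the hunk and the following `context "logged in"` block runs past it.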