Don't allow external requests to have their state changed

author: Matthew Landauer <matthew@openaustralia.org> 2013-03-04 16:10:23 +1100
committer: Matthew Landauer <matthew@openaustralia.org> 2013-03-04 16:10:23 +1100
commit: 25aad2807e04e2f0bc5dc339140915d6ca8ef3c7 (patch)
tree: 4a96536f9cf6a03cc382e2345701951a0359eb67 /app/controllers/request_controller.rb
parent: 65deec2c6a9388d87a66e40a7b3a38adf16af6a4 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index f36381c51..8f5eac85c 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -490,6 +490,13 @@ class RequestController < ApplicationController
     def describe_state_requires_admin
         @info_request = InfoRequest.find_by_url_title!(params[:url_title])
 
+        # If this is an external request, go to the request page - we don't allow
+        # state change from the front end interface.
+        if @info_request.is_external?
+            redirect_to request_url(@info_request)
+            return
+        end
+
         unless Ability::can_update_request_state?(authenticated_user, @info_request)
             # If we got here this is always going to be false
             authenticated_as_user?(@info_request.user,
author	Matthew Landauer <matthew@openaustralia.org>	2013-03-04 16:10:23 +1100
committer	Matthew Landauer <matthew@openaustralia.org>	2013-03-04 16:10:23 +1100
commit	25aad2807e04e2f0bc5dc339140915d6ca8ef3c7 (patch)
tree	4a96536f9cf6a03cc382e2345701951a0359eb67 /app/controllers/request_controller.rb
parent	65deec2c6a9388d87a66e40a7b3a38adf16af6a4 (diff)