author | Louise Crow <louise.crow@gmail.com> | 2012-08-23 12:53:09 +0100 |
---|---|---|
committer | Louise Crow <louise.crow@gmail.com> | 2012-08-23 12:53:09 +0100 |
commit | 5ea789aea8461533d13a2d198cbdec12accdc23b (patch) | |
tree | fde639c70df9100940701f39bc26ef1ca0957cd0 /app/controllers/request_controller.rb | |
parent | 6f797828728daa8971c5baec13d6530373c8260d (diff) |
Don't allow status updates on external requests from the front end interface (they can still be changed from the admin interface).
Final part of fix for #562.
Diffstat (limited to 'app/controllers/request_controller.rb')
-rw-r--r-- | app/controllers/request_controller.rb | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 540ed5f3d..6e983a014 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -77,7 +77,13 @@ class RequestController < ApplicationController @info_request_events = @info_request.info_request_events @status = @info_request.calculate_status @collapse_quotes = params[:unfold] ? false : true - @update_status = params[:update_status] ? true : false + + # Don't allow status update on external requests, otherwise accept param + if @info_request.is_external? + @update_status = false + else + @update_status = params[:update_status] ? true : false + end @old_unclassified = @info_request.is_old_unclassified? && !authenticated_user.nil? @is_owning_user = @info_request.is_owning_user?(authenticated_user) @@ -378,6 +384,13 @@ class RequestController < ApplicationController return end + # If this is an external request, go to the request page - we don't allow + # state change from the front end interface. + if @info_request.is_external? + redirect_to request_url(@info_request) + return + end + @is_owning_user = @info_request.is_owning_user?(authenticated_user) @last_info_request_event_id = @info_request.last_event_id_needing_description @old_unclassified = @info_request.is_old_unclassified? && !authenticated_user.nil? |
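Review bot: The comment above the new `if @info_request.is_external?` branch in the first hunk should state that `@update_status` is a display flag, not the access control. From the lines shown it appears only to decide whether the status form is offered, and the rejection itself is the guard added in the second hunk. I would word it as `# Display only: hides the status form for external requests; the state-change action rejects them itself.` so that a later refactor does not drop the server-side guard in the belief that this branch covers it. The enclosing action starts and ends outside the hunk, so any other use of the flag is not visible here.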
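Review bot: The `is_external?` guard in the second hunk is the enforcement point, but it rejects a state change silently: `redirect_to request_url(@info_request)` sets no flash message and nothing is logged. A submission that bypasses the hidden form therefore leaves no trace, and a legitimate user gets no explanation. Consider adding a log line before the redirect, for example `logger.info("Rejected front-end state change on external request #{@info_request.id}")`, and a short flash notice. The diffstat is limited to this file, so I cannot tell whether a controller test covers it; one should assert that a submission to this action for an external request leaves the described state unchanged. The method begins before the hunk, so whether anything state-changing runs ahead of the guard should be confirmed against the full file.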