-rw-r--r--app/controllers/admin_controller.rb7
-rw-r--r--spec/controllers/admin_public_body_controller_spec.rb10
2 files changed, 14 insertions, 3 deletions
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 884d7e540..d8fda9c01 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -47,8 +47,6 @@ class AdminController < ApplicationController
end
end
- private
-
def authenticate
if MySociety::Config.get('SKIP_ADMIN_AUTH', false)
session[:using_admin] = 1
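Review bot: Removing the `private` marker at `- private` turns `authenticate` — and every method defined below it in AdminController — into a public controller method, which Rails will expose as a routable action wherever a route matches the name. The removal seems to exist only so that the `self.authenticate` call added in the second hunk can reach the method, since an explicit `self` receiver cannot invoke a private method on the Ruby versions of this era. Keep `private` and call the method without a receiver, i.e. replace `self.authenticate` with `authenticate` in the second hunk. The re-entry in that hunk also relies on the cleared `session[:user_id]` steering the second pass into the other branch, which is not visible here; a comment such as `# session cleared above, so re-running authenticate takes the non-session path` would make the intent explicit. The `authenticate` method begins in this hunk and continues past both hunks.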
@@ -64,6 +62,11 @@ class AdminController < ApplicationController
if !@user.nil? && @user.admin_level == "super"
session[:using_admin] = 1
request.env['REMOTE_USER'] = @user.url_name
+ else
+
+ session[:using_admin] = nil
+ session[:user_id] = nil
+ self.authenticate
end
end
else
diff --git a/spec/controllers/admin_public_body_controller_spec.rb b/spec/controllers/admin_public_body_controller_spec.rb
index 171cb21b5..55a6649b2 100644
--- a/spec/controllers/admin_public_body_controller_spec.rb
+++ b/spec/controllers/admin_public_body_controller_spec.rb
@@ -146,7 +146,15 @@ describe AdminPublicBodyController, "when administering public bodies and paying
session[:using_admin].should == 1
end
-
+ it "doesn't allow non-superusers to do stuff" do
+ session[:user_id] = users(:robin_user).id
+ @request.env["HTTP_AUTHORIZATION"] = ""
+ n = PublicBody.count
+ post :destroy, { :id => public_bodies(:forlorn_public_body).id }
+ response.should redirect_to(:controller=>'user', :action=>'signin', :token=>PostRedirect.get_last_post_redirect.token)
+ PublicBody.count.should == n
+ session[:using_admin].should == nil
+ end
end
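Review bot: The new example asserts `session[:using_admin].should == nil` but not `session[:user_id]`, which the controller change also clears for a non-superuser; adding `session[:user_id].should == nil` after it would pin that part of the behaviour too. The enclosing `describe` block starts before this hunk.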
describe AdminPublicBodyController, "when administering public bodies with i18n" do