-rw-r--r--app/controllers/request_controller.rb7
-rw-r--r--spec/controllers/request_controller_spec.rb14
2 files changed, 21 insertions, 0 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index f36381c51..8f5eac85c 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -490,6 +490,13 @@ class RequestController < ApplicationController
def describe_state_requires_admin
@info_request = InfoRequest.find_by_url_title!(params[:url_title])
+ # If this is an external request, go to the request page - we don't allow
+ # state change from the front end interface.
+ if @info_request.is_external?
+ redirect_to request_url(@info_request)
+ return
+ end
+
unless Ability::can_update_request_state?(authenticated_user, @info_request)
# If we got here this is always going to be false
authenticated_as_user?(@info_request.user,
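Review bot: The external-request guard in `describe_state_requires_admin` is enforced only in this one action, while its comment states a broader rule ("we don't allow state change from the front end interface"). Any other action that can reach `set_described_state` would need the same check; none are visible in this hunk, so either confirm that or move the rule into `Ability::can_update_request_state?` so every caller inherits it. The guard also runs before the authorization check, so anonymous callers are redirected too and the posted `:message` is dropped without feedback. A comment such as `# Runs before the auth check on purpose: external requests are never updated here, whoever is asking.` would make that ordering explicit. The method body continues outside the hunk.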
diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
index 899ce9572..4fd674b53 100644
--- a/spec/controllers/request_controller_spec.rb
+++ b/spec/controllers/request_controller_spec.rb
@@ -1256,6 +1256,20 @@ describe RequestController, "describe_state_requires_admin" do
post_redirect = PostRedirect.get_last_post_redirect
response.should redirect_to(:controller => 'user', :action => 'signin', :token => post_redirect.token)
end
+
+ context "external request" do
+ before (:each) { info_request.should_receive(:is_external?).and_return(true) }
+
+ it "should not set the state" do
+ info_request.should_not_receive(:set_described_state)
+ post :describe_state_requires_admin, :message => "Something weird happened", :url_title => "info_request"
+ end
+
+ it "should redirect to the request page" do
+ post :describe_state_requires_admin, :message => "Something weird happened", :url_title => "info_request"
+ response.should redirect_to request_url(info_request)
+ end
+ end
end
context "logged in" do