3 files changed, 10 insertions, 19 deletions

diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index a018d76c9..e12c408ea 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -682,19 +682,15 @@ class RequestController < ApplicationController
 
     def report_request
         info_request = InfoRequest.find_by_url_title!(params[:url_title])
-        return if !authenticated?(
-                :web => _("To report this FOI request"),
-                :email => _("Then you can report the request '{{title}}'", :title => info_request.title),
-                :email_subject => _("Report an offensive or unsuitable request")
-            )
-
-        if !info_request.attention_requested
+        if !authenticated_user
+            flash[:notice] = _("You need to be logged in to report a request for administrator attention")
+        elsif info_request.attention_requested
+            flash[:notice] = _("This request has already been reported for administrator attention")
+        else
             info_request.set_described_state('attention_requested', @user, "Reason: #{params[:reason]}\n\n#{params[:message]}")
             info_request.attention_requested = true # tells us if attention has ever been requested
             info_request.save!
             flash[:notice] = _("This request has been reported for administrator attention")
-        else
-            flash[:notice] = _("This request has already been reported for administrator attention")
         end
         redirect_to request_url(info_request)
     end
diff --git a/config/routes.rb b/config/routes.rb
index 60e33b3cf..4869990e3 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -59,14 +59,8 @@ Alaveteli::Application.routes.draw do
     match '/upload/request/:url_title' => 'request#upload_response', :as => :upload_response
     match '/request/:url_title/download' => 'request#download_entire_request', :as => :download_entire_request
 
-    # It would be nice to add :conditions => { :method => :post } to this next one,
-    # because it ought not really to be available as a GET request since it changes
-    # the server state. Unfortunately this doesn’t play well with the PostRedirect
-    # mechanism, which assumes all post-login actions are available via GET, so we
-    # refrain.
-    match '/request/:url_title/report' => 'request#report_request', :as => :report
+    match '/request/:url_title/report' => 'request#report_request', :as => :report, :via => :post
     match '/request/:url_title/report/new' => 'request#new_report_request', :as => :new_report_request
-
     ####
 
     #### User controller
diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
index d73fb89c7..260fbb9fa 100644
--- a/spec/controllers/request_controller_spec.rb
+++ b/spec/controllers/request_controller_spec.rb
@@ -2294,9 +2294,10 @@ end
 
 describe RequestController, "when reporting a request when not logged in" do
     it "should only allow logged-in users to report requests" do
-        get :report_request, :url_title => info_requests(:badger_request).url_title
-        post_redirect = PostRedirect.get_last_post_redirect
-        response.should redirect_to(:controller => 'user', :action => 'signin', :token => post_redirect.token)
+        post :report_request, :url_title => info_requests(:badger_request).url_title
+
+        flash[:notice].should =~ /You need to be logged in/
+        response.should redirect_to show_request_path(:url_title => info_requests(:badger_request).url_title)
     end
 end