-rw-r--r-- | app/controllers/request_controller.rb | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index c382a55f1..24dbbeba0 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -9,8 +9,8 @@ require 'zip/zip'
require 'open-uri'
class RequestController < ApplicationController
- before_filter :check_read_only, :only => [ :new, :show_response, :describe_state, :upload_response ]
- protect_from_forgery :only => [ :new, :show_response, :describe_state, :upload_response ] # See ActionController::RequestForgeryProtection for details
+ before_filter :check_read_only, :only => [ :new, :show_response, :describe_state, :describe_state_requires_admin, :upload_response ]
+ protect_from_forgery :only => [ :new, :show_response, :describe_state, :describe_state_requires_admin, :upload_response ] # See ActionController::RequestForgeryProtection for details
MAX_RESULTS = 500
PER_PAGE = 25
@@ -506,6 +506,19 @@ class RequestController < ApplicationController
def describe_state_requires_admin
@info_request = InfoRequest.find(params[:id])
+
+ # Check authenticated. We check is_owning_user
+ # to get admin overrides (see is_owning_user? above)
+ if !@info_request.is_owning_user?(authenticated_user) &&
+ !authenticated_as_user?(@info_request.user,
+ :web => _("To classify the response to this FOI request"),
+ :email => _("Then you can classify the FOI response you have got from ") + @info_request.public_body.name + ".",
+ :email_subject => _("Classify an FOI response from ") + @info_request.public_body.name
+ )
+ # do nothing - as "authenticated?" has done the redirect to signin page for us
+ return
+ end
+
@info_request.set_described_state("requires_admin", nil, params[:message])
end |
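Review bot: The `:email` and `:email_subject` strings in the new guard are built by concatenating a translated fragment with `@info_request.public_body.name`, which leaves translators unable to reorder the sentence around the name; if the project's `_` helper supports placeholders, prefer a single translatable string with the name substituted in, e.g. `_("Classify an FOI response from {{public_body_name}}")` resolved against the body name, for both keys. The comment `# do nothing - as "authenticated?" has done the redirect to signin page for us` names a different method than the one actually called — suggest `# do nothing - authenticated_as_user? has already redirected to the sign-in page`. The guard correctly runs before `set_described_state`, so the state change is only reachable by the owning user (or an admin override via is_owning_user?) or a user who passed authenticated_as_user?, and with `describe_state_requires_admin` now listed in `protect_from_forgery` the action is also CSRF-checked. The sibling `describe_state` presumably carries an identical authentication block (this one mentions "see is_owning_user? above"); if so, a private helper such as `authenticated_to_classify?(@info_request)` would keep the two checks from drifting. The whole of `describe_state_requires_admin` is visible in this hunk.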