-rw-r--r--app/controllers/request_controller.rb29
-rw-r--r--app/views/request/batch_not_allowed.html.erb1
-rw-r--r--app/views/request/select_authorities.html.erb4
-rw-r--r--spec/controllers/request_controller_spec.rb58
4 files changed, 77 insertions, 15 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 70151f43f..11e85764a 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -44,6 +44,20 @@ class RequestController < ApplicationController
end
def select_authorities
+ if !AlaveteliConfiguration::allow_batch_requests
+ raise RouteNotFound.new("Page not enabled")
+ end
+ if !authenticated?(
+ :web => _("To make a batch request"),
+ :email => _("Then you can make a batch request"),
+ :email_subject => _("Make a batch request"),
+ :user_name => "a user who has been authorised to make batch requests")
+ # do nothing - as "authenticated?" has done the redirect to signin page for us
+ return
+ end
+ if !@user.can_make_batch_requests?
+ return render_hidden('request/batch_not_allowed')
+ end
end
def show
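Review bot: The `:user_name` string on the line after `:email_subject` is the only message in the `authenticated?` call not wrapped in `_()`, so it will never be translated while its three siblings are; change it to `:user_name => _("a user who has been authorised to make batch requests"))`. The guard order itself is sound: the feature flag raises `RouteNotFound` before any authentication or user lookup, so a disabled feature is indistinguishable from a missing page, and the `can_make_batch_requests?` authorisation check runs only after `authenticated?` has returned true (that `@user` is populated by `authenticated?` is inferred, not visible in this hunk). On style, the `if !cond` guards read more naturally as `unless AlaveteliConfiguration::allow_batch_requests` and `unless @user.can_make_batch_requests?`, and `raise RouteNotFound.new("Page not enabled")` is conventionally written `raise RouteNotFound, "Page not enabled"`.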
@@ -674,7 +688,7 @@ class RequestController < ApplicationController
end
if !incoming_message.user_can_view?(authenticated_user)
@incoming_message = incoming_message # used by view
- return render_hidden_message
+ return render_hidden('request/hidden_correspondence')
end
# Is this a completely public request that we can cache attachments for
# to be served up without authentication?
@@ -888,19 +902,10 @@ class RequestController < ApplicationController
private
- def render_hidden
- respond_to do |format|
- response_code = 403 # forbidden
- format.html{ render :template => 'request/hidden', :status => response_code }
- format.any{ render :nothing => true, :status => response_code }
- end
- false
- end
-
- def render_hidden_message
+ def render_hidden(template='request/hidden')
respond_to do |format|
response_code = 403 # forbidden
- format.html{ render :template => 'request/hidden_correspondence', :status => response_code }
+ format.html{ render :template => template, :status => response_code }
format.any{ render :nothing => true, :status => response_code }
end
false
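Review bot: `template` is handed straight to `render :template =>` on the `format.html` line, so the safety of the new parameter rests entirely on every caller passing a literal view path; a comment on the signature makes that contract explicit, e.g. `# template: a view path chosen by the calling action; never derive it from request params.` Both callers in this diff (`select_authorities` and the correspondence check in the `show` hunk) pass string literals, so the consolidation is sound as written. On style, the default wants spacing, `def render_hidden(template = 'request/hidden')`, and `format.html{` / `format.any{` want a space before the brace. The method's closing `end` lies outside the hunk.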
diff --git a/app/views/request/batch_not_allowed.html.erb b/app/views/request/batch_not_allowed.html.erb
new file mode 100644
index 000000000..156fa9ae1
--- /dev/null
+++ b/app/views/request/batch_not_allowed.html.erb
@@ -0,0 +1 @@
+<%= _('Users cannot usually make batch requests to multiple authorities at once because we don’t want public authorities to be bombarded with large numbers of inappropriate requests. Please <a href="{{url}}">contact us</a> if you think you have good reason to send the same request to multiple authorities at once.', :url => help_contact_path.html_safe) %>
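Review bot: `help_contact_path.html_safe` marks the interpolated URL as safe HTML before it is substituted for `{{url}}`; a route helper returns a fixed internal path, so either the interpolation already inserts it unescaped and `.html_safe` is redundant, or the interpolation escapes unsafe values and `.html_safe` is the only thing bypassing that escaping for this value. It is worth confirming which applies and, if the former, dropping `.html_safe` so that marking helper output as safe does not become a pattern reused for values that are not fixed routes. The `<a href="{{url}}">` markup sits inside the translatable string and is therefore editable by translators; that appears to follow the project's existing `_()` convention, so this is flagged rather than proposed as a change.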
diff --git a/app/views/request/select_authorities.html.erb b/app/views/request/select_authorities.html.erb
index e69de29bb..80bf93c8c 100644
--- a/app/views/request/select_authorities.html.erb
+++ b/app/views/request/select_authorities.html.erb
@@ -0,0 +1,4 @@
+<% @title = _("Select the authorities to write to") %>
+
+ <h1><%= _('1. Select the authorities') %></h1>
+
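Review bot: The `<h1>` line carries a stray leading space while the `@title` line starts at column 0, and the two `_()` calls mix double and single quotes; settle on one indent and one quote style, e.g. `<h1><%= _("1. Select the authorities") %></h1>`. Beyond the title and heading the view is empty, which the spec in this commit accepts as long as the response is successful; if it is a placeholder for the selection form, an ERB comment such as `<%# TODO: authority selection form %>` would say so rather than leaving an apparently finished page.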
diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
index 1de917bb4..1a95a5ac5 100644
--- a/spec/controllers/request_controller_spec.rb
+++ b/spec/controllers/request_controller_spec.rb
@@ -2511,9 +2511,61 @@ end
describe RequestController, "#select_authorities" do
- it 'should be succesful' do
- get :select_authorities
- response.should be_success
+ context "when batch requests is enabled" do
+
+ before do
+ AlaveteliConfiguration.stub!(:allow_batch_requests).and_return(true)
+ end
+
+ context "when the current user can make batch requests" do
+
+ before do
+ @user = FactoryGirl.create(:user, :can_make_batch_requests => true)
+ end
+
+ it 'should be successful' do
+ get :select_authorities, {}, {:user_id => @user.id}
+ response.should be_success
+ end
+
+ end
+
+ context "when the current user can't make batch requests" do
+
+ render_views
+
+ before do
+ @user = FactoryGirl.create(:user)
+ end
+
+ it 'should return a 403 with an appropriate message' do
+ get :select_authorities, {}, {:user_id => @user.id}
+ response.code.should == '403'
+ response.body.should match("Users cannot usually make batch requests to multiple authorities at once")
+ end
+
+ end
+
+ context 'when there is no logged-in user' do
+
+ it 'should return a redirect to the login page' do
+ get :select_authorities
+ post_redirect = PostRedirect.get_last_post_redirect
+ response.should redirect_to(:controller => 'user', :action => 'signin', :token => post_redirect.token)
+ end
+ end
+
+
+ end
+
+ context "when batch requests is not enabled" do
+
+ it 'should return a 404' do
+ Rails.application.config.stub!(:consider_all_requests_local).and_return(false)
+ get :select_authorities
+ response.code.should == '404'
+ end
+
end
end
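Review bot: The `when batch requests is not enabled` context never stubs `allow_batch_requests`, so its 404 assertion depends on the default value of that setting in the test environment rather than on the condition named in the description; add `before { AlaveteliConfiguration.stub!(:allow_batch_requests).and_return(false) }` to mirror the `and_return(true)` stub in the enabled context. The 403 example only checks the start of the message, which is fine, but `response.body.should match("Users cannot usually ...")` compiles the string into a regex, so `include(...)` states the intent more directly. The two consecutive blank lines before the `end` that closes the enabled context can be collapsed to one.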