-rw-r--r-- | app/controllers/request_controller.rb | 2 | ||||
-rw-r--r-- | spec/controllers/request_controller_spec.rb | 14 |
2 files changed, 15 insertions, 1 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 74a310712..1698635e8 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -507,7 +507,7 @@ class RequestController < ApplicationController
 def describe_state_requires_admin
 @info_request = InfoRequest.find_by_url_title!(params[:url_title])
- if !authenticated?(
+ if !authenticated_as_user?(@info_request.user,
 :web => _("To classify the response to this FOI request"),
 :email => _("Then you can classify the FOI response you have got from ") + @info_request.public_body.name + ".",
 :email_subject => _("Classify an FOI response from ") + @info_request.public_body.name)
diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
index be9df90c4..6adba4464 100644
--- a/spec/controllers/request_controller_spec.rb
+++ b/spec/controllers/request_controller_spec.rb
@@ -1254,6 +1254,20 @@ describe RequestController, "describe_state_requires_admin" do
 end
 end
+ context "logged in but not owner of request" do
+ it "should not allow you to change the state" do
+ info_request = info_requests(:fancy_dog_request)
+ session[:user_id] = users(:silly_name_user).id
+ info_request.user_id.should_not == users(:silly_name_user).id
+ InfoRequest.should_receive(:find_by_url_title!).with("info_request").and_return(info_request)
+ info_request.should_not_receive(:set_described_state)
+ post :describe_state_requires_admin, :message => "Something weird happened", :url_title => "info_request"
+ response.should render_template('user/wrong_user')
+ end
+ end
+
 context "logged out" do
 it "should redirect to the login page" do
 info_request = info_requests(:fancy_dog_request) |
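Review bot: The added condition `if !authenticated_as_user?(@info_request.user, …` now gates the state change on the request's owner rather than on any signed-in user, which is the authorization check this action needed, but nothing in the method says so and the name `describe_state_requires_admin` suggests a different rule; a comment above the `if` such as `# Only the owner of @info_request may classify its response; any other signed-in user is turned away (see the user/wrong_user spec)` would keep the next reader from loosening it back to `authenticated?`. The first argument is `@info_request.user`; if a request can exist without an owning user, what `authenticated_as_user?` does with `nil` there should be confirmed rather than assumed, since that decides whether such requests become classifiable by anyone or by no one. Stylistically, `unless authenticated_as_user?(@info_request.user,` reads better than the negated `if`. The body of describe_state_requires_admin continues past the end of the hunk.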
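Review bot: The new "logged in but not owner of request" context pins only the rejection side of the ownership check: `info_request.should_not_receive(:set_described_state)` is what actually proves the state is untouched, since `find_by_url_title!` is stubbed to return the fixture, and `render_template('user/wrong_user')` fixes the response. The hunk adds no example for the owner being allowed through, nor for a request whose `user` is nil; if those are not already among the contexts above the hunk (the two leading `end` lines show earlier contexts exist but they are outside this view), they should be added alongside this one so the new `authenticated_as_user?` call is exercised on both sides. The `it` description could also name the observable outcome, e.g. `it "should render the wrong_user page and leave the state unchanged"`, so a future failure reads clearly.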