From 25aad2807e04e2f0bc5dc339140915d6ca8ef3c7 Mon Sep 17 00:00:00 2001
From: Matthew Landauer
Date: Mon, 4 Mar 2013 16:10:23 +1100
Subject: Don't allow external requests to have their state changed
---
 app/controllers/request_controller.rb | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'app/controllers/request_controller.rb')
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index f36381c51..8f5eac85c 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -490,6 +490,13 @@ class RequestController < ApplicationController
 
 def describe_state_requires_admin
 @info_request = InfoRequest.find_by_url_title!(params[:url_title])
+ # If this is an external request, go to the request page - we don't allow
+ # state change from the front end interface.
+ if @info_request.is_external?
+ redirect_to request_url(@info_request)
+ return
+ end
+
 unless Ability::can_update_request_state?(authenticated_user, @info_request)
 # If we got here this is always going to be false
 authenticated_as_user?(@info_request.user,
-- 
cgit v1.2.3
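Review bot: The external-request guard is written inline in `describe_state_requires_admin`, so the rule in the subject line holds only for actions that each repeat it; the hunk does not show whether the action that actually writes the new state carries the same check. Consider moving the check into a controller filter listed against every state-changing action, so that a new action is covered by default rather than by copy-paste. A controller spec asserting that an external request is redirected and its state left untouched would pin this down; the diffstat shown is limited to this one path, so such a spec may already exist elsewhere in the commit. If the inline form stays, it fits on one line: `return redirect_to(request_url(@info_request)) if @info_request.is_external?`. The method body continues past the end of the hunk.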