From 6be048030b5235c574005ddb9c42583d460535c1 Mon Sep 17 00:00:00 2001
From: Andrew Williams <andy@tensixtyone.com>
Date: Fri, 27 May 2011 11:51:32 +0100
Subject: [PATCH] Stop apps from changing status that shouldnt be allowed

---
 app/hr/views.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/app/hr/views.py b/app/hr/views.py
index e50640e..0f0034c 100644
--- a/app/hr/views.py
+++ b/app/hr/views.py
@@ -187,11 +187,12 @@ def update_application(request, applicationid, status):
 
     app = get_object_or_404(Application, id=applicationid)
 
-    perm = check_permissions(request.user, app)
-    if perm == HR_ADMIN or (perm == HR_VIEWONLY and int(status) <= 1):
-        if not app.status == status:
-            app.status = status
-            app.save(user=request.user)
+    if not app.status in [APPLICATION_STATUS_REJECTED, APPLICATION_STATUS_COMPLETED]:
+        perm = check_permissions(request.user, app)
+        if perm == HR_ADMIN or (perm == HR_VIEWONLY and int(status) <= 1):
+            if not app.status == status:
+                app.status = status
+                app.save(user=request.user)
     return HttpResponseRedirect(reverse('hr.views.view_application', args=[applicationid]))
 
 @login_required