From 888bbee0977e45bc72db39b699c20d3e293c1aee Mon Sep 17 00:00:00 2001
From: simon lehericey <simon.lehericey@gmail.com>
Date: Fri, 12 Oct 2018 12:11:43 +0200
Subject: [PATCH] [fix #2818] DossierController: ensure save_draft is
 authorized

---
 app/controllers/new_user/dossiers_controller.rb       | 2 +-
 spec/controllers/new_user/dossiers_controller_spec.rb | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/app/controllers/new_user/dossiers_controller.rb b/app/controllers/new_user/dossiers_controller.rb
index 83fe993a8..0aff4993d 100644
--- a/app/controllers/new_user/dossiers_controller.rb
+++ b/app/controllers/new_user/dossiers_controller.rb
@@ -264,7 +264,7 @@ module NewUser
     end
 
     def save_draft?
-      params[:save_draft]
+      dossier.brouillon? && params[:save_draft]
     end
   end
 end
diff --git a/spec/controllers/new_user/dossiers_controller_spec.rb b/spec/controllers/new_user/dossiers_controller_spec.rb
index 4aa0292bf..361386ddc 100644
--- a/spec/controllers/new_user/dossiers_controller_spec.rb
+++ b/spec/controllers/new_user/dossiers_controller_spec.rb
@@ -355,6 +355,13 @@ describe NewUser::DossiersController, type: :controller do
         it { expect(response).to render_template(:brouillon) }
         it { expect(flash.notice).to eq('Votre brouillon a bien été sauvegardé.') }
         it { expect(dossier.reload.state).to eq(Dossier.states.fetch(:brouillon)) }
+
+        context 'and the dossier is in construction' do
+          let!(:dossier) { create(:dossier, :en_construction, user: user) }
+
+          it { expect(response).to render_template(:brouillon) }
+          it { expect(flash.alert).to eq(['Le champ l doit être rempli.', 'pj']) }
+        end
       end
     end