policies: fix champ policy for guest users

2020-04-01 16:10:45 +02:00 · 2020-04-01 16:10:45 +02:00 · 059e11601b
commit 059e11601b
parent c17ceb4440
2 changed files with 21 additions and 1 deletions
--- a/app/policies/champ_policy.rb
+++ b/app/policies/champ_policy.rb
@ -6,13 +6,25 @@ class ChampPolicy < ApplicationPolicy
      end

      # The join must be the same for all elements of the WHERE clause.
+      #
+      # NB: here we want to do `.left_outer_joins(dossier: [:invites, { :groupe_instructeur: :instructeurs }]))`,
+      # but for some reasons ActiveRecord <= 5.2 generates bogus SQL. Hence the manual version of it below.
      joined_scope = scope
-        .left_outer_joins(dossier: { groupe_instructeur: [:instructeurs] })
+        .joins('LEFT OUTER JOIN dossiers ON dossiers.id = champs.dossier_id')
+        .joins('LEFT OUTER JOIN invites ON invites.dossier_id = dossiers.id')
+        .joins('LEFT OUTER JOIN groupe_instructeurs ON groupe_instructeurs.id = dossiers.groupe_instructeur_id')
+        .joins('LEFT OUTER JOIN assign_tos ON assign_tos.groupe_instructeur_id = groupe_instructeurs.id')
+        .joins('LEFT OUTER JOIN instructeurs ON instructeurs.id = assign_tos.instructeur_id')

      # Users can access public champs on their own dossiers.
      resolved_scope = joined_scope
        .where('dossiers.user_id': user.id, private: false)

+      # Invited users can access public champs on dossiers they are invited to
+      invite_clause = joined_scope
+        .where('invites.user_id': user.id, private: false)
+      resolved_scope = resolved_scope.or(invite_clause)
+
      if instructeur.present?
        # Additionnaly, instructeurs can access private champs
        # on dossiers they are allowed to instruct.
--- a/spec/policies/champ_policy_spec.rb
+++ b/spec/policies/champ_policy_spec.rb
@ -35,6 +35,14 @@ describe ChampPolicy do
      it_behaves_like 'they can’t access a private champ'
    end

+    context 'as a person invited on the dossier' do
+      let(:invite) { create(:invite, :with_user, dossier: dossier) }
+      let(:signed_in_user) { invite.user }
+
+      it_behaves_like 'they can access a public champ'
+      it_behaves_like 'they can’t access a private champ'
+    end
+
    context 'as another user' do
      let(:signed_in_user) { create(:user) }