DGNum/demarches-normaliennes
15
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

policies: fix champ policy for guest users

Browse source
This commit is contained in:
Pierre de La Morinerie 2020-04-01 16:10:45 +02:00
parent c17ceb4440
commit 059e11601b
2 changed files with 21 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
app/policies/champ_policy.rb
View file

@ -6,13 +6,25 @@ class ChampPolicy < ApplicationPolicy
end end
# The join must be the same for all elements of the WHERE clause. # The join must be the same for all elements of the WHERE clause.
#
# NB: here we want to do `.left_outer_joins(dossier: [:invites, { :groupe_instructeur: :instructeurs }]))`,
# but for some reasons ActiveRecord <= 5.2 generates bogus SQL. Hence the manual version of it below.
joined_scope = scope joined_scope = scope
.left_outer_joins(dossier: { groupe_instructeur: [:instructeurs] }) .joins('LEFT OUTER JOIN dossiers ON dossiers.id = champs.dossier_id')
.joins('LEFT OUTER JOIN invites ON invites.dossier_id = dossiers.id')
.joins('LEFT OUTER JOIN groupe_instructeurs ON groupe_instructeurs.id = dossiers.groupe_instructeur_id')
.joins('LEFT OUTER JOIN assign_tos ON assign_tos.groupe_instructeur_id = groupe_instructeurs.id')
.joins('LEFT OUTER JOIN instructeurs ON instructeurs.id = assign_tos.instructeur_id')
# Users can access public champs on their own dossiers. # Users can access public champs on their own dossiers.
resolved_scope = joined_scope resolved_scope = joined_scope
.where('dossiers.user_id': user.id, private: false) .where('dossiers.user_id': user.id, private: false)
# Invited users can access public champs on dossiers they are invited to
invite_clause = joined_scope
.where('invites.user_id': user.id, private: false)
resolved_scope = resolved_scope.or(invite_clause)
if instructeur.present? if instructeur.present?
# Additionnaly, instructeurs can access private champs # Additionnaly, instructeurs can access private champs
# on dossiers they are allowed to instruct. # on dossiers they are allowed to instruct.

8
spec/policies/champ_policy_spec.rb
View file

@ -35,6 +35,14 @@ describe ChampPolicy do
it_behaves_like 'they cant access a private champ' it_behaves_like 'they cant access a private champ'
end end
context 'as a person invited on the dossier' do
let(:invite) { create(:invite, :with_user, dossier: dossier) }
let(:signed_in_user) { invite.user }
it_behaves_like 'they can access a public champ'
it_behaves_like 'they cant access a private champ'
end
context 'as another user' do context 'as another user' do
let(:signed_in_user) { create(:user) } let(:signed_in_user) { create(:user) }