[Fix #576] When user or gestionnaire has no access to dossier, he cannot create an invitation

app/controllers/invites_controller.rb

@@ -5,11 +5,12 @@ class InvitesController < ApplicationController
     email_sender = @current_devise_profil.email
 
     class_var = @current_devise_profil.class == User ? InviteUser : InviteGestionnaire
+    dossier = @current_devise_profil.dossiers.find(params[:dossier_id])
 
     email = params[:email].downcase
 
     user = User.find_by_email(email)
-    invite = class_var.create(dossier_id: params[:dossier_id], user: user, email: email, email_sender: email_sender)
+    invite = class_var.create(dossier: dossier, user: user, email: email, email_sender: email_sender)
 
     if invite.valid?
       InviteMailer.invite_user(invite).deliver_now!   unless invite.user.nil?

spec/controllers/invites_controller_spec.rb

@@ -1,102 +1,154 @@
 require 'spec_helper'
 
 describe InvitesController, type: :controller do
-  let(:dossier) { create(:dossier) }
+  let(:dossier) { create(:dossier, :replied) }
   let(:email) { 'plop@octo.com' }
 
   describe '#POST create' do
     let(:invite) { Invite.last }
 
     before do
-      sign_in create(:gestionnaire)
+      sign_in signed_in_profile
     end
 
     subject { post :create, params: {dossier_id: dossier.id, email: email} }
 
-    it { expect { subject }.to change(InviteGestionnaire, :count).by(1) }
+    context "when gestionnaire is signed_in" do
+      let(:signed_in_profile) { create(:gestionnaire) }
 
-    context 'when is a user who is loged' do
+      shared_examples_for "he can not create invitation" do
-      before do
+        it { expect { subject }.to raise_error(ActiveRecord::RecordNotFound) }
-        sign_in create(:user)
+        it { expect { subject rescue nil }.to change(InviteGestionnaire, :count).by(0) }
       end
 
-      it { expect { subject }.to change(InviteGestionnaire, :count).by(1) }
+      context 'when gestionnaire has no access to dossier' do
-    end
+        it_behaves_like "he can not create invitation"
-
-    context 'when email is assign to an user' do
-      let! (:user) { create(:user, email: email) }
-
-      before do
-        subject
       end
 
-      describe 'Invite information' do
+      context 'when gestionnaire is invited for avis on dossier' do
-        let(:email) { 'PLIP@octo.com' }
+        before { Avis.create(gestionnaire: signed_in_profile, claimant: create(:gestionnaire), dossier: dossier) }
-        let(:invite) { Invite.last }
 
-        it 'email is on lower case' do
+        it_behaves_like "he can not create invitation"
-          expect(invite.email).to eq 'plip@octo.com'
-        end
       end
 
-      it { expect(invite.user).to eq user }
+      context 'when gestionnaire has access to dossier' do
-      it { expect(flash[:notice]).to be_present }
-    end
-
-    context 'when email is not assign to an user' do
-      before do
-        subject
-      end
-
-      it { expect(invite.user).to be_nil }
-      it { expect(flash[:notice]).to be_present }
-    end
-
-    describe 'not an email' do
-      context 'when email is not valid' do
-        let(:email) { 'plip.com' }
-
         before do
-          subject
+          signed_in_profile.procedures << dossier.procedure
         end
 
-        it { expect { subject }.not_to change(Invite, :count) }
+        it { expect { subject }.to change(InviteGestionnaire, :count).by(1) }
-        it { expect(flash[:alert]).to be_present }
-      end
 
-      context 'when email is already used' do
+        context 'when is a user who is loged' do
-        let!(:invite) { create(:invite, dossier: dossier) }
+          before do
+            sign_in create(:user)
+          end
 
-        before do
+          it { expect { subject }.to change(InviteGestionnaire, :count).by(1) }
-          subject
         end
 
-        it { expect { subject }.not_to change(Invite, :count) }
+        context 'when email is assign to an user' do
-        it { expect(flash[:alert]).to be_present }
+          let! (:user) { create(:user, email: email) }
+
+          before do
+            subject
+          end
+
+          describe 'Invite information' do
+            let(:email) { 'PLIP@octo.com' }
+            let(:invite) { Invite.last }
+
+            it 'email is on lower case' do
+              expect(invite.email).to eq 'plip@octo.com'
+            end
+          end
+
+          it { expect(invite.user).to eq user }
+          it { expect(flash[:notice]).to be_present }
+        end
+
+        context 'when email is not assign to an user' do
+          before do
+            subject
+          end
+
+          it { expect(invite.user).to be_nil }
+          it { expect(flash[:notice]).to be_present }
+        end
+
+        describe 'not an email' do
+          context 'when email is not valid' do
+            let(:email) { 'plip.com' }
+
+            before do
+              subject
+            end
+
+            it { expect { subject }.not_to change(Invite, :count) }
+            it { expect(flash[:alert]).to be_present }
+          end
+
+          context 'when email is already used' do
+            let!(:invite) { create(:invite, dossier: dossier) }
+
+            before do
+              subject
+            end
+
+            it { expect { subject }.not_to change(Invite, :count) }
+            it { expect(flash[:alert]).to be_present }
+          end
+        end
+
+        describe 'send invitation email' do
+          context 'when user does not exist' do
+            it 'send email' do
+              expect(InviteMailer).to receive(:invite_guest).and_return(InviteMailer)
+              expect(InviteMailer).to receive(:deliver_now!)
+
+              subject
+            end
+          end
+
+          context 'when user exist' do
+            before do
+              create :user, email: email
+            end
+
+            it 'send email' do
+              expect(InviteMailer).to receive(:invite_user).and_return(InviteMailer)
+              expect(InviteMailer).to receive(:deliver_now!)
+
+              subject
+            end
+          end
+        end
       end
     end
 
-    describe 'send invitation email' do
+    context "when user is signed_in" do
-      context 'when user does not exist' do
+      let(:signed_in_profile) { create(:user) }
-        it 'send email' do
-          expect(InviteMailer).to receive(:invite_guest).and_return(InviteMailer)
-          expect(InviteMailer).to receive(:deliver_now!)
 
-          subject
+      shared_examples_for "he can not create a invite" do
-        end
+        it { expect { subject }.to raise_error(ActiveRecord::RecordNotFound) }
+        it { expect { subject rescue nil }.to change(InviteUser, :count).by(0) }
       end
 
-      context 'when user exist' do
+      context 'when user has no access to dossier' do
+        it_behaves_like "he can not create a invite"
+      end
+
+      context 'when user is invited on dossier' do
+        before { Invite.create(user: signed_in_profile, email: signed_in_profile.email, dossier: dossier) }
+
+        it_behaves_like "he can not create a invite"
+      end
+
+      context 'when user has access to dossier' do
         before do
-          create :user, email: email
+          dossier.update_attributes(user: signed_in_profile)
         end
 
-        it 'send email' do
+        it { expect { subject }.to change(InviteUser, :count).by(1) }
-          expect(InviteMailer).to receive(:invite_user).and_return(InviteMailer)
-          expect(InviteMailer).to receive(:deliver_now!)
-
-          subject
-        end
       end
     end
   end