[Fix #576] When user or gestionnaire has no access to dossier, he cannot create an invitation

2017-07-10 14:44:26 +02:00 · 2017-07-10 14:44:26 +02:00 · 065719ea06
commit 065719ea06
parent fa4ade0872
2 changed files with 116 additions and 63 deletions
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -5,11 +5,12 @@ class InvitesController < ApplicationController
    email_sender = @current_devise_profil.email

    class_var = @current_devise_profil.class == User ? InviteUser : InviteGestionnaire
+    dossier = @current_devise_profil.dossiers.find(params[:dossier_id])

    email = params[:email].downcase

    user = User.find_by_email(email)
-    invite = class_var.create(dossier_id: params[:dossier_id], user: user, email: email, email_sender: email_sender)
+    invite = class_var.create(dossier: dossier, user: user, email: email, email_sender: email_sender)

    if invite.valid?
      InviteMailer.invite_user(invite).deliver_now!   unless invite.user.nil?
--- a/spec/controllers/invites_controller_spec.rb
+++ b/spec/controllers/invites_controller_spec.rb
@ -1,18 +1,41 @@
 require 'spec_helper'

 describe InvitesController, type: :controller do
-  let(:dossier) { create(:dossier) }
+  let(:dossier) { create(:dossier, :replied) }
  let(:email) { 'plop@octo.com' }

  describe '#POST create' do
    let(:invite) { Invite.last }

    before do
-      sign_in create(:gestionnaire)
+      sign_in signed_in_profile
    end

    subject { post :create, params: {dossier_id: dossier.id, email: email} }

+    context "when gestionnaire is signed_in" do
+      let(:signed_in_profile) { create(:gestionnaire) }
+
+      shared_examples_for "he can not create invitation" do
+        it { expect { subject }.to raise_error(ActiveRecord::RecordNotFound) }
+        it { expect { subject rescue nil }.to change(InviteGestionnaire, :count).by(0) }
+      end
+
+      context 'when gestionnaire has no access to dossier' do
+        it_behaves_like "he can not create invitation"
+      end
+
+      context 'when gestionnaire is invited for avis on dossier' do
+        before { Avis.create(gestionnaire: signed_in_profile, claimant: create(:gestionnaire), dossier: dossier) }
+
+        it_behaves_like "he can not create invitation"
+      end
+
+      context 'when gestionnaire has access to dossier' do
+        before do
+          signed_in_profile.procedures << dossier.procedure
+        end
+
        it { expect { subject }.to change(InviteGestionnaire, :count).by(1) }

        context 'when is a user who is loged' do
@ -100,4 +123,33 @@ describe InvitesController, type: :controller do
          end
        end
      end
+    end
+
+    context "when user is signed_in" do
+      let(:signed_in_profile) { create(:user) }
+
+      shared_examples_for "he can not create a invite" do
+        it { expect { subject }.to raise_error(ActiveRecord::RecordNotFound) }
+        it { expect { subject rescue nil }.to change(InviteUser, :count).by(0) }
+      end
+
+      context 'when user has no access to dossier' do
+        it_behaves_like "he can not create a invite"
+      end
+
+      context 'when user is invited on dossier' do
+        before { Invite.create(user: signed_in_profile, email: signed_in_profile.email, dossier: dossier) }
+
+        it_behaves_like "he can not create a invite"
+      end
+
+      context 'when user has access to dossier' do
+        before do
+          dossier.update_attributes(user: signed_in_profile)
+        end
+
+        it { expect { subject }.to change(InviteUser, :count).by(1) }
+      end
+    end
+  end
 end