New Routes: add new_user/dossier_controller

app/controllers/new_user/dossiers_controller.rb

@@ -0,0 +1,18 @@
+module NewUser
+  class DossiersController < UserController
+    before_action :ensure_ownership!
+
+    private
+
+    def dossier
+      Dossier.find(params[:dossier_id])
+    end
+
+    def ensure_ownership!
+      if dossier.user != current_user
+        flash[:alert] = "Vous n'avez pas accès à ce dossier"
+        redirect_to root_path
+      end
+    end
+  end
+end

spec/controllers/new_user/dossiers_controller_spec.rb

@@ -0,0 +1,46 @@
+require 'spec_helper'
+
+describe NewUser::DossiersController, type: :controller do
+  let(:user) { create(:user) }
+
+  describe 'before_action: ensure_ownership!' do
+    it 'is present' do
+      before_actions = NewUser::DossiersController
+        ._process_action_callbacks
+        .find_all{|process_action_callbacks| process_action_callbacks.kind == :before}
+        .map(&:filter)
+
+      expect(before_actions).to include(:ensure_ownership!)
+    end
+  end
+
+  describe 'ensure_ownership!' do
+    let(:user) { create(:user) }
+
+    before do
+      @controller.params[:dossier_id] = asked_dossier.id
+      expect(@controller).to receive(:current_user).and_return(user)
+      allow(@controller).to receive(:redirect_to)
+
+      @controller.send(:ensure_ownership!)
+    end
+
+    context 'when a user asks for its dossier' do
+      let(:asked_dossier) { create(:dossier, user: user) }
+
+      it 'does not redirects nor flash' do
+        expect(@controller).not_to have_received(:redirect_to)
+        expect(flash.alert).to eq(nil)
+      end
+    end
+
+    context 'when a user asks for another dossier' do
+      let(:asked_dossier) { create(:dossier) }
+
+      it 'redirects and flash' do
+        expect(@controller).to have_received(:redirect_to).with(root_path)
+        expect(flash.alert).to eq("Vous n'avez pas accès à ce dossier")
+      end
+    end
+  end
+end