From 1d0734dda250ae7041b0f477ec11216a5e02d58d Mon Sep 17 00:00:00 2001
From: Mathieu Magnin
Date: Thu, 20 Jul 2017 14:44:54 +0200
Subject: [PATCH] Admin should be owner of procedure to hide it
---
 .../admin/procedures_controller.rb | 2 +-
 .../admin/procedures_controller_spec.rb | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/app/controllers/admin/procedures_controller.rb b/app/controllers/admin/procedures_controller.rb
index a45d358e5..0da920bd1 100644
--- a/app/controllers/admin/procedures_controller.rb
+++ b/app/controllers/admin/procedures_controller.rb
@@ -43,7 +43,7 @@ class Admin::ProceduresController < AdminController
 end
 def hide
- procedure = Procedure.find(params[:id])
+ procedure = current_administrateur.procedures.find(params[:id])
 procedure.hide!
 flash.notice = "Procédure supprimée, en cas d'erreur contactez nous : contact@tps.apientreprise.fr"
diff --git a/spec/controllers/admin/procedures_controller_spec.rb b/spec/controllers/admin/procedures_controller_spec.rb
index c2bfd9ee7..8426df604 100644
--- a/spec/controllers/admin/procedures_controller_spec.rb
+++ b/spec/controllers/admin/procedures_controller_spec.rb
@@ -535,4 +535,25 @@ describe Admin::ProceduresController, type: :controller do
 end
 end
 end
+
+ describe "POST hide" do
+ subject { post :hide, params: { id: procedure.id } }
+
+ context "when procedure is not owned by administrateur" do
+ let!(:procedure) { create :procedure, administrateur: create(:administrateur) }
+
+ it { expect{ subject }.to raise_error(ActiveRecord::RecordNotFound) }
+ end
+
+ context "when procedure is owned by administrateur" do
+ let!(:procedure) { create :procedure, administrateur: admin }
+
+ before do
+ subject
+ procedure.reload
+ end
+
+ it { expect(procedure.hidden_at).to_not eq nil }
+ end
+ end
 end
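Review bot: The scoped lookup in `hide` is the only authorization check on this action, yet nothing on the line says so, so a later cleanup could revert it to `Procedure.find(params[:id])` without anyone noticing the loss. I would add a comment above it such as `# Load through the owner's association: an id belonging to another administrateur must raise RecordNotFound, never reach hide!`. The rest of the controller is outside this hunk, so it is not visible whether the other member actions load their record the same way; if any still use the unscoped finder, a single private finder shared by all of them would keep the ownership rule in one place. The body of `hide` also continues past the last line shown here.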
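Review bot: The "not owned" context asserts only that `ActiveRecord::RecordNotFound` is raised, so it would still pass if a future change raised the error after `hide!` had already run. A second example in that context should rescue the error and then check the record itself, with `expect(procedure.reload.hidden_at).to be_nil`, so the test pins the state the fix protects and not just the exception. As a point of style, `expect(procedure.hidden_at).to_not eq nil` in the "owned" context reads more directly as `expect(procedure.hidden_at).not_to be_nil`. The `admin` helper and the sign-in setup these examples rely on are defined outside the hunk, so I am assuming the foreign procedure's owner really is a different record from the signed-in `admin`.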