experts: protect password update as well as sign-up

2021-06-29 12:42:18 +02:00 · 2021-06-29 12:42:18 +02:00 · 1faf91bdbe
commit 1faf91bdbe
parent 6f7a2fde57
2 changed files with 13 additions and 4 deletions
--- a/app/controllers/experts/avis_controller.rb
+++ b/app/controllers/experts/avis_controller.rb
@ -4,7 +4,7 @@ module Experts

    before_action :authenticate_expert!, except: [:sign_up, :update_expert]
    before_action :check_if_avis_revoked, only: [:show]
-    before_action :redirect_if_no_sign_up_needed, only: [:sign_up]
+    before_action :redirect_if_no_sign_up_needed, only: [:sign_up, :update_expert]
    before_action :set_avis_and_dossier, only: [:show, :instruction, :messagerie, :create_commentaire, :update]

    A_DONNER_STATUS = 'a-donner'
@ -127,11 +127,9 @@ module Experts

      if current_expert.present?
        # an expert is authenticated ... lets see if it can view the dossier
-
        redirect_to expert_avis_url(avis.procedure, avis)
-
      elsif avis.expert&.email == params[:email] && avis.expert.user.active?.present?
-
+        # The expert already used the sign-in page to change their password: ask them to sign-in instead.
        redirect_to new_user_session_url
      end
    end
--- a/spec/controllers/experts/avis_controller_spec.rb
+++ b/spec/controllers/experts/avis_controller_spec.rb
@ -367,6 +367,17 @@ describe Experts::AvisController, type: :controller do

        it { is_expected.to redirect_to expert_all_avis_path }
      end
+
+      context 'when the expert has already signed up' do
+        before { expert.user.update(last_sign_in_at: Time.zone.now) }
+
+        it 'doesn’t change the expert password' do
+          subject
+          expect(expert.user.reload.valid_password?('my-s3cure-p4ssword')).to be false
+        end
+
+        it { is_expected.to redirect_to new_user_session_url }
+      end
    end
  end
 end