From 3a06c0b87038e5a36b6d00744cd43300a63b15ad Mon Sep 17 00:00:00 2001
From: Xavier J
Date: Fri, 9 Oct 2015 14:43:19 +0200
Subject: [PATCH] secure description and carte page with only log user access
---
 app/controllers/users/carte_controller.rb | 2 +-
 app/controllers/users/description_controller.rb | 2 +-
 config/routes.rb | 4 ++--
 spec/controllers/users/carte_controller_spec.rb | 16 ++++++++++++++++
 .../{ => users}/description_controller_spec.rb | 16 ++++++++++++++++
 spec/features/datepicker_spec.rb | 6 ++++++
 .../upload_piece_justificative_spec.rb | 7 +++++++
 7 files changed, 49 insertions(+), 4 deletions(-)
 rename spec/controllers/{ => users}/description_controller_spec.rb (96%)
diff --git a/app/controllers/users/carte_controller.rb b/app/controllers/users/carte_controller.rb
index 67cd3498b..246eca252 100644
--- a/app/controllers/users/carte_controller.rb
+++ b/app/controllers/users/carte_controller.rb
@@ -1,4 +1,4 @@
-class Users::CarteController < ApplicationController
+class Users::CarteController < UsersController
 include DossierConcern
 def show
diff --git a/app/controllers/users/description_controller.rb b/app/controllers/users/description_controller.rb
index 4992f861f..0e32da2a1 100644
--- a/app/controllers/users/description_controller.rb
+++ b/app/controllers/users/description_controller.rb
@@ -1,4 +1,4 @@
-class Users::DescriptionController < ApplicationController
+class Users::DescriptionController < UsersController
 def show
 @dossier = Dossier.find(params[:dossier_id])
 @dossier = @dossier.decorate
diff --git a/config/routes.rb b/config/routes.rb
index 543666206..9b767f907 100644
--- a/config/routes.rb
+++ b/config/routes.rb
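Review bot: In app/controllers/users/description_controller.rb, `show` still loads the record with `Dossier.find(params[:dossier_id])`, so the lookup is not tied to the signed-in user and any account can open another user's dossier by changing the id. Inheriting from UsersController presumably adds the login requirement (its body is not part of this patch), but that is authentication only. Scope the lookup to the owner, e.g. `@dossier = Dossier.where(user: current_user).find(params[:dossier_id])`, assuming the `user` association that the specs' `dossier.user` implies. Users::CarteController loads its dossier outside its hunk (likely through DossierConcern) and should get the same ownership check. The body of `show` continues past the end of the hunk.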
@@ -23,8 +23,8 @@ Rails.application.routes.draw do
 get '/recapitulatif' => 'recapitulatif#show'
 post '/recapitulatif/propose' => 'recapitulatif#propose'
 post '/recapitulatif/depose' => 'recapitulatif#depose'
- get '/demande' => 'demandes#show'
- post '/demande' => 'demandes#update'
+ # get '/demande' => 'demandes#show'
+ # post '/demande' => 'demandes#update'
 post '/commentaire' => 'commentaires#create'
 get '/carte/position' => 'carte#get_position'
diff --git a/spec/controllers/users/carte_controller_spec.rb b/spec/controllers/users/carte_controller_spec.rb
index fa1241243..89d20b6e2 100644
--- a/spec/controllers/users/carte_controller_spec.rb
+++ b/spec/controllers/users/carte_controller_spec.rb
@@ -11,7 +11,23 @@ RSpec.describe Users::CarteController, type: :controller do
 let(:ref_dossier_carto) { 'IATRQPQY' }
 let(:adresse) { etablissement.adresse }
+ before do
+ sign_in dossier.user
+ end
+
 describe 'GET #show' do
+
+ context 'user is not connected' do
+ before do
+ sign_out dossier.user
+ end
+
+ it 'redirect to users/sign_in' do
+ get :show, dossier_id: dossier_id
+ expect(response).to redirect_to('/users/sign_in')
+ end
+ end
+
 it 'returns http success' do
 get :show, dossier_id: dossier_id
 expect(response).to have_http_status(:success)
diff --git a/spec/controllers/description_controller_spec.rb b/spec/controllers/users/description_controller_spec.rb
similarity index 96%
rename from spec/controllers/description_controller_spec.rb
rename to spec/controllers/users/description_controller_spec.rb
index 648405f65..dddd0fb1c 100644
--- a/spec/controllers/description_controller_spec.rb
+++ b/spec/controllers/users/description_controller_spec.rb
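Review bot: The two `/demande` routes in config/routes.rb are commented out rather than deleted, and the commit message does not mention them. Commented-out routes are easy to restore later without the access check this commit adds to the other pages. Delete both lines, and if the `demandes` controller is now unreachable, remove it in the same change or record in the commit description why it stays.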
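Review bot: The new `context 'user is not connected'` in spec/controllers/users/carte_controller_spec.rb only pins the anonymous redirect; no example covers a signed-in user requesting a dossier that belongs to someone else. That is the case an access-control change most needs a test for, so add one that signs in a second user before `get :show, dossier_id: dossier_id` and expects the request to be refused. If the sign-in route comes from Devise, as `sign_in`/`sign_out` suggest, the hard-coded `'/users/sign_in'` can become `new_user_session_path`. The identical hunk in spec/controllers/users/description_controller_spec.rb has the same gap.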
@@ -6,7 +6,23 @@ describe Users::DescriptionController, type: :controller do
 let(:dossier_id) { dossier.id }
 let(:bad_dossier_id) { Dossier.count + 10 }
+ before do
+ sign_in dossier.user
+ end
+
 describe 'GET #show' do
+
+ context 'user is not connected' do
+ before do
+ sign_out dossier.user
+ end
+
+ it 'redirect to users/sign_in' do
+ get :show, dossier_id: dossier_id
+ expect(response).to redirect_to('/users/sign_in')
+ end
+ end
+
 it 'returns http success' do
 get :show, dossier_id: dossier_id
 expect(response).to have_http_status(:success)
diff --git a/spec/features/datepicker_spec.rb b/spec/features/datepicker_spec.rb
index 02e73ee3e..7cd23855b 100644
--- a/spec/features/datepicker_spec.rb
+++ b/spec/features/datepicker_spec.rb
@@ -4,6 +4,12 @@ feature 'On the description page' do
 let!(:dossier) { create(:dossier, :with_entreprise, :with_procedure, :with_user) }
 before do
 visit users_dossier_description_path dossier
+
+ within('#new_user') do
+ page.find_by_id('user_email').set dossier.user.email
+ page.find_by_id('user_password').set dossier.user.password
+ page.click_on 'Se connecter'
+ end
 end
 scenario 'date_previsionnelle field is present' do
 expect(page).to have_css('#date_previsionnelle')
diff --git a/spec/features/description_page/upload_piece_justificative_spec.rb b/spec/features/description_page/upload_piece_justificative_spec.rb
index 8300274fd..fa2b39a67 100644
--- a/spec/features/description_page/upload_piece_justificative_spec.rb
+++ b/spec/features/description_page/upload_piece_justificative_spec.rb
@@ -4,6 +4,13 @@ feature 'user is on description page' do
 let(:dossier) { create(:dossier, :with_entreprise, :with_procedure, :with_user) }
 before do
 visit users_dossier_description_path dossier
+
+ within('#new_user') do
+ page.find_by_id('user_email').set dossier.user.email
+ page.find_by_id('user_password').set dossier.user.password
+ page.click_on 'Se connecter'
+ end
+
 end
 it { expect(page).to have_css('#description_page') }
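Review bot: The login sequence added to the `before` block of spec/features/datepicker_spec.rb is repeated verbatim in spec/features/description_page/upload_piece_justificative_spec.rb. Move it into one shared helper under spec/support that takes the user, so a change to the sign-in form is fixed in a single place. The block also reads oddly because `visit users_dossier_description_path dossier` is immediately followed by filling `#new_user`; a comment such as `# signed out: the visit is redirected to the sign-in form, then back here after login` would make the reliance on that redirect explicit.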