From 3c95273d6f868b71d069f5eb50325f39c48400de Mon Sep 17 00:00:00 2001
From: simon lehericey
Date: Wed, 26 Sep 2018 16:38:35 +0200
Subject: [PATCH] ProcedureController: use new token validation
---
 app/controllers/api/v1/procedures_controller.rb | 17 ++++++++++++++---
 .../api/v1/procedures_controller_spec.rb | 4 ++--
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/app/controllers/api/v1/procedures_controller.rb b/app/controllers/api/v1/procedures_controller.rb
index 817b5e882..8734cdca9 100644
--- a/app/controllers/api/v1/procedures_controller.rb
+++ b/app/controllers/api/v1/procedures_controller.rb
@@ -1,4 +1,6 @@
 class API::V1::ProceduresController < APIController
+  before_action :fetch_procedure_and_check_token
+
   resource_description do
     description AUTHENTICATION_TOKEN_DESCRIPTION
   end
@@ -9,11 +11,20 @@ class API::V1::ProceduresController < APIController
   error code: 404, desc: "Démarche inconnue"
 
   def show
-    procedure = administrateur.procedures.find(params[:id]).decorate
+    render json: { procedure: ProcedureSerializer.new(@procedure.decorate).as_json }
+  end
+
+  private
+
+  def fetch_procedure_and_check_token
+    @procedure = Procedure.includes(:administrateur).find(params[:id])
+
+    if !valid_token_for_administrateur?(@procedure.administrateur)
+      render json: {}, status: :unauthorized
+    end
 
-    render json: { procedure: ProcedureSerializer.new(procedure).as_json }
   rescue ActiveRecord::RecordNotFound => e
     Rails.logger.error(e.message)
-    render json: {}, status: 404
+    render json: {}, status: :not_found
   end
 end
diff --git a/spec/controllers/api/v1/procedures_controller_spec.rb b/spec/controllers/api/v1/procedures_controller_spec.rb
index c237261b2..6eee811ab 100644
--- a/spec/controllers/api/v1/procedures_controller_spec.rb
+++ b/spec/controllers/api/v1/procedures_controller_spec.rb
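Review bot: The new `fetch_procedure_and_check_token` answers 401 when the token is missing or belongs to another administrateur but 404 when the id does not exist, so a caller without a valid token can now distinguish existing procedure ids from nonexistent ones; before this commit `administrateur.procedures.find` produced 404 in both cases, and the spec hunk codifies the new 401. If that distinction is not intended, render the same not-found response in both branches: `render json: {}, status: :not_found unless valid_token_for_administrateur?(@procedure.administrateur)`. Independently of that, `if !valid_token_for_administrateur?(...)` reads better as `unless`, and if the `administrateur` association can be nil the helper receives nil, which is worth confirming it handles. `valid_token_for_administrateur?` is not defined in this file, so its exact semantics are inferred from the name.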
@@ -13,10 +13,10 @@ describe API::V1::ProceduresController, type: :controller do
       it { is_expected.to have_http_status(404) }
     end
 
-    context 'when procedure does not belong to administrateur' do
+    context 'when procedure belongs to administrateur without token' do
       let(:procedure_id) { create(:procedure).id }
 
-      it { is_expected.to have_http_status(404) }
+      it { is_expected.to have_http_status(401) }
     end
 
     context 'when procedure exist' do
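Review bot: The renamed context says "belongs to administrateur without token", yet the only lines that change are the title and the expected status; `create(:procedure)` still builds a procedure whose administrateur is presumably not the one whose token the request carries (the token `let` sits outside the hunk), so the title may describe a different setup than the one exercised. Consider two explicit contexts, one sending no token at all and one sending a valid token for a different administrateur, each asserting its expected status, so the 401-versus-404 behaviour introduced in the controller is pinned for both cases. The enclosing `describe` block starts and ends outside the hunk.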