feat(Administrateur::ExportsController#*): prevent SuperAdmin to ask/download export

2022-07-21 15:23:49 +02:00 · 2022-07-21 15:23:49 +02:00 · 5e8210b8f8
commit 5e8210b8f8
parent bfd0f3379f
2 changed files with 20 additions and 1 deletions
--- a/app/controllers/administrateurs/exports_controller.rb
+++ b/app/controllers/administrateurs/exports_controller.rb
@ -1,6 +1,7 @@
 module Administrateurs
  class ExportsController < AdministrateurController
-    before_action :retrieve_procedure, only: [:download]
+    before_action :retrieve_procedure
+    before_action :ensure_not_super_admin!

    def download
      export = Export.find_or_create_export(export_format, all_groupe_instructeurs, **export_options)
--- a/spec/controllers/administrateurs/exports_controller_spec.rb
+++ b/spec/controllers/administrateurs/exports_controller_spec.rb
@ -63,5 +63,23 @@ describe Administrateurs::ExportsController, type: :controller do
        end
      end
    end
+
+    context 'when admin is allowed present as manager' do
+      let!(:procedure) { create(:procedure) }
+      let!(:administrateur_procedure) { create(:administrateurs_procedure, procedure: procedure, administrateur: administrateur, manager: true) }
+
+      context 'get #index.html' do
+        it { is_expected.to have_http_status(:forbidden) }
+      end
+      context 'get #index.turbo_stream' do
+        it 'is forbidden' do
+          post :download,
+            params: { export_format: :csv, procedure_id: procedure.id },
+            format: :turbo_stream
+          expect(response).to have_http_status(:forbidden)
+        end
+      end
+
+    end
  end
 end