refacto destroy action and add spec for unauthorized user

2023-03-09 11:39:45 +01:00 · 2023-03-09 11:39:45 +01:00 · 6ba47b731b
commit 6ba47b731b
parent efcb783c8c
4 changed files with 34 additions and 4 deletions
--- a/app/controllers/users/transfers_controller.rb
+++ b/app/controllers/users/transfers_controller.rb
@ -20,11 +20,14 @@ module Users

    def destroy
      transfer = DossierTransfer.find(params[:id])
+      authorized = (transfer.email == current_user.email || transfer.dossiers.exists?(dossiers: { user: current_user }))

-      authorized_email = (transfer.email == current_user.email || transfer.dossiers.where(dossiers: { user: current_user }).present?)
-      return if !authorized_email
-
+      if authorized
        transfer.destroy_and_nullify
+        flash.notice = t("users.dossiers.transferer.destroy")
+      else
+        flash.alert = t("users.dossiers.transferer.unauthorized_destroy")
+      end
      redirect_to dossiers_path
    end

--- a/config/locales/views/users/dossier_transfer/en.yml
+++ b/config/locales/views/users/dossier_transfer/en.yml
@ -9,3 +9,5 @@ en:
        email_label: Email of the recipient account
        submit: Send transfer request
        notice_sent: The transfer request has been sent successfully
+        destroy: The transfer request has been deleted successfully
+        unauthorized_destroy: You don't have the authorization to delete this transfer request
--- a/config/locales/views/users/dossier_transfer/fr.yml
+++ b/config/locales/views/users/dossier_transfer/fr.yml
@ -9,3 +9,5 @@ fr:
        email_label: Email du compte destinataire
        submit: Envoyer la demande de transfert
        notice_sent: L'invitation au transfert a été envoyée avec succès
+        destroy: La demande de transfert a été supprimée avec succès
+        unauthorized_destroy: Vous n'avez pas l'autorisation pour supprimer cette demande de transfert
--- a/spec/controllers/users/transfers_controller_spec.rb
+++ b/spec/controllers/users/transfers_controller_spec.rb
@ -18,6 +18,8 @@ describe Users::TransfersController, type: :controller do
      it "deletes dossier transfert" do
        subject
        expect { dossier_transfert.reload }.to raise_error(ActiveRecord::RecordNotFound)
+        expect { (flash.notice).to eq('La demande de transfert a été supprimée avec succès') }
+        expect { (subject).to redirect_to dossiers_path }
      end
    end

@ -37,6 +39,27 @@ describe Users::TransfersController, type: :controller do
        expect { dossier_transfert.reload }.to raise_error(ActiveRecord::RecordNotFound)
      end
    end
+
+    context "as transfer unauthorized" do
+      let(:dossier_transfert) { DossierTransfer.initiate(recipient_user.email, [dossier]) }
+      let(:random_user) { create(:user) }
+
+      subject { delete :destroy, params: { id: dossier_transfert.id } }
+
+      before do
+        sign_in(random_user)
+      end
+
+      it { expect { subject }.not_to raise_error }
+
+      it "does not delete dossier transfert" do
+        subject
+
+        expect { dossier_transfert.reload.to eq(dossier_transfert) }
+        expect { (flash.alert).to eq("Vous n'avez pas l'autorisation pour supprimer cette demande de transfert") }
+        expect { (subject).to redirect_to dossiers_path }
+      end
+    end
  end

  describe "POST create" do