Merge pull request #2075 from betagouv/fix_2072_user_cannot_modify_a_dossier_in_instruction

[fix #2072] DossierController: check the user can update the dossier
2018-06-08 16:38:59 +02:00 · 2018-06-08 16:38:59 +02:00 · 6e1bff0d5d
commit 6e1bff0d5d
parent db4c0e11d2 e11392981d
3 changed files with 34 additions and 0 deletions
--- a/app/controllers/new_user/dossiers_controller.rb
+++ b/app/controllers/new_user/dossiers_controller.rb
@ -2,6 +2,7 @@ module NewUser
  class DossiersController < UserController
    before_action :ensure_ownership!, except: [:index, :modifier, :update]
    before_action :ensure_ownership_or_invitation!, only: [:modifier, :update]
+    before_action :ensure_dossier_can_be_updated, only: [:update_identite, :update]
    before_action :forbid_invite_submission!, only: [:update]

    def attestation
@ -109,6 +110,13 @@ module NewUser

    private

+    def ensure_dossier_can_be_updated
+      if !dossier.can_be_updated_by_the_user?
+        flash.alert = 'Votre dossier ne peut plus être modifié'
+        redirect_to users_dossiers_path
+      end
+    end
+
    def page
      [params[:page].to_i, 1].max
    end
--- a/app/models/dossier.rb
+++ b/app/models/dossier.rb
@ -171,6 +171,10 @@ class Dossier < ApplicationRecord
    !(procedure.archivee? && brouillon?)
  end

+  def can_be_updated_by_the_user?
+    brouillon? || en_construction?
+  end
+
  def text_summary
    if brouillon?
      parts = [
--- a/spec/controllers/new_user/dossiers_controller_spec.rb
+++ b/spec/controllers/new_user/dossiers_controller_spec.rb
@ -145,6 +145,17 @@ describe NewUser::DossiersController, type: :controller do
      end
    end

+    context 'when the identite cannot be updated by the user' do
+      let(:dossier) { create(:dossier, :for_individual, :en_instruction, user: user, procedure: procedure) }
+      let(:individual_params) { { gender: 'M', nom: 'Mouse', prenom: 'Mickey' } }
+      let(:dossier_params) { { autorisation_donnees: true } }
+
+      it 'redirects to user_dossiers_path' do
+        expect(response).to redirect_to(users_dossiers_path)
+        expect(flash.alert).to eq('Votre dossier ne peut plus être modifié')
+      end
+    end
+
    context 'with incorrect individual and dossier params' do
      let(:individual_params) { { gender: '', nom: '', prenom: '' } }
      let(:dossier_params) { { autorisation_donnees: nil } }
@ -211,6 +222,17 @@ describe NewUser::DossiersController, type: :controller do

    subject { patch :update, params: payload }

+    context 'when the dossier cannot be updated by the user' do
+      let!(:dossier) { create(:dossier, :en_instruction, user: user) }
+
+      it 'redirects to user_dossiers_path' do
+        subject
+
+        expect(response).to redirect_to(users_dossiers_path)
+        expect(flash.alert).to eq('Votre dossier ne peut plus être modifié')
+      end
+    end
+
    it 'updates the champs' do
      subject