[#1677] Allow invites to edit dossiers

2018-03-29 15:25:05 +02:00 · 2018-03-29 15:25:05 +02:00 · 839a5d43f6
commit 839a5d43f6
parent 13d7149b5c
2 changed files with 82 additions and 19 deletions
--- a/app/controllers/new_user/dossiers_controller.rb
+++ b/app/controllers/new_user/dossiers_controller.rb
@ -1,6 +1,7 @@
 module NewUser
  class DossiersController < UserController
-    before_action :ensure_ownership!, except: [:index]
+    before_action :ensure_ownership!, except: [:index, :modifier, :update]
+    before_action :ensure_ownership_or_invitation!, only: [:modifier, :update]

    def attestation
      send_data(dossier.attestation.pdf.read, filename: 'attestation.pdf', type: 'application/pdf')
@ -99,16 +100,26 @@ module NewUser
    end

    def dossier_with_champs
-      @dossier_with_champs ||= current_user.dossiers.with_ordered_champs.find(params[:id])
+      @dossier_with_champs ||= Dossier.with_ordered_champs.find(params[:id])
    end

    def ensure_ownership!
      if dossier.user_id != current_user.id
-        flash[:alert] = "Vous n'avez pas accès à ce dossier"
-        redirect_to root_path
+        forbidden!
      end
    end

+    def ensure_ownership_or_invitation!
+      if !dossier.owner_or_invite?(current_user)
+        forbidden!
+      end
+    end
+
+    def forbidden!
+      flash[:alert] = "Vous n'avez pas accès à ce dossier"
+      redirect_to root_path
+    end
+
    def individual_params
      params.require(:individual).permit(:gender, :nom, :prenom, :birthdate)
    end
--- a/spec/controllers/new_user/dossiers_controller_spec.rb
+++ b/spec/controllers/new_user/dossiers_controller_spec.rb
@ -3,44 +3,96 @@ require 'spec_helper'
 describe NewUser::DossiersController, type: :controller do
  let(:user) { create(:user) }

-  describe 'before_action: ensure_ownership!' do
+  describe 'before_actions: ensure_ownership, ensure_ownership_or_invitation!' do
    it 'is present' do
      before_actions = NewUser::DossiersController
        ._process_action_callbacks
        .find_all{ |process_action_callbacks| process_action_callbacks.kind == :before }
        .map(&:filter)

-      expect(before_actions).to include(:ensure_ownership!)
+      expect(before_actions).to include(:ensure_ownership!, :ensure_ownership_or_invitation!)
    end
  end

-  describe 'ensure_ownership!' do
+  shared_examples_for 'does not redirect nor flash' do
+    before { @controller.send(ensure_authorized) }
+
+    it { expect(@controller).not_to have_received(:redirect_to) }
+    it { expect(flash.alert).to eq(nil) }
+  end
+
+  shared_examples_for 'redirects and flashes' do
+    before { @controller.send(ensure_authorized) }
+
+    it { expect(@controller).to have_received(:redirect_to).with(root_path) }
+    it { expect(flash.alert).to eq("Vous n'avez pas accès à ce dossier") }
+  end
+
+  describe '#ensure_ownership!' do
    let(:user) { create(:user) }
+    let(:asked_dossier) { create(:dossier) }
+    let(:ensure_authorized) { :ensure_ownership! }

    before do
      @controller.params = @controller.params.merge(dossier_id: asked_dossier.id)
      expect(@controller).to receive(:current_user).and_return(user)
      allow(@controller).to receive(:redirect_to)
-
-      @controller.send(:ensure_ownership!)
    end

-    context 'when a user asks for its dossier' do
+    context 'when a user asks for their own dossier' do
      let(:asked_dossier) { create(:dossier, user: user) }

-      it 'does not redirects nor flash' do
-        expect(@controller).not_to have_received(:redirect_to)
-        expect(flash.alert).to eq(nil)
-      end
+      it_behaves_like 'does not redirect nor flash'
    end

    context 'when a user asks for another dossier' do
-      let(:asked_dossier) { create(:dossier) }
+      it_behaves_like 'redirects and flashes'
+    end

-      it 'redirects and flash' do
-        expect(@controller).to have_received(:redirect_to).with(root_path)
-        expect(flash.alert).to eq("Vous n'avez pas accès à ce dossier")
-      end
+    context 'when an invite asks for a dossier where they were invited' do
+      before { create(:invite, dossier: asked_dossier, user: user, type: 'InviteUser') }
+
+      it_behaves_like 'redirects and flashes'
+    end
+
+    context 'when an invite asks for another dossier' do
+      before { create(:invite, dossier: create(:dossier), user: user, type: 'InviteUser') }
+
+      it_behaves_like 'redirects and flashes'
+    end
+  end
+
+  describe '#ensure_ownership_or_invitation!' do
+    let(:user) { create(:user) }
+    let(:asked_dossier) { create(:dossier) }
+    let(:ensure_authorized) { :ensure_ownership_or_invitation! }
+
+    before do
+      @controller.params = @controller.params.merge(dossier_id: asked_dossier.id)
+      expect(@controller).to receive(:current_user).and_return(user)
+      allow(@controller).to receive(:redirect_to)
+    end
+
+    context 'when a user asks for their own dossier' do
+      let(:asked_dossier) { create(:dossier, user: user) }
+
+      it_behaves_like 'does not redirect nor flash'
+    end
+
+    context 'when a user asks for another dossier' do
+      it_behaves_like 'redirects and flashes'
+    end
+
+    context 'when an invite asks for a dossier where they were invited' do
+      before { create(:invite, dossier: asked_dossier, user: user, type: 'InviteUser') }
+
+      it_behaves_like 'does not redirect nor flash'
+    end
+
+    context 'when an invite asks for another dossier' do
+      before { create(:invite, dossier: create(:dossier), user: user, type: 'InviteUser') }
+
+      it_behaves_like 'redirects and flashes'
    end
  end