fix(send_dossier): avoid leaking instructeur emails
parent
ae3fb19c0e
commit
8e75b6ff77
2 changed files with 31 additions and 11 deletions
|
@ -86,14 +86,19 @@ module Instructeurs
|
|||
|
||||
def send_to_instructeurs
|
||||
recipients = params['recipients'].presence || [].to_json
|
||||
recipients = Instructeur.find(JSON.parse(recipients))
|
||||
# instructeurs are scoped by groupe_instructeur to avoid enumeration
|
||||
recipients = dossier.groupe_instructeur.instructeurs.where(id: JSON.parse(recipients))
|
||||
|
||||
recipients.each do |recipient|
|
||||
recipient.follow(dossier)
|
||||
InstructeurMailer.send_dossier(current_instructeur, dossier, recipient).deliver_later
|
||||
if recipients.present?
|
||||
recipients.each do |recipient|
|
||||
recipient.follow(dossier)
|
||||
InstructeurMailer.send_dossier(current_instructeur, dossier, recipient).deliver_later
|
||||
end
|
||||
flash.notice = "Dossier envoyé"
|
||||
else
|
||||
flash.alert = "Instructeur inconnu ou non présent sur la procédure"
|
||||
end
|
||||
|
||||
flash.notice = "Dossier envoyé"
|
||||
redirect_to(personnes_impliquees_instructeur_dossier_path(procedure, dossier))
|
||||
end
|
||||
|
||||
|
|
|
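Review bot: `JSON.parse(recipients)` on the new `where(id: …)` line still takes the raw `recipients` request parameter, so malformed JSON raises `JSON::ParserError` and a non-array value (an object, a nested array) reaches the query builder unchecked; both would likely surface as a 500 rather than the new alert. Parsing inside a `rescue JSON::ParserError` that falls back to `[]`, and narrowing the result before the query, for example `ids = Array.wrap(parsed).grep(Integer)` if ids are always sent as integers, would route every bad input to the `flash.alert` branch. Separately, when only some of the submitted ids belong to the groupe instructeur, the others are dropped silently and the user still sees "Dossier envoyé"; that is safe for the enumeration concern but worth a comment so it reads as intentional.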
@ -23,14 +23,12 @@ describe Instructeurs::DossiersController, type: :controller do
|
|||
end
|
||||
|
||||
describe '#send_to_instructeurs' do
|
||||
let(:recipient) { create(:instructeur) }
|
||||
let(:instructeurs) { [instructeur, recipient] }
|
||||
let(:mail) { double("mail") }
|
||||
|
||||
before do
|
||||
expect(mail).to receive(:deliver_later)
|
||||
allow(mail).to receive(:deliver_later)
|
||||
|
||||
expect(InstructeurMailer)
|
||||
allow(InstructeurMailer)
|
||||
.to receive(:send_dossier)
|
||||
.with(instructeur, dossier, recipient)
|
||||
.and_return(mail)
|
||||
|
@ -45,8 +43,25 @@ describe Instructeurs::DossiersController, type: :controller do
|
|||
)
|
||||
end
|
||||
|
||||
it { expect(response).to redirect_to(personnes_impliquees_instructeur_dossier_url) }
|
||||
it { expect(recipient.followed_dossiers).to include(dossier) }
|
||||
context 'when the recipient belongs to the dossier groupe instructeur' do
|
||||
let(:recipient) { instructeur }
|
||||
|
||||
it do
|
||||
expect(InstructeurMailer).to have_received(:send_dossier)
|
||||
expect(response).to redirect_to(personnes_impliquees_instructeur_dossier_url)
|
||||
expect(recipient.followed_dossiers).to include(dossier)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when the recipient is random' do
|
||||
let(:recipient) { create(:instructeur) }
|
||||
|
||||
it do
|
||||
expect(InstructeurMailer).not_to have_received(:send_dossier)
|
||||
expect(response).to redirect_to(personnes_impliquees_instructeur_dossier_url)
|
||||
expect(recipient.followed_dossiers).not_to include(dossier)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#follow' do
|
||||
|
|
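Review bot: The two contexts cover a list that is entirely inside the groupe instructeur and one that is entirely outside it, but not a mixed list, which is the case the scoping in `send_to_instructeurs` exists for. A third context posting one member id and one outsider id, asserting `have_received(:send_dossier).once` and that the outsider's `followed_dossiers` does not include the dossier, would pin that behaviour. The positive case also checks `have_received(:send_dossier)` without arguments; the rendered page does not show whether `.with(instructeur, dossier, recipient)` survives on the stub, so `have_received(:send_dossier).with(instructeur, dossier, recipient)` in the example would keep the recipient pinned either way. The 'random' context could also assert `flash.alert` so the new error branch is covered. The request setup sits between hunks and is not visible here.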