fix(send_dossier): avoid leaking instructeur emails
parent
ae3fb19c0e
commit
8e75b6ff77
2 changed files with 31 additions and 11 deletions
|
@ -86,14 +86,19 @@ module Instructeurs
|
||||||
|
|
||||||
def send_to_instructeurs
|
def send_to_instructeurs
|
||||||
recipients = params['recipients'].presence || [].to_json
|
recipients = params['recipients'].presence || [].to_json
|
||||||
recipients = Instructeur.find(JSON.parse(recipients))
|
# instructeurs are scoped by groupe_instructeur to avoid enumeration
|
||||||
|
recipients = dossier.groupe_instructeur.instructeurs.where(id: JSON.parse(recipients))
|
||||||
|
|
||||||
recipients.each do |recipient|
|
if recipients.present?
|
||||||
recipient.follow(dossier)
|
recipients.each do |recipient|
|
||||||
InstructeurMailer.send_dossier(current_instructeur, dossier, recipient).deliver_later
|
recipient.follow(dossier)
|
||||||
|
InstructeurMailer.send_dossier(current_instructeur, dossier, recipient).deliver_later
|
||||||
|
end
|
||||||
|
flash.notice = "Dossier envoyé"
|
||||||
|
else
|
||||||
|
flash.alert = "Instructeur inconnu ou non présent sur la procédure"
|
||||||
end
|
end
|
||||||
|
|
||||||
flash.notice = "Dossier envoyé"
|
|
||||||
redirect_to(personnes_impliquees_instructeur_dossier_path(procedure, dossier))
|
redirect_to(personnes_impliquees_instructeur_dossier_path(procedure, dossier))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
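Review bot: `JSON.parse(recipients)` in `send_to_instructeurs` still runs unguarded on the request parameter, so a malformed `recipients` value raises `JSON::ParserError`, and a JSON object instead of an array hands `where(id: …)` a Hash, which is likely to raise as well rather than reach the new `flash.alert` branch. Consider parsing defensively, for example `ids = Array.wrap(JSON.parse(recipients)).grep_v(Hash)` with a `rescue JSON::ParserError` that falls back to `[]`, and pass `ids` to the scoped query. The scoping comment could also say what the risk was: the previous `Instructeur.find` accepted any id, so any instructeur could be made to follow the dossier and be mailed about it. The alert text says "procédure" while the scope is the dossier's `groupe_instructeur`; aligning the wording would avoid confusion.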
@ -23,14 +23,12 @@ describe Instructeurs::DossiersController, type: :controller do
|
||||||
end
|
end
|
||||||
|
|
||||||
describe '#send_to_instructeurs' do
|
describe '#send_to_instructeurs' do
|
||||||
let(:recipient) { create(:instructeur) }
|
|
||||||
let(:instructeurs) { [instructeur, recipient] }
|
|
||||||
let(:mail) { double("mail") }
|
let(:mail) { double("mail") }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
expect(mail).to receive(:deliver_later)
|
allow(mail).to receive(:deliver_later)
|
||||||
|
|
||||||
expect(InstructeurMailer)
|
allow(InstructeurMailer)
|
||||||
.to receive(:send_dossier)
|
.to receive(:send_dossier)
|
||||||
.with(instructeur, dossier, recipient)
|
.with(instructeur, dossier, recipient)
|
||||||
.and_return(mail)
|
.and_return(mail)
|
||||||
|
@ -45,8 +43,25 @@ describe Instructeurs::DossiersController, type: :controller do
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
it { expect(response).to redirect_to(personnes_impliquees_instructeur_dossier_url) }
|
context 'when the recipient belongs to the dossier groupe instructeur' do
|
||||||
it { expect(recipient.followed_dossiers).to include(dossier) }
|
let(:recipient) { instructeur }
|
||||||
|
|
||||||
|
it do
|
||||||
|
expect(InstructeurMailer).to have_received(:send_dossier)
|
||||||
|
expect(response).to redirect_to(personnes_impliquees_instructeur_dossier_url)
|
||||||
|
expect(recipient.followed_dossiers).to include(dossier)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when the recipient is random' do
|
||||||
|
let(:recipient) { create(:instructeur) }
|
||||||
|
|
||||||
|
it do
|
||||||
|
expect(InstructeurMailer).not_to have_received(:send_dossier)
|
||||||
|
expect(response).to redirect_to(personnes_impliquees_instructeur_dossier_url)
|
||||||
|
expect(recipient.followed_dossiers).not_to include(dossier)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe '#follow' do
|
describe '#follow' do
|
||||||
|
|
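Review bot: The `before` block now only `allow`s `mail.deliver_later`, and the "belongs to the dossier groupe instructeur" example checks `have_received(:send_dossier)` but never that the mail was enqueued, so it would still pass if `.deliver_later` were dropped from the controller. Adding `expect(mail).to have_received(:deliver_later)` to that example restores what the removed `expect(mail).to receive(:deliver_later)` covered. The "recipient is random" example could also assert `flash.alert`, so the rejection path is pinned by more than the absence of a mail. A mixed list (one in-group id plus one outsider) does not appear to be exercised in these hunks, though the request setup between the second and third hunk is not visible here.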