Merge pull request #11151 from demarches-simplifiees/fix_invit_submission

ETQ Invité, je ne peux pas soumettre de correction sur un dossier déposé
2024-12-19 10:22:27 +00:00 · 2024-12-19 10:22:27 +00:00 · 8fab8986aa
commit 8fab8986aa
parent 978c5f5038 9fff0087a9
4 changed files with 123 additions and 138 deletions
--- a/app/components/dossiers/edit_footer_component.rb
+++ b/app/components/dossiers/edit_footer_component.rb
@ -27,7 +27,7 @@ class Dossiers::EditFooterComponent < ApplicationComponent
  end

  def can_submit_en_construction?
-    forked_with_changes?
+    forked_with_changes? && owner?
  end

  def submit_button_label
--- a/app/controllers/users/dossiers_controller.rb
+++ b/app/controllers/users/dossiers_controller.rb
@ -9,14 +9,13 @@ module Users
    layout 'procedure_context', only: [:identite, :update_identite, :siret, :update_siret]

    ACTIONS_ALLOWED_TO_ANY_USER = [:index, :new, :transferer_all, :deleted_dossiers]
-    ACTIONS_ALLOWED_TO_OWNER_OR_INVITE = [:show, :destroy, :demande, :messagerie, :brouillon, :submit_brouillon, :submit_en_construction, :modifier, :update, :create_commentaire, :papertrail, :restore, :champ]
+    ACTIONS_ALLOWED_TO_OWNER_OR_INVITE = [:show, :destroy, :demande, :messagerie, :brouillon, :modifier, :update, :create_commentaire, :papertrail, :restore, :champ]

    before_action :ensure_ownership!, except: ACTIONS_ALLOWED_TO_ANY_USER + ACTIONS_ALLOWED_TO_OWNER_OR_INVITE
    before_action :ensure_ownership_or_invitation!, only: ACTIONS_ALLOWED_TO_OWNER_OR_INVITE
    before_action :ensure_dossier_can_be_updated, only: [:update_identite, :update_siret, :brouillon, :submit_brouillon, :submit_en_construction, :modifier, :update, :champ]
    before_action :ensure_dossier_can_be_filled, only: [:brouillon, :modifier, :submit_brouillon, :submit_en_construction, :update]
    before_action :ensure_dossier_can_be_viewed, only: [:show]
-    before_action :forbid_invite_submission!, only: [:submit_brouillon]
    before_action :forbid_closed_submission!, only: [:submit_brouillon]
    before_action :set_dossier_as_editing_fork, only: [:submit_en_construction]
    before_action :show_demarche_en_test_banner
@ -575,12 +574,6 @@ module Users
      end
    end

-    def forbid_invite_submission!
-      if !current_user.owns?(dossier)
-        forbidden!
-      end
-    end
-
    def forbid_closed_submission!
      if !dossier.can_transition_to_en_construction?
        forbidden!
--- a/spec/controllers/users/dossiers_controller_spec.rb
+++ b/spec/controllers/users/dossiers_controller_spec.rb
@ -12,7 +12,7 @@ describe Users::DossiersController, type: :controller do
        .filter { |process_action_callbacks| process_action_callbacks.kind == :before }
        .map(&:filter)

-      expect(before_actions).to include(:ensure_ownership!, :ensure_ownership_or_invitation!, :forbid_invite_submission!)
+      expect(before_actions).to include(:ensure_ownership!, :ensure_ownership_or_invitation!)
    end
  end

@ -124,30 +124,6 @@ describe Users::DossiersController, type: :controller do
    end
  end

-  describe "#forbid_invite_submission!" do
-    let(:user) { create(:user) }
-    let(:asked_dossier) { create(:dossier) }
-    let(:ensure_authorized) { :forbid_invite_submission! }
-
-    before do
-      @controller.params = @controller.params.merge(dossier_id: asked_dossier.id)
-      allow(@controller).to receive(:current_user).and_return(user)
-      allow(@controller).to receive(:redirect_to)
-    end
-
-    context 'when a user submit their own dossier' do
-      let(:asked_dossier) { create(:dossier, user: user) }
-
-      it_behaves_like 'does not redirect nor flash'
-    end
-
-    context 'when an invite submit a dossier where they where invited' do
-      before { create(:invite, dossier: asked_dossier, user: user) }
-
-      it_behaves_like 'redirects and flashes'
-    end
-  end
-
  describe 'attestation' do
    before { sign_in(user) }

@ -525,10 +501,10 @@ describe Users::DossiersController, type: :controller do
  end

  describe '#submit_en_construction' do
-    before { sign_in(user) }
+    let(:owner) { create(:user) }
    let(:procedure) { create(:procedure, :published, types_de_champ_public:) }
    let(:types_de_champ_public) { [{ type: :text, mandatory: false }] }
-    let(:dossier) { create(:dossier, :en_construction, procedure:, user:) }
+    let(:dossier) { create(:dossier, :en_construction, procedure:, user: owner) }
    let(:first_champ) { dossier.owner_editing_fork.project_champs_public.first }
    let(:anchor_to_first_champ) { controller.helpers.link_to I18n.t('views.users.dossiers.fix_champ'), modifier_dossier_path(anchor: first_champ.labelledby_id), class: 'error-anchor' }
    let(:value) { 'beautiful value' }
@ -543,8 +519,11 @@ describe Users::DossiersController, type: :controller do
      end
    end

-    context 'when the dossier cannot be updated by the user' do
-      let!(:dossier) { create(:dossier, :en_instruction, user: user) }
+    context 'when the owner signs in' do
+      before { sign_in(owner) }
+
+      context 'when the dossier cannot be updated by the owner' do
+        let!(:dossier) { create(:dossier, :en_instruction, user: owner) }

        it 'redirects to the dossiers list' do
          subject
@ -634,7 +613,7 @@ describe Users::DossiersController, type: :controller do

        context 'when procedure has sva enabled' do
          let(:procedure) { create(:procedure, :sva) }
-        let(:dossier) { create(:dossier, :en_construction, procedure:, user:) }
+          let(:dossier) { create(:dossier, :en_construction, procedure:, user: owner) }
          let!(:correction) { create(:dossier_correction, dossier: dossier) }

          subject { post :submit_en_construction, params: { id: dossier.id, dossier: { pending_correction: pending_correction_value } } }
@ -671,6 +650,20 @@ describe Users::DossiersController, type: :controller do
      end
    end

+    context 'when a invite signs in' do
+      let(:invite_user) { create(:user) }
+      let!(:invite) { create(:invite, dossier:, user: invite_user) }
+
+      before { sign_in(invite_user) }
+      context 'and the invite tries to submit the dossier' do
+        before { subject }
+
+        it { expect(response).to redirect_to(root_path) }
+        it { expect(flash.alert).to include("Vous n’avez pas accès à ce dossier") }
+      end
+    end
+  end
+
  describe '#update brouillon' do
    before { sign_in(user) }

--- a/spec/system/users/invite_spec.rb
+++ b/spec/system/users/invite_spec.rb
@ -136,7 +136,6 @@ describe 'Invitations' do
        expect(page).to have_current_path(dossier_path(invite.dossier))
      end

-      it_behaves_like 'the user can edit the submitted demande'
      it_behaves_like 'the user can send messages to the instructeur'
    end
  end