DossierController: use new token validation

2018-09-26 16:49:21 +02:00 · 2018-09-26 16:49:21 +02:00 · 912371fbd6
commit 912371fbd6
parent 8dd4a1ca4e
2 changed files with 17 additions and 6 deletions
--- a/app/controllers/api/v1/dossiers_controller.rb
+++ b/app/controllers/api/v1/dossiers_controller.rb
@ -1,4 +1,6 @@
 class API::V1::DossiersController < APIController
+  before_action :fetch_procedure_and_check_token
+
  DEFAULT_PAGE_SIZE = 100

  resource_description do
@ -13,8 +15,7 @@ class API::V1::DossiersController < APIController
  error code: 404, desc: "Démarche inconnue"

  def index
-    procedure = administrateur.procedures.find(params[:procedure_id])
-    dossiers = procedure.dossiers.state_not_brouillon.page(params[:page]).per(per_page)
+    dossiers = @procedure.dossiers.state_not_brouillon.page(params[:page]).per(per_page)

    render json: { dossiers: dossiers.map{ |dossier| DossiersSerializer.new(dossier) }, pagination: pagination(dossiers) }, status: 200
  rescue ActiveRecord::RecordNotFound
@ -28,8 +29,7 @@ class API::V1::DossiersController < APIController
  error code: 404, desc: "Démarche ou dossier inconnu"

  def show
-    procedure = administrateur.procedures.find(params[:procedure_id])
-    dossier = procedure.dossiers.find(params[:id])
+    dossier = @procedure.dossiers.find(params[:id])

    respond_to do |format|
      format.json { render json: { dossier: DossierSerializer.new(dossier).as_json }, status: 200 }
@ -49,4 +49,15 @@ class API::V1::DossiersController < APIController
  def per_page # inherited value from will_paginate
    [params[:resultats_par_page]&.to_i || DEFAULT_PAGE_SIZE, 1000].min
  end
+
+  def fetch_procedure_and_check_token
+    @procedure = Procedure.includes(:administrateur).find(params[:procedure_id])
+
+    if !valid_token_for_administrateur?(@procedure.administrateur)
+      render json: {}, status: :unauthorized
+    end
+
+  rescue ActiveRecord::RecordNotFound
+    render json: {}, status: :not_found
+  end
 end
--- a/spec/controllers/api/v1/dossiers_controller_spec.rb
+++ b/spec/controllers/api/v1/dossiers_controller_spec.rb
@ -35,7 +35,7 @@ describe API::V1::DossiersController do

    context 'when procedure does not belong to admin' do
      let(:procedure_id) { wrong_procedure.id }
-      it { expect(subject.code).to eq('404') }
+      it { expect(subject.code).to eq('401') }
    end

    context 'when procedure is found and belongs to admin' do
@ -115,7 +115,7 @@ describe API::V1::DossiersController do
    context 'when procedure exists and does not belong to current admin' do
      let(:procedure_id) { wrong_procedure.id }
      let(:dossier_id) { 1 }
-      it { expect(subject.code).to eq('404') }
+      it { expect(subject.code).to eq('401') }
    end

    context 'when procedure is found and belongs to current admin' do