Merge pull request #231 from sgmap/fix-162

[Fix #162] Deny dossier access for an unauthorized accompagnateur

app/controllers/backoffice/dossiers_controller.rb

@@ -1,6 +1,8 @@
 class Backoffice::DossiersController < Backoffice::DossiersListController
   respond_to :html, :xlsx, :ods, :csv
 
+  before_action :ensure_gestionnaire_is_authorized, only: :show
+
   def index
     procedure = current_gestionnaire.procedure_filter
 
@@ -185,6 +187,14 @@ class Backoffice::DossiersController < Backoffice::DossiersListController
 
   private
 
+  def ensure_gestionnaire_is_authorized
+    current_gestionnaire.dossiers.find(params[:id])
+
+  rescue ActiveRecord::RecordNotFound
+    flash.alert = t('errors.messages.dossier_not_found')
+    redirect_to url_for(controller: '/backoffice')
+  end
+
   def create_dossier_facade dossier_id
     @facade = DossierFacades.new dossier_id, current_gestionnaire.email
 

spec/features/backoffice/add_commentaire_spec.rb

@@ -1,7 +1,8 @@
 require 'spec_helper'
 
 feature 'add commentaire on backoffice' do
-  let(:dossier) { create(:dossier, :with_entreprise) }
+  let(:procedure) { create(:procedure) }
+  let(:dossier) { create(:dossier, :with_entreprise, procedure: procedure, state: 'updated') }
   let(:dossier_id) { dossier.id }
   let!(:commentaire) { create(:commentaire, dossier: dossier, email: 'toto@toto.com') }
   let(:email_commentaire) { 'test@test.com' }
@@ -10,6 +11,7 @@ feature 'add commentaire on backoffice' do
   let(:body) { 'Commentaire de test' }
 
   before do
+    create :assign_to, gestionnaire: gestionnaire, procedure: procedure
     login_as gestionnaire, scope: :gestionnaire
     visit backoffice_dossier_path(dossier)
   end

spec/features/backoffice/flux_de_commentaires_spec.rb

@@ -1,12 +1,13 @@
 require 'spec_helper'
 
 feature 'backoffice: flux de commentaires' do
+  let(:procedure) { create(:procedure) }
   let(:gestionnaire) { create(:gestionnaire) }
-  let(:dossier) { create(:dossier, :with_entreprise) }
+  let(:dossier) { create(:dossier, :with_entreprise, procedure: procedure, state: 'updated') }
   let(:dossier_id) { dossier.id }
 
-  let(:champ1) { dossier.champs.first }
-  let(:champ2) { create(:champ, dossier: dossier, type_de_champ: create(:type_de_champ_public, libelle: "subtitle")) }
+  let(:champ1) { create(:champ, dossier: dossier, type_de_champ: create(:type_de_champ_public, libelle: "subtitle1")) }
+  let(:champ2) { create(:champ, dossier: dossier, type_de_champ: create(:type_de_champ_public, libelle: "subtitle2")) }
 
   let!(:commentaire1) { create(:commentaire, dossier: dossier, champ: champ1) }
   let!(:commentaire2) { create(:commentaire, dossier: dossier) }
@@ -14,6 +15,7 @@ feature 'backoffice: flux de commentaires' do
   let!(:commentaire4) { create(:commentaire, dossier: dossier, champ: champ1) }
 
   before do
+    create :assign_to, gestionnaire: gestionnaire, procedure: procedure
     login_as gestionnaire, scope: :gestionnaire
     visit backoffice_dossier_path(dossier)
   end

spec/features/backoffice/navigate_to_dossier_spec.rb

@@ -32,6 +32,18 @@ feature 'on backoffice page', js: true do
         expect(page).to have_css('#backoffice-dossier-show')
       end
     end
+
+    context "and goes to the page of a dossier he hasn't access to" do
+      let!(:unauthorized_dossier) { create(:dossier, :with_entreprise, state: 'updated') }
+
+      before do
+        visit backoffice_dossier_path(unauthorized_dossier)
+      end
+
+      scenario "it shows an error message" do
+        expect(page).to have_content("Le dossier n'existe pas ou vous n'y avez pas accès.")
+      end
+    end
   end
 
   context 'when gestionnaire have enterprise and individual dossier in his inbox', js: true do