From b6fc30fd620e7a872f085af55268346e0030f1aa Mon Sep 17 00:00:00 2001 From: Simon Lehericey Date: Mon, 20 Feb 2017 18:07:33 +0100 Subject: [PATCH] Search: see only its own files --- .../backoffice/dossiers_controller.rb | 5 +- .../backoffice/dossiers_controller_spec.rb | 49 ++++++++++++++++--- 2 files changed, 46 insertions(+), 8 deletions(-) diff --git a/app/controllers/backoffice/dossiers_controller.rb b/app/controllers/backoffice/dossiers_controller.rb index 3df8eadf7..9237e091a 100644 --- a/app/controllers/backoffice/dossiers_controller.rb +++ b/app/controllers/backoffice/dossiers_controller.rb @@ -56,7 +56,10 @@ class Backoffice::DossiersController < Backoffice::DossiersListController @search_terms = params[:q] # exact id match? - @dossiers = Dossier.where(id: @search_terms.to_i) if @search_terms.to_i < 2147483647 + if @search_terms.to_i != 0 + @dossiers = current_gestionnaire.dossiers.where(id: @search_terms.to_i) + end + @dossiers = Dossier.none if @dossiers.nil? # full text search diff --git a/spec/controllers/backoffice/dossiers_controller_spec.rb b/spec/controllers/backoffice/dossiers_controller_spec.rb index a5316274b..a5b3aa418 100644 --- a/spec/controllers/backoffice/dossiers_controller_spec.rb +++ b/spec/controllers/backoffice/dossiers_controller_spec.rb 
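Review bot: The new guard `if @search_terms.to_i != 0` in `app/controllers/backoffice/dossiers_controller.rb` drops the upper bound that the removed line enforced (`< 2147483647`), so an over-long numeric query now reaches `where(id: ...)`. Depending on the Rails version and the id column type, that may raise instead of returning an empty result. Keeping both conditions, e.g. `if @search_terms.to_i != 0 && @search_terms.to_i < 2147483647`, preserves the old protection alongside the new scoping to `current_gestionnaire.dossiers`. The `# full text search` branch continues outside the hunk, so it is not visible whether it is also restricted to the current gestionnaire's dossiers. That should be confirmed, since otherwise the access restriction would only cover lookups by id.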
@@ -5,16 +5,24 @@ describe Backoffice::DossiersController, type: :controller do @request.env['HTTP_REFERER'] = TPS::Application::URL end let(:procedure) { create :procedure } + let(:procedure2) { create :procedure } let(:dossier) { create(:dossier, :with_entreprise, procedure: procedure, state: :initiated) } + let(:dossier2) { create(:dossier, :with_entreprise, procedure: procedure2, state: :initiated) } let(:dossier_archived) { create(:dossier, :with_entreprise, archived: true) } let(:dossier_id) { dossier.id } let(:bad_dossier_id) { Dossier.count + 10 } + let(:gestionnaire) { create(:gestionnaire, administrateurs: [create(:administrateur)]) } + let!(:gestionnaire2) { create(:gestionnaire, administrateurs: [create(:administrateur)]) } before do create :assign_to, procedure: procedure, gestionnaire: gestionnaire + create :assign_to, procedure: procedure2, gestionnaire: gestionnaire2 + + procedure.dossiers << dossier + procedure2.dossiers << dossier2 end describe 'GET #index' do 
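Review bot: The two lines `procedure.dossiers << dossier` and `procedure2.dossiers << dossier2` in the shared `before` block look redundant, because both factories already receive `procedure:`. Their practical effect appears to be forcing the lazy `let` dossiers to be created before every example in the file. If that is the intent, say so with a comment such as `# instantiate both dossiers so the search examples have records to match`, or declare them with `let!` as is already done for `gestionnaire2`. The enclosing `describe` block starts and ends outside the hunk, so the effect on the other examples that share this setup cannot be checked from here.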
@@ -166,15 +174,42 @@ describe Backoffice::DossiersController, type: :controller do end describe 'POST #search' do - before do - sign_in gestionnaire - end + describe 'by id' do + context 'when I am logged as a gestionnaire' do + before do + sign_in gestionnaire + end - it 'returns http success' do - post :search, params: {search_terms: 'test'} - expect(response).to have_http_status(200) - end + context 'when I own the dossier' do + before :each do + post :search, params: { q: dossier_id } + end + it 'returns http success' do + expect(response).to have_http_status(200) + end + + it 'returns the expected dossier' do + expect(assigns(:dossiers).count).to eq(1) + expect(assigns(:dossiers).first.id).to eq(dossier_id) + end + end + + context 'when I do not own the dossier' do + before :each do + post :search, params: { q: dossier2_id } + end + + it 'returns http success' do + expect(response).to have_http_status(200) + end + + it 'returns nothing' do + expect(assigns(:dossiers).count).to eq(0) + end + end + end + end end describe 'POST #valid' do
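Review bot: The 'when I do not own the dossier' context posts `q: dossier2_id`, but no `dossier2_id` helper is defined in the visible parts of this patch; the setup hunk adds `dossier2` only. Unless it exists elsewhere in the spec file, the example fails in its `before` block rather than testing the access restriction. Use `post :search, params: { q: dossier2.id }`, or add `let(:dossier2_id) { dossier2.id }` next to `let(:dossier_id)`. The removed example was also the only one in this block sending a non-numeric term, so the full-text path is left without a request spec here. An example asserting that a text query does not return `dossier2` would cover the same restriction for that branch.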