Merge pull request #6990 from betagouv/US/fix-avis

fix(avis_controller#*): missing ACL
2022-02-28 15:12:53 +01:00 · 2022-02-28 15:12:53 +01:00 · b7da406fe4
commit b7da406fe4
parent 43f8bbfb11 4346775169
2 changed files with 69 additions and 16 deletions
--- a/app/controllers/experts/avis_controller.rb
+++ b/app/controllers/experts/avis_controller.rb
@ -17,7 +17,8 @@ module Experts
    end

    def procedure
-      @procedure = Procedure.find(params[:procedure_id])
+      @procedure = current_expert.procedures.find_by(id: params[:procedure_id])
+      redirect_to(expert_all_avis_path, flash: { alert: "Vous n’avez pas accès à cette démarche." }) and return unless @procedure
      expert_avis = current_expert.avis.includes(:dossier).not_hidden_by_administration.where(dossiers: { groupe_instructeur: GroupeInstructeur.where(procedure: @procedure.id) })
      @avis_a_donner = expert_avis.without_answer
      @avis_donnes = expert_avis.with_answer
@ -156,7 +157,8 @@ module Experts
    end

    def set_avis_and_dossier
-      @avis = Avis.find(params[:id])
+      @avis = current_expert.avis.find_by(id: params[:id])
+      redirect_to(expert_all_avis_path, flash: { alert: "Vous n’avez pas accès à cet avis." }) and return unless @avis
      @dossier = @avis.dossier
    end

--- a/spec/controllers/experts/avis_controller_spec.rb
+++ b/spec/controllers/experts/avis_controller_spec.rb
@ -25,18 +25,31 @@ describe Experts::AvisController, type: :controller do
    end

    describe '#procedure' do
-      before { get :procedure, params: { procedure_id: procedure.id } }
+      context 'without filter' do
+        before { get :procedure, params: { procedure_id: procedure.id } }

-      it { expect(response).to have_http_status(:success) }
-      it { expect(assigns(:avis_a_donner)).to match([avis_without_answer]) }
-      it { expect(assigns(:avis_donnes)).to match([avis_with_answer]) }
-      it { expect(assigns(:statut)).to eq('a-donner') }
+        it { expect(response).to have_http_status(:success) }
+        it { expect(assigns(:avis_a_donner)).to match([avis_without_answer]) }
+        it { expect(assigns(:avis_donnes)).to match([avis_with_answer]) }
+        it { expect(assigns(:statut)).to eq('a-donner') }
+      end

      context 'with a statut equal to donnes' do
        before { get :procedure, params: { statut: 'donnes', procedure_id: procedure.id } }

        it { expect(assigns(:statut)).to eq('donnes') }
      end
+
+      context 'with different procedure' do
+        subject { get :procedure, params: { statut: 'donnes', procedure_id: procedure.id } }
+
+        it 'fails' do
+          sign_in(create(:expert).user)
+          subject
+          expect(response).to redirect_to(expert_all_avis_path)
+          expect(flash.alert).to eq("Vous n’avez pas accès à cette démarche.")
+        end
+      end
    end

    describe '#bilans_bdf' do
@ -64,22 +77,52 @@ describe Experts::AvisController, type: :controller do
          expect(response).to redirect_to(root_path)
        end
      end
+
+      context 'with an avis that does not belongs to current_expert' do
+        it "refuse l'accès au dossier" do
+          sign_in(create(:expert).user)
+          subject
+          expect(response).to redirect_to(expert_all_avis_path)
+          expect(flash.alert).to eq("Vous n’avez pas accès à cet avis.")
+        end
+      end
    end

    describe '#instruction' do
-      before { get :instruction, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
-
-      it { expect(response).to have_http_status(:success) }
-      it { expect(assigns(:avis)).to eq(avis_without_answer) }
-      it { expect(assigns(:dossier)).to eq(dossier) }
+      subject { get :instruction, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
+      context 'with valid avis' do
+        before { subject }
+        it { expect(response).to have_http_status(:success) }
+        it { expect(assigns(:avis)).to eq(avis_without_answer) }
+        it { expect(assigns(:dossier)).to eq(dossier) }
+      end
+      context 'with an avis that does not belongs to current_expert' do
+        it "refuse l'accès au dossier" do
+          sign_in(create(:expert).user)
+          subject
+          expect(response).to redirect_to(expert_all_avis_path)
+          expect(flash.alert).to eq("Vous n’avez pas accès à cet avis.")
+        end
+      end
    end

    describe '#messagerie' do
-      before { get :messagerie, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
+      subject { get :messagerie, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
+      context 'with valid avis' do
+        before { subject }

-      it { expect(response).to have_http_status(:success) }
-      it { expect(assigns(:avis)).to eq(avis_without_answer) }
-      it { expect(assigns(:dossier)).to eq(dossier) }
+        it { expect(response).to have_http_status(:success) }
+        it { expect(assigns(:avis)).to eq(avis_without_answer) }
+        it { expect(assigns(:dossier)).to eq(dossier) }
+      end
+      context 'with an avis that does not belongs to current_expert' do
+        it "refuse l'accès au dossier" do
+          sign_in(create(:expert).user)
+          subject
+          expect(response).to redirect_to(expert_all_avis_path)
+          expect(flash.alert).to eq("Vous n’avez pas accès à cet avis.")
+        end
+      end
    end

    describe '#update' do
@ -118,6 +161,14 @@ describe Experts::AvisController, type: :controller do
          expect(flash.notice).to eq('Votre réponse est enregistrée.')
        end
      end
+      context 'with an avis that does not belongs to current_expert' do
+        it "refuse l'accès au dossier" do
+          sign_in(create(:expert).user)
+          patch :update, params: { id: avis_without_answer.id, procedure_id: procedure.id, avis: { answer: 'answer' } }
+          expect(response).to redirect_to(expert_all_avis_path)
+          expect(flash.alert).to eq("Vous n’avez pas accès à cet avis.")
+        end
+      end
    end

    describe '#create_commentaire' do