diff --git a/app/controllers/experts/avis_controller.rb b/app/controllers/experts/avis_controller.rb
index c856fe2eb..393a18fae 100644
--- a/app/controllers/experts/avis_controller.rb
+++ b/app/controllers/experts/avis_controller.rb
@@ -17,7 +17,8 @@ module Experts
     end
 
     def procedure
-      @procedure = Procedure.find(params[:procedure_id])
+      @procedure = current_expert.procedures.find_by(id: params[:procedure_id])
+      redirect_to(expert_all_avis_path, flash: { alert: "Vous n’avez pas accès à cette démarche." }) and return unless @procedure
       expert_avis = current_expert.avis.includes(:dossier).not_hidden_by_administration.where(dossiers: { groupe_instructeur: GroupeInstructeur.where(procedure: @procedure.id) })
       @avis_a_donner = expert_avis.without_answer
       @avis_donnes = expert_avis.with_answer
@@ -156,7 +157,8 @@ module Experts
     end
 
     def set_avis_and_dossier
-      @avis = Avis.find(params[:id])
+      @avis = current_expert.avis.find_by(id: params[:id])
+      redirect_to(expert_all_avis_path, flash: { alert: "Vous n’avez pas accès à cet avis." }) and return unless @avis
       @dossier = @avis.dossier
     end
diff --git a/spec/controllers/experts/avis_controller_spec.rb b/spec/controllers/experts/avis_controller_spec.rb
index c81d0f472..f47d7607d 100644
--- a/spec/controllers/experts/avis_controller_spec.rb
+++ b/spec/controllers/experts/avis_controller_spec.rb
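Review bot: The guard added after the `find_by` in `procedure` is written as `redirect_to(...) and return unless @procedure`, the flow-control `and` that RuboCop's Style/AndOr flags; it only works because `redirect_to` happens to return a truthy value, and the same form is used in the `set_avis_and_dossier` hunk below. The plainer, equivalent line is `return redirect_to(expert_all_avis_path, flash: { alert: "Vous n’avez pas accès à cette démarche." }) unless @procedure`. A comment would also make the intent of the scoped lookup visible to the next maintainer, since this line is now the authorization check and an id the expert may not see gets the same redirect as an unknown id: `# Scoped through current_expert: a foreign id and a nonexistent id behave identically, so the response reveals nothing about other experts' procedures.` The `procedure` action continues past the end of this hunk.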
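Review bot: In `set_avis_and_dossier` the `return` after `redirect_to` only leaves this method; that is enough if it runs as a `before_action` (the redirect halts the filter chain), but if any action calls it directly the action would continue after the redirect and fail with a double render. The wiring is not visible in this hunk, so this is worth confirming against the controller's filter declarations. Whichever it is, a one-line comment on the method would save the next reader that check, e.g. `# Looks the avis up through current_expert so a foreign id is rejected like an unknown one; redirects (and halts the chain) when nothing matches.`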
@@ -25,18 +25,31 @@ describe Experts::AvisController, type: :controller do
   end
 
   describe '#procedure' do
-    before { get :procedure, params: { procedure_id: procedure.id } }
+    context 'without filter' do
+      before { get :procedure, params: { procedure_id: procedure.id } }
 
-    it { expect(response).to have_http_status(:success) }
-    it { expect(assigns(:avis_a_donner)).to match([avis_without_answer]) }
-    it { expect(assigns(:avis_donnes)).to match([avis_with_answer]) }
-    it { expect(assigns(:statut)).to eq('a-donner') }
+      it { expect(response).to have_http_status(:success) }
+      it { expect(assigns(:avis_a_donner)).to match([avis_without_answer]) }
+      it { expect(assigns(:avis_donnes)).to match([avis_with_answer]) }
+      it { expect(assigns(:statut)).to eq('a-donner') }
+    end
 
     context 'with a statut equal to donnes' do
       before { get :procedure, params: { statut: 'donnes', procedure_id: procedure.id } }
 
       it { expect(assigns(:statut)).to eq('donnes') }
     end
+
+    context 'with different procedure' do
+      subject { get :procedure, params: { statut: 'donnes', procedure_id: procedure.id } }
+
+      it 'fails' do
+        sign_in(create(:expert).user)
+        subject
+        expect(response).to redirect_to(expert_all_avis_path)
+        expect(flash.alert).to eq("Vous n’avez pas accès à cette démarche.")
+      end
+    end
   end
 
   describe '#bilans_bdf' do
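Review bot: The new `'with different procedure'` example is named `'fails'`, which does not say what is being pinned, and its `subject` passes `statut: 'donnes'` although the statut filter plays no part in the denial, so a reader may wonder whether the filter matters. A self-describing name and the minimal request make the intent clear: `it 'redirects to the avis list when the procedure is not one of the expert's'` and `subject { get :procedure, params: { procedure_id: procedure.id } }`. The `describe Experts::AvisController` block starts before this hunk.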
@@ -64,22 +77,52 @@ describe Experts::AvisController, type: :controller do
         expect(response).to redirect_to(root_path)
       end
     end
+
+    context 'with an avis that does not belongs to current_expert' do
+      it "refuse l'accès au dossier" do
+        sign_in(create(:expert).user)
+        subject
+        expect(response).to redirect_to(expert_all_avis_path)
+        expect(flash.alert).to eq("Vous n’avez pas accès à cet avis.")
+      end
+    end
   end
 
   describe '#instruction' do
-    before { get :instruction, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
-
-    it { expect(response).to have_http_status(:success) }
-    it { expect(assigns(:avis)).to eq(avis_without_answer) }
-    it { expect(assigns(:dossier)).to eq(dossier) }
+    subject { get :instruction, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
+    context 'with valid avis' do
+      before { subject }
+      it { expect(response).to have_http_status(:success) }
+      it { expect(assigns(:avis)).to eq(avis_without_answer) }
+      it { expect(assigns(:dossier)).to eq(dossier) }
+    end
+    context 'with an avis that does not belongs to current_expert' do
+      it "refuse l'accès au dossier" do
+        sign_in(create(:expert).user)
+        subject
+        expect(response).to redirect_to(expert_all_avis_path)
+        expect(flash.alert).to eq("Vous n’avez pas accès à cet avis.")
+      end
+    end
   end
 
   describe '#messagerie' do
-    before { get :messagerie, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
+    subject { get :messagerie, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
+    context 'with valid avis' do
+      before { subject }
 
-    it { expect(response).to have_http_status(:success) }
-    it { expect(assigns(:avis)).to eq(avis_without_answer) }
-    it { expect(assigns(:dossier)).to eq(dossier) }
+      it { expect(response).to have_http_status(:success) }
+      it { expect(assigns(:avis)).to eq(avis_without_answer) }
+      it { expect(assigns(:dossier)).to eq(dossier) }
+    end
+    context 'with an avis that does not belongs to current_expert' do
+      it "refuse l'accès au dossier" do
+        sign_in(create(:expert).user)
+        subject
+        expect(response).to redirect_to(expert_all_avis_path)
+        expect(flash.alert).to eq("Vous n’avez pas accès à cet avis.")
+      end
+    end
   end
 
   describe '#update' do
@@ -118,6 +161,14 @@ describe Experts::AvisController, type: :controller do
         expect(flash.notice).to eq('Votre réponse est enregistrée.')
       end
     end
+    context 'with an avis that does not belongs to current_expert' do
+      it "refuse l'accès au dossier" do
+        sign_in(create(:expert).user)
+        patch :update, params: { id: avis_without_answer.id, procedure_id: procedure.id, avis: { answer: 'answer' } }
+        expect(response).to redirect_to(expert_all_avis_path)
+        expect(flash.alert).to eq("Vous n’avez pas accès à cet avis.")
+      end
+    end
   end
 
   describe '#create_commentaire' do
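Review bot: The new `#update` denial example in the last hunk asserts only the redirect and the flash, not that the other expert's `answer` was left untouched, so a guard that redirected but still performed the update would pass it. Adding `expect(avis_without_answer.reload.answer).to be_nil` after the flash expectation pins the property the controller change exists to provide; this assumes `answer` is the column the `avis:` param writes to and that the factory leaves it nil, which the names suggest but the hunk does not show. The `describe '#update'` block starts before this hunk.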