Merge pull request #6990 from betagouv/US/fix-avis

fix(avis_controller#*): missing ACL
This commit is contained in:
mfo 2022-02-28 15:12:53 +01:00 committed by GitHub
commit b7da406fe4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 69 additions and 16 deletions

View file

@ -17,7 +17,8 @@ module Experts
end
def procedure
@procedure = Procedure.find(params[:procedure_id])
@procedure = current_expert.procedures.find_by(id: params[:procedure_id])
redirect_to(expert_all_avis_path, flash: { alert: "Vous navez pas accès à cette démarche." }) and return unless @procedure
expert_avis = current_expert.avis.includes(:dossier).not_hidden_by_administration.where(dossiers: { groupe_instructeur: GroupeInstructeur.where(procedure: @procedure.id) })
@avis_a_donner = expert_avis.without_answer
@avis_donnes = expert_avis.with_answer
@ -156,7 +157,8 @@ module Experts
end
def set_avis_and_dossier
@avis = Avis.find(params[:id])
@avis = current_expert.avis.find_by(id: params[:id])
redirect_to(expert_all_avis_path, flash: { alert: "Vous navez pas accès à cet avis." }) and return unless @avis
@dossier = @avis.dossier
end

View file

@ -25,18 +25,31 @@ describe Experts::AvisController, type: :controller do
end
describe '#procedure' do
context 'without filter' do
before { get :procedure, params: { procedure_id: procedure.id } }
it { expect(response).to have_http_status(:success) }
it { expect(assigns(:avis_a_donner)).to match([avis_without_answer]) }
it { expect(assigns(:avis_donnes)).to match([avis_with_answer]) }
it { expect(assigns(:statut)).to eq('a-donner') }
end
context 'with a statut equal to donnes' do
before { get :procedure, params: { statut: 'donnes', procedure_id: procedure.id } }
it { expect(assigns(:statut)).to eq('donnes') }
end
context 'with different procedure' do
subject { get :procedure, params: { statut: 'donnes', procedure_id: procedure.id } }
it 'fails' do
sign_in(create(:expert).user)
subject
expect(response).to redirect_to(expert_all_avis_path)
expect(flash.alert).to eq("Vous navez pas accès à cette démarche.")
end
end
end
describe '#bilans_bdf' do
@ -64,22 +77,52 @@ describe Experts::AvisController, type: :controller do
expect(response).to redirect_to(root_path)
end
end
context 'with an avis that does not belongs to current_expert' do
it "refuse l'accès au dossier" do
sign_in(create(:expert).user)
subject
expect(response).to redirect_to(expert_all_avis_path)
expect(flash.alert).to eq("Vous navez pas accès à cet avis.")
end
end
end
describe '#instruction' do
before { get :instruction, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
subject { get :instruction, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
context 'with valid avis' do
before { subject }
it { expect(response).to have_http_status(:success) }
it { expect(assigns(:avis)).to eq(avis_without_answer) }
it { expect(assigns(:dossier)).to eq(dossier) }
end
context 'with an avis that does not belongs to current_expert' do
it "refuse l'accès au dossier" do
sign_in(create(:expert).user)
subject
expect(response).to redirect_to(expert_all_avis_path)
expect(flash.alert).to eq("Vous navez pas accès à cet avis.")
end
end
end
describe '#messagerie' do
subject { get :messagerie, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
context 'with valid avis' do
before { subject }
it { expect(response).to have_http_status(:success) }
it { expect(assigns(:avis)).to eq(avis_without_answer) }
it { expect(assigns(:dossier)).to eq(dossier) }
end
describe '#messagerie' do
before { get :messagerie, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
it { expect(response).to have_http_status(:success) }
it { expect(assigns(:avis)).to eq(avis_without_answer) }
it { expect(assigns(:dossier)).to eq(dossier) }
context 'with an avis that does not belongs to current_expert' do
it "refuse l'accès au dossier" do
sign_in(create(:expert).user)
subject
expect(response).to redirect_to(expert_all_avis_path)
expect(flash.alert).to eq("Vous navez pas accès à cet avis.")
end
end
end
describe '#update' do
@ -118,6 +161,14 @@ describe Experts::AvisController, type: :controller do
expect(flash.notice).to eq('Votre réponse est enregistrée.')
end
end
context 'with an avis that does not belongs to current_expert' do
it "refuse l'accès au dossier" do
sign_in(create(:expert).user)
patch :update, params: { id: avis_without_answer.id, procedure_id: procedure.id, avis: { answer: 'answer' } }
expect(response).to redirect_to(expert_all_avis_path)
expect(flash.alert).to eq("Vous navez pas accès à cet avis.")
end
end
end
describe '#create_commentaire' do