Merge pull request #6990 from betagouv/US/fix-avis
fix(avis_controller#*): missing ACL
This commit is contained in:
commit
b7da406fe4
2 changed files with 69 additions and 16 deletions
|
@ -17,7 +17,8 @@ module Experts
|
|||
end
|
||||
|
||||
def procedure
|
||||
@procedure = Procedure.find(params[:procedure_id])
|
||||
@procedure = current_expert.procedures.find_by(id: params[:procedure_id])
|
||||
redirect_to(expert_all_avis_path, flash: { alert: "Vous n’avez pas accès à cette démarche." }) and return unless @procedure
|
||||
expert_avis = current_expert.avis.includes(:dossier).not_hidden_by_administration.where(dossiers: { groupe_instructeur: GroupeInstructeur.where(procedure: @procedure.id) })
|
||||
@avis_a_donner = expert_avis.without_answer
|
||||
@avis_donnes = expert_avis.with_answer
|
||||
|
@ -156,7 +157,8 @@ module Experts
|
|||
end
|
||||
|
||||
def set_avis_and_dossier
|
||||
@avis = Avis.find(params[:id])
|
||||
@avis = current_expert.avis.find_by(id: params[:id])
|
||||
redirect_to(expert_all_avis_path, flash: { alert: "Vous n’avez pas accès à cet avis." }) and return unless @avis
|
||||
@dossier = @avis.dossier
|
||||
end
|
||||
|
||||
|
|
|
@ -25,18 +25,31 @@ describe Experts::AvisController, type: :controller do
|
|||
end
|
||||
|
||||
describe '#procedure' do
|
||||
context 'without filter' do
|
||||
before { get :procedure, params: { procedure_id: procedure.id } }
|
||||
|
||||
it { expect(response).to have_http_status(:success) }
|
||||
it { expect(assigns(:avis_a_donner)).to match([avis_without_answer]) }
|
||||
it { expect(assigns(:avis_donnes)).to match([avis_with_answer]) }
|
||||
it { expect(assigns(:statut)).to eq('a-donner') }
|
||||
end
|
||||
|
||||
context 'with a statut equal to donnes' do
|
||||
before { get :procedure, params: { statut: 'donnes', procedure_id: procedure.id } }
|
||||
|
||||
it { expect(assigns(:statut)).to eq('donnes') }
|
||||
end
|
||||
|
||||
context 'with different procedure' do
|
||||
subject { get :procedure, params: { statut: 'donnes', procedure_id: procedure.id } }
|
||||
|
||||
it 'fails' do
|
||||
sign_in(create(:expert).user)
|
||||
subject
|
||||
expect(response).to redirect_to(expert_all_avis_path)
|
||||
expect(flash.alert).to eq("Vous n’avez pas accès à cette démarche.")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#bilans_bdf' do
|
||||
|
@ -64,22 +77,52 @@ describe Experts::AvisController, type: :controller do
|
|||
expect(response).to redirect_to(root_path)
|
||||
end
|
||||
end
|
||||
|
||||
context 'with an avis that does not belongs to current_expert' do
|
||||
it "refuse l'accès au dossier" do
|
||||
sign_in(create(:expert).user)
|
||||
subject
|
||||
expect(response).to redirect_to(expert_all_avis_path)
|
||||
expect(flash.alert).to eq("Vous n’avez pas accès à cet avis.")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#instruction' do
|
||||
before { get :instruction, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
|
||||
subject { get :instruction, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
|
||||
context 'with valid avis' do
|
||||
before { subject }
|
||||
it { expect(response).to have_http_status(:success) }
|
||||
it { expect(assigns(:avis)).to eq(avis_without_answer) }
|
||||
it { expect(assigns(:dossier)).to eq(dossier) }
|
||||
end
|
||||
context 'with an avis that does not belongs to current_expert' do
|
||||
it "refuse l'accès au dossier" do
|
||||
sign_in(create(:expert).user)
|
||||
subject
|
||||
expect(response).to redirect_to(expert_all_avis_path)
|
||||
expect(flash.alert).to eq("Vous n’avez pas accès à cet avis.")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#messagerie' do
|
||||
subject { get :messagerie, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
|
||||
context 'with valid avis' do
|
||||
before { subject }
|
||||
|
||||
it { expect(response).to have_http_status(:success) }
|
||||
it { expect(assigns(:avis)).to eq(avis_without_answer) }
|
||||
it { expect(assigns(:dossier)).to eq(dossier) }
|
||||
end
|
||||
|
||||
describe '#messagerie' do
|
||||
before { get :messagerie, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
|
||||
|
||||
it { expect(response).to have_http_status(:success) }
|
||||
it { expect(assigns(:avis)).to eq(avis_without_answer) }
|
||||
it { expect(assigns(:dossier)).to eq(dossier) }
|
||||
context 'with an avis that does not belongs to current_expert' do
|
||||
it "refuse l'accès au dossier" do
|
||||
sign_in(create(:expert).user)
|
||||
subject
|
||||
expect(response).to redirect_to(expert_all_avis_path)
|
||||
expect(flash.alert).to eq("Vous n’avez pas accès à cet avis.")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#update' do
|
||||
|
@ -118,6 +161,14 @@ describe Experts::AvisController, type: :controller do
|
|||
expect(flash.notice).to eq('Votre réponse est enregistrée.')
|
||||
end
|
||||
end
|
||||
context 'with an avis that does not belongs to current_expert' do
|
||||
it "refuse l'accès au dossier" do
|
||||
sign_in(create(:expert).user)
|
||||
patch :update, params: { id: avis_without_answer.id, procedure_id: procedure.id, avis: { answer: 'answer' } }
|
||||
expect(response).to redirect_to(expert_all_avis_path)
|
||||
expect(flash.alert).to eq("Vous n’avez pas accès à cet avis.")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#create_commentaire' do
|
||||
|
|
Loading…
Reference in a new issue