[#2579] Fix injection SQL dans le filtrage instructeur

2018-09-18 15:53:11 +02:00 · 2018-09-18 15:53:11 +02:00 · b8f88ece5c
commit b8f88ece5c
parent 21d1788018
2 changed files with 56 additions and 8 deletions
--- a/spec/services/dossier_field_service_spec.rb
+++ b/spec/services/dossier_field_service_spec.rb
@ -2,7 +2,37 @@ require 'spec_helper'

 describe DossierFieldService do
  describe '#filtered_ids' do
-    let(:procedure) { create(:procedure) }
+    let(:procedure) { create(:procedure, :with_type_de_champ, :with_type_de_champ_private) }
+
+    context 'for type_de_champ table' do
+      let(:kept_dossier) { create(:dossier, procedure: procedure) }
+      let(:discarded_dossier) { create(:dossier, procedure: procedure) }
+      let(:type_de_champ) { procedure.types_de_champ.first }
+
+      before do
+        type_de_champ.champ.create(dossier: kept_dossier, value: 'keep me')
+        type_de_champ.champ.create(dossier: discarded_dossier, value: 'discard me')
+      end
+
+      subject { described_class.filtered_ids(procedure.dossiers, [{ 'table' => 'type_de_champ', 'column' => type_de_champ.id, 'value' => 'keep' }]) }
+
+      it { is_expected.to contain_exactly(kept_dossier.id) }
+    end
+
+    context 'for type_de_champ_private table' do
+      let(:kept_dossier) { create(:dossier, procedure: procedure) }
+      let(:discarded_dossier) { create(:dossier, procedure: procedure) }
+      let(:type_de_champ_private) { procedure.types_de_champ_private.first }
+
+      before do
+        type_de_champ_private.champ.create(dossier: kept_dossier, value: 'keep me')
+        type_de_champ_private.champ.create(dossier: discarded_dossier, value: 'discard me')
+      end
+
+      subject { described_class.filtered_ids(procedure.dossiers, [{ 'table' => 'type_de_champ_private', 'column' => type_de_champ_private.id, 'value' => 'keep' }]) }
+
+      it { is_expected.to contain_exactly(kept_dossier.id) }
+    end

    context 'for etablissement table' do
      context 'for entreprise_date_creation column' do
@ -25,5 +55,14 @@ describe DossierFieldService do
        it { is_expected.to contain_exactly(kept_dossier.id) }
      end
    end
+
+    context 'for user table' do
+      let!(:kept_dossier) { create(:dossier, procedure: procedure, user: create(:user, email: 'me@keepmail.com')) }
+      let!(:discarded_dossier) { create(:dossier, procedure: procedure, user: create(:user, email: 'me@discard.com')) }
+
+      subject { described_class.filtered_ids(procedure.dossiers, [{ 'table' => 'user', 'column' => 'email', 'value' => 'keepmail' }]) }
+
+      it { is_expected.to contain_exactly(kept_dossier.id) }
+    end
  end
 end