do not give bad advice

2024-07-17 16:08:13 +02:00 · 2024-07-17 16:08:13 +02:00 · bb6c43cbb9
commit bb6c43cbb9
parent d4a9b63b00
2 changed files with 43 additions and 3 deletions
--- a/app/controllers/experts/avis_controller.rb
+++ b/app/controllers/experts/avis_controller.rb
@ -129,6 +129,14 @@ module Experts
      procedure_id = params[:procedure_id]
      avis_id = params[:id]
      email = params[:email]
+
+      avis = Avis.joins(:procedure, expert: :user)
+        .find_by(id: avis_id, procedure: { id: procedure_id }, user: { email: })
+
+      if avis.nil?
+        return redirect_to root_path, alert: "Vous n’avez pas accès à cet avis."
+      end
+
      password = params[:user][:password]

      user = User.create_or_promote_to_expert(email, password)
--- a/spec/controllers/experts/avis_controller_spec.rb
+++ b/spec/controllers/experts/avis_controller_spec.rb
@ -560,13 +560,17 @@ describe Experts::AvisController, type: :controller do
    end

    describe '#update_expert' do
+      let(:avis_id) { avis.id }
+      let(:email) { avis.expert.email }
+      let(:password) { SECURE_PASSWORD }
+
      subject do
        post :update_expert, params: {
-          id: avis.id,
+          id: avis_id,
          procedure_id:,
-          email: avis.expert.email,
+          email:,
          user: {
-            password: SECURE_PASSWORD
+            password:
          }
        }
      end
@ -588,6 +592,34 @@ describe Experts::AvisController, type: :controller do
        it { is_expected.to redirect_to expert_all_avis_path }
      end

+      context 'with a random avis, procedure and user' do
+        let(:avis_id) { create(:avis).id }
+        let(:random_user) { create(:user) }
+        let(:email) { random_user.email }
+
+        it 'doesn’t change the random user password' do
+          expect(random_user.reload.valid_password?(password)).to be false
+          subject
+          expect(random_user.reload.valid_password?(password)).to be false
+          expect(flash[:alert]).to eq("Vous n’avez pas accès à cet avis.")
+        end
+      end
+
+      context 'with a matching avis procedure, and a random user' do
+        let(:avis) { create(:avis) }
+        let(:avis_id) { avis.id }
+        let(:procedure_id) { avis.procedure.id }
+        let(:random_user) { create(:user) }
+        let(:email) { random_user.email }
+
+        it 'doesn’t change the random user password' do
+          expect(random_user.reload.valid_password?(password)).to be false
+          subject
+          expect(random_user.reload.valid_password?(password)).to be false
+          expect(flash[:alert]).to eq("Vous n’avez pas accès à cet avis.")
+        end
+      end
+
      context 'when the expert has already signed up' do
        before { expert.user.update(last_sign_in_at: Time.zone.now) }