From bc583e0fe2b0bf177d4b41d790e7973b24b9211c Mon Sep 17 00:00:00 2001
From: simon lehericey
Date: Tue, 30 Jan 2024 09:57:30 +0100
Subject: [PATCH] can add a demarche
---
 .../administrateurs/api_tokens_controller.rb | 12 ++++++++
 .../administrateurs/api_tokens/edit.html.haml | 23 +++++++++++++++
 .../api_tokens_controller_spec.rb | 28 ++++++++++++++++++-
 3 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/app/controllers/administrateurs/api_tokens_controller.rb b/app/controllers/administrateurs/api_tokens_controller.rb
index 32ca47b16..9d6403e9b 100644
--- a/app/controllers/administrateurs/api_tokens_controller.rb
+++ b/app/controllers/administrateurs/api_tokens_controller.rb
@@ -55,6 +55,14 @@ module Administrateurs
 h[:authorized_networks] = networks
 end
+
+ if procedure_to_add.present?
+ to_add = current_administrateur
+ .procedure_ids
+ .intersection([procedure_to_add])
+
+ h[:allowed_procedure_ids] =
+ (Array.wrap(@api_token.allowed_procedure_ids) + to_add).uniq
 end
 if params[:name].present?
@@ -133,6 +141,10 @@ module Administrateurs
 params[:name]
 end
+
+ def procedure_to_add
+ params[:procedure_to_add]&.to_i
+ end
+
 def write_access
 params[:access] == "read_write"
 end
diff --git a/app/views/administrateurs/api_tokens/edit.html.haml b/app/views/administrateurs/api_tokens/edit.html.haml
index 47f1ac7d4..1d8e607a9 100644
--- a/app/views/administrateurs/api_tokens/edit.html.haml
+++ b/app/views/administrateurs/api_tokens/edit.html.haml
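Review bot: The `if procedure_to_add.present?` guard in the first controller hunk cannot tell "add this procedure" from "nothing chosen": the reader added in the second hunk coerces with `to_i`, so a blank value and the view's `'[]'` sentinel both become `0`, and `0.present?` is true under ActiveSupport. The branch therefore runs for every request that carries the key, and for a token whose `allowed_procedure_ids` is presumably nil (full access) it stores `[]`, which is what the spec contexts 'with an empty procedure to add' and 'not owned by the admin' pin. That fails closed, and intersecting with `current_administrateur.procedure_ids` is the right ownership check, but the switch from full access to a restricted token should be stated instead of left to integer coercion, for example with `# 0 (blank or '[]' sentinel) matches no procedure: this only turns a full-access token into a restricted, empty one` above the branch. The enclosing method starts and ends outside the hunk.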
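Review bot: `params[:procedure_to_add]&.to_i` in the new `procedure_to_add` reader assumes a scalar parameter; if the request supplies the key as an array or a nested hash, `to_i` is called on an object that does not define it and the action would fail with NoMethodError (a 500) instead of ignoring the value. Checking the type first keeps the existing nil and string behaviour: `value = params[:procedure_to_add]` followed by `value.to_i if value.is_a?(String) || value.is_a?(Integer)`. A one-line comment saying that the result is `0` for non-numeric strings would also help, since the update action relies on that.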
@@ -47,6 +47,29 @@
 - if @invalid_network_message.present?
 %p.fr-error-text= @invalid_network_message
+ = form_with url: admin_api_token_path(@api_token), method: :patch, html: { class: 'fr-mt-2w' } do |f|
+ .fr-mb-4w
+ - if @api_token.full_access?
+ %p Votre jeton d'API a accès à toutes vos démarches.
+ = hidden_field_tag :procedure_to_add, '[]'
+ %button.fr-btn.fr-btn--secondary.fr-btn--sm Restreindre l'accès à certaines les démarches
+ - else
+ .fr-select-group
+ %label.fr-label{ for: 'procedure_to_add' } Ajouter des démarches autorisées
+ .flex
+ = f.select :value,
+ options_for_select(@libelle_id_procedures),
+ { include_blank: true },
+ { class: 'fr-select width-33',
+ name: 'procedure_to_add'}
+
+ %button.fr-btn.fr-btn--secondary.fr-ml-1w Ajouter
+
+ %ul.fr-mb-4w
+ - @api_token.procedures.each do |procedure|
+ %li{ id: dom_id(procedure, :authorized) }
+ = procedure.libelle
+
 %ul.fr-btns-group.fr-btns-group--inline
 %li
 = link_to 'Revenir', profil_path, class: "fr-btn fr-btn--secondary"
diff --git a/spec/controllers/administrateurs/api_tokens_controller_spec.rb b/spec/controllers/administrateurs/api_tokens_controller_spec.rb
index 551cdfcbd..ae359aa2f 100644
--- a/spec/controllers/administrateurs/api_tokens_controller_spec.rb
+++ b/spec/controllers/administrateurs/api_tokens_controller_spec.rb
@@ -98,9 +98,10 @@ describe Administrateurs::APITokensController, type: :controller do
 describe 'update' do
 let(:token) { APIToken.generate(admin).first }
- let(:params) { { name:, networks: } }
+ let(:params) { { name:, networks:, procedure_to_add: } }
 let(:name) { 'new name' }
 let(:networks) { '118.218.200.200' }
+ let(:procedure_to_add) { nil }
 subject { patch :update, params: params.merge(id: token.id) }
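Review bot: The `%label.fr-label{ for: 'procedure_to_add' }` probably does not point at the select, because `f.select :value` overrides `name` in its HTML options but not `id`, so the generated id is presumably derived from `:value` and the label stays unassociated for assistive technology. `= select_tag :procedure_to_add, options_for_select(@libelle_id_procedures), include_blank: true, class: 'fr-select width-33'` would give a matching name and id without the placeholder attribute. The button text `Restreindre l'accès à certaines les démarches` has a stray `les`. `@libelle_id_procedures` and `@api_token.procedures` are not assigned anywhere in this patch, so they presumably come from an earlier commit; if `update` re-renders this template on error, the assign is needed on that path as well.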
@@ -138,5 +139,30 @@ describe Administrateurs::APITokensController, type: :controller do
 expect(assigns(:invalid_network_message)).to eq("Vous ne pouvez pas supprimer les restrictions d'accès à l'API d'un jeton permanent.")
 end
 end
+
+ context 'with a legitime procedure to add' do
+ let(:params) { { procedure_to_add: procedure.id } }
+
+ before { subject; token.reload }
+
+ it { expect(token.allowed_procedure_ids).to eq([procedure.id]) }
+ end
+
+ context 'with a procedure to add not owned by the admin' do
+ let(:another_procedure) { create(:procedure, administrateurs: [create(:administrateur)]) }
+ let(:params) { { procedure_to_add: another_procedure.id } }
+
+ before { subject; token.reload }
+
+ it { expect(token.allowed_procedure_ids).to eq([]) }
+ end
+
+ context 'with an empty procedure to add' do
+ let(:params) { { procedure_to_add: '' } }
+
+ before { subject; token.reload }
+
+ it { expect(token.allowed_procedure_ids).to eq([]) }
+ end
 end
 end
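Review bot: None of the three new contexts starts from a token that is already restricted, so the `(Array.wrap(...) + to_add).uniq` merge and the guarantee that a foreign id is never appended to an existing allow-list are both untested; every case begins with a freshly generated token and ends at `[]` or a single id. A context that seeds `allowed_procedure_ids` and then submits a procedure owned by another administrateur would pin the ownership check where it matters most. The sketch below assumes `procedure` (defined outside this hunk) belongs to `admin` and that `allowed_procedure_ids` can be assigned directly on the record. `legitime` in the first context name should read `legitimate`.

```ruby
# … unchanged: the three contexts added by this commit …

context 'with a procedure not owned by the admin and an already restricted token' do
  let(:another_procedure) { create(:procedure, administrateurs: [create(:administrateur)]) }
  let(:params) { { procedure_to_add: another_procedure.id } }

  before do
    token.update!(allowed_procedure_ids: [procedure.id])
    subject
    token.reload
  end

  it { expect(token.allowed_procedure_ids).to eq([procedure.id]) }
end
```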