feat(Instructeur::ArchivesController#*): prevent SuperAdmin to index/download archives
This commit is contained in:
parent
c2e0994e11
commit
bfd0f3379f
3 changed files with 64 additions and 17 deletions
|
@ -1,6 +1,8 @@
|
||||||
module Instructeurs
|
module Instructeurs
|
||||||
class ArchivesController < InstructeurController
|
class ArchivesController < InstructeurController
|
||||||
before_action :retrieve_procedure, only: [:index, :create]
|
before_action :retrieve_procedure
|
||||||
|
before_action :ensure_not_super_admin!
|
||||||
|
|
||||||
helper_method :create_archive_url
|
helper_method :create_archive_url
|
||||||
|
|
||||||
def index
|
def index
|
||||||
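Review bot: `ensure_not_super_admin!` reads `@procedure` (through `is_super_admin_through_assign_tos_as_manager?`, defined in the base controller), so it only works because it is declared after `before_action :retrieve_procedure`; that ordering dependency is invisible at the call site and deserves a comment such as `# must run after retrieve_procedure: the super-admin check is scoped to @procedure`. Dropping `only: [:index, :create]` makes both filters run for every action of this controller, which is what the commit title asks for, but an action added later without a `procedure_id` would make the filter raise on nil rather than deny access, so a nil guard in the check itself would be safer. The rest of the class lies outside the hunk.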
|
|
|
@ -5,5 +5,23 @@ module Instructeurs
|
||||||
def nav_bar_profile
|
def nav_bar_profile
|
||||||
:instructeur
|
:instructeur
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
def ensure_not_super_admin!
|
||||||
|
if is_super_admin_through_assign_tos_as_manager?
|
||||||
|
redirect_back fallback_location: root_url, alert: "Interdit aux super admins", status: 403
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def is_super_admin_through_assign_tos_as_manager?
|
||||||
|
current_instructeur.assign_to
|
||||||
|
.where(instructeur: current_instructeur,
|
||||||
|
groupe_instructeur: current_instructeur.groupe_instructeurs.where(procedure_id: @procedure.id),
|
||||||
|
manager: true)
|
||||||
|
.count
|
||||||
|
.positive?
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
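Review bot: `redirect_back fallback_location: root_url, alert: ..., status: 403` in `ensure_not_super_admin!` sends a Location header with a non-3xx status, which browsers do not follow, so the super admin never reaches the fallback page and the `alert` flash is never shown; either keep a real redirect (drop `status: 403`, default 302) or answer with `head :forbidden` / a rendered 403 page, and align the spec's expectation with the choice. In `is_super_admin_through_assign_tos_as_manager?`, `current_instructeur.assign_to` is presumably already scoped to the current instructeur, making the `instructeur: current_instructeur` condition redundant, and `.count.positive?` runs a COUNT where `manager: true).exists?` is the idiomatic and cheaper form. The method dereferences `@procedure.id` yet lives in what looks like the shared base controller, where no visible filter sets `@procedure`; a comment `# requires @procedure — only valid after retrieve_procedure` or an early `return false if @procedure.nil?` would keep the next subclass from hitting a NoMethodError on nil. Ruby convention also drops the `is_` prefix on predicates (`super_admin_through_assign_tos_as_manager?`).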
|
|
|
@ -1,17 +1,16 @@
|
||||||
describe Instructeurs::ArchivesController, type: :controller do
|
describe Instructeurs::ArchivesController, type: :controller do
|
||||||
let(:procedure1) { create(:procedure, :published, groupe_instructeurs: [gi1]) }
|
let(:procedure1) { create(:procedure, :published, groupe_instructeurs: [assign_to.groupe_instructeur]) }
|
||||||
let(:procedure2) { create(:procedure, :published, groupe_instructeurs: [gi2]) }
|
let(:procedure2) { create(:procedure, :published, groupe_instructeurs: [gi2]) }
|
||||||
let!(:instructeur) { create(:instructeur, groupe_instructeurs: [gi1, gi2]) }
|
let!(:instructeur) { create(:instructeur, groupe_instructeurs: [gi2]) }
|
||||||
let!(:archive1) { create(:archive, :generated, groupe_instructeurs: [gi1]) }
|
let!(:archive1) { create(:archive, :generated, groupe_instructeurs: [assign_to.groupe_instructeur]) }
|
||||||
let!(:archive2) { create(:archive, :generated, groupe_instructeurs: [gi2]) }
|
let!(:archive2) { create(:archive, :generated, groupe_instructeurs: [gi2]) }
|
||||||
let(:gi1) { create(:groupe_instructeur) }
|
let!(:assign_to) { create(:assign_to, instructeur: instructeur, groupe_instructeur: build(:groupe_instructeur), manager: manager) }
|
||||||
let(:gi2) { create(:groupe_instructeur) }
|
let(:gi2) { create(:groupe_instructeur) }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
sign_in(instructeur.user)
|
sign_in(instructeur.user)
|
||||||
end
|
end
|
||||||
|
after { Timecop.return }
|
||||||
after { Timecop.return }
|
|
||||||
|
|
||||||
describe '#index' do
|
describe '#index' do
|
||||||
before do
|
before do
|
||||||
|
@ -20,25 +19,53 @@ describe Instructeurs::ArchivesController, type: :controller do
|
||||||
create_dossier_for_month(procedure1, 2021, 2)
|
create_dossier_for_month(procedure1, 2021, 2)
|
||||||
Timecop.freeze(Time.zone.local(2021, 3, 5))
|
Timecop.freeze(Time.zone.local(2021, 3, 5))
|
||||||
end
|
end
|
||||||
|
subject{get :index, params: { procedure_id: procedure1.id }}
|
||||||
|
|
||||||
it 'displays archives' do
|
context 'signed in not as manager' do
|
||||||
get :index, params: { procedure_id: procedure1.id }
|
let(:manager){ false }
|
||||||
|
|
||||||
expect(assigns(:archives)).to eq([archive1])
|
|
||||||
|
it { is_expected.to have_http_status(:success) }
|
||||||
|
it 'assigns archives' do
|
||||||
|
subject
|
||||||
|
expect(assigns(:archives)).to eq([archive1])
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'signed in as manager' do
|
||||||
|
let(:manager){ true }
|
||||||
|
|
||||||
|
before do
|
||||||
|
sign_in(instructeur.user)
|
||||||
|
end
|
||||||
|
|
||||||
|
it { is_expected.to have_http_status(:forbidden) }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe '#create' do
|
describe '#create' do
|
||||||
let(:month) { '21-03' }
|
|
||||||
let(:date_month) { Date.strptime(month, "%Y-%m") }
|
|
||||||
let(:subject) do
|
let(:subject) do
|
||||||
post :create, params: { procedure_id: procedure1.id, type: 'monthly', month: month }
|
post :create, params: { procedure_id: procedure1.id, type: 'monthly', month: month }
|
||||||
end
|
end
|
||||||
|
|
||||||
it "performs archive creation job" do
|
let(:month) { '21-03' }
|
||||||
expect { subject }.to have_enqueued_job(ArchiveCreationJob).with(procedure1, an_instance_of(Archive), instructeur)
|
let(:date_month) { Date.strptime(month, "%Y-%m") }
|
||||||
expect(flash.notice).to include("Votre demande a été prise en compte")
|
|
||||||
|
context 'signed in not as manager' do
|
||||||
|
let(:manager){ false }
|
||||||
|
|
||||||
|
it "performs archive creation job" do
|
||||||
|
expect { subject }.to have_enqueued_job(ArchiveCreationJob).with(procedure1, an_instance_of(Archive), instructeur)
|
||||||
|
expect(flash.notice).to include("Votre demande a été prise en compte")
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'signed in as manager' do
|
||||||
|
let(:manager){ true }
|
||||||
|
|
||||||
|
it { is_expected.to have_http_status(:forbidden) }
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
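Review bot: The 'signed in as manager' contexts only assert `have_http_status(:forbidden)`; for `#create` that does not prove the job was blocked, so add `expect { subject }.not_to have_enqueued_job(ArchiveCreationJob)` there, and for `#index` `expect(assigns(:archives)).to be_nil` would confirm nothing was loaded before the filter halted. The `before do sign_in(instructeur.user) end` inside the `#index` manager context duplicates the top-level `before` and can be dropped. `let(:subject) do ... end` in `#create` shadows RSpec's `subject` while the `#index` block uses `subject { ... }`; for consistency write `subject { post :create, params: { procedure_id: procedure1.id, type: 'monthly', month: month } }`. The spec's private helpers lie outside the hunk.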
|
|