fix(avis_controller): acl on instruction

app/controllers/experts/avis_controller.rb

@@ -4,7 +4,7 @@ module Experts
     include Zipline
 
     before_action :authenticate_expert!, except: [:sign_up, :update_expert]
-    before_action :check_if_avis_revoked, only: [:show]
+    before_action :check_if_avis_revoked, only: [:show, :instruction]
     before_action :redirect_if_no_sign_up_needed, only: [:sign_up, :update_expert]
     before_action :set_avis_and_dossier, only: [:show, :instruction, :messagerie, :create_commentaire, :delete_commentaire, :update, :telecharger_pjs]
 

spec/controllers/experts/avis_controller_spec.rb

@@ -115,16 +115,22 @@ describe Experts::AvisController, type: :controller do
     end
 
     describe '#instruction' do
-      subject { get :instruction, params: { id: avis_without_answer.id, procedure_id: procedure.id } }
+      subject { get :instruction, params: { id: avis_to_instruct.id, procedure_id: procedure.id } }
+
       context 'with valid avis' do
+        let(:avis_to_instruct) { avis_without_answer }
         before { subject }
+
         it do
           expect(response).to have_http_status(:success)
           expect(assigns(:avis)).to eq(avis_without_answer)
           expect(assigns(:dossier)).to eq(dossier)
         end
       end
+
       context 'with an avis that does not belongs to current_expert' do
+        let(:avis_to_instruct) { avis_without_answer }
+
         it "refuse l'accès au dossier" do
           sign_in(create(:expert).user)
           subject
@@ -132,6 +138,13 @@ describe Experts::AvisController, type: :controller do
           expect(flash.alert).to eq("Vous n’avez pas accès à cet avis.")
         end
       end
+
+      context 'with a revoked avis' do
+        let(:avis_to_instruct) { revoked_avis }
+        before { subject }
+
+        it { expect(response).to redirect_to root_path }
+      end
     end
 
     context 'with destroyed claimant' do