diff --git a/app/controllers/users/carte_controller.rb b/app/controllers/users/carte_controller.rb index bb4dd8029..ff6d3f85a 100644 --- a/app/controllers/users/carte_controller.rb +++ b/app/controllers/users/carte_controller.rb @@ -1,14 +1,11 @@ class Users::CarteController < UsersController include DossierConcern + before_action :authorized_routes?, only: [:show] + def show @dossier = current_user_dossier - unless @dossier.procedure.module_api_carto.use_api_carto - flash.alert = t('errors.messages.dossier_map_not_activated') - redirect_to url_for(root_path) - end - rescue ActiveRecord::RecordNotFound flash.alert = t('errors.messages.dossier_not_found') redirect_to url_for(root_path) diff --git a/app/controllers/users/description_controller.rb b/app/controllers/users/description_controller.rb index dc8c93529..31df59c8e 100644 --- a/app/controllers/users/description_controller.rb +++ b/app/controllers/users/description_controller.rb @@ -1,4 +1,6 @@ class Users::DescriptionController < UsersController + before_action :authorized_routes?, only: [:show] + def show @dossier = current_user_dossier @dossier = @dossier.decorate diff --git a/app/controllers/users/dossiers_controller.rb b/app/controllers/users/dossiers_controller.rb index 5866911e6..900c43942 100644 --- a/app/controllers/users/dossiers_controller.rb +++ b/app/controllers/users/dossiers_controller.rb @@ -5,6 +5,8 @@ class Users::DossiersController < UsersController before_action :authenticate_user! before_action :check_siret, only: :create + before_action :authorized_routes?, only: [:show] + def index order = 'DESC' @@ -152,7 +154,6 @@ class Users::DossiersController < UsersController def error_procedure flash.alert = t('errors.messages.procedure_not_found') - redirect_to url_for users_dossiers_path end diff --git a/app/controllers/users/recapitulatif_controller.rb b/app/controllers/users/recapitulatif_controller.rb index 5163dea05..a71983a53 100644 --- a/app/controllers/users/recapitulatif_controller.rb +++ b/app/controllers/users/recapitulatif_controller.rb @@ -1,4 +1,6 @@ class Users::RecapitulatifController < UsersController + before_action :authorized_routes?, only: [:show] + def show create_dossier_facade end diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 0d2a1ca20..bffff2429 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -2,8 +2,26 @@ class UsersController < ApplicationController before_action :authenticate_user! def current_user_dossier dossier_id=nil - dossier_id ||= params[:dossier_id] + dossier_id ||= params[:dossier_id] || params[:id] current_user.dossiers.find(dossier_id) end + + def authorized_routes? + sub_path = "/users/dossiers/#{current_user_dossier.id}" + + redirect_to_root_path 'Le status de votre dossier n\'autorise pas cette URL' unless UserRoutesAuthorizationService.authorized_route?( + (request.env['PATH_INFO']).gsub(sub_path, ''), + current_user_dossier.state, + current_user_dossier.procedure.use_api_carto) + rescue ActiveRecord::RecordNotFound + redirect_to_root_path 'Vous n’avez pas accès à ce dossier.' + end + + private + + def redirect_to_root_path message + flash.alert = message + redirect_to url_for root_path + end end \ No newline at end of file diff --git a/app/models/procedure.rb b/app/models/procedure.rb index 8afb631fc..1e6cac78f 100644 --- a/app/models/procedure.rb +++ b/app/models/procedure.rb @@ -7,6 +7,8 @@ class Procedure < ActiveRecord::Base belongs_to :administrateur + delegate :use_api_carto, to: :module_api_carto + accepts_nested_attributes_for :types_de_champ,:reject_if => proc { |attributes| attributes['libelle'].blank? }, :allow_destroy => true accepts_nested_attributes_for :types_de_piece_justificative, :reject_if => proc { |attributes| attributes['libelle'].blank? }, :allow_destroy => true accepts_nested_attributes_for :module_api_carto diff --git a/app/services/user_routes_authorization_service.rb b/app/services/user_routes_authorization_service.rb new file mode 100644 index 000000000..9e6a98e7c --- /dev/null +++ b/app/services/user_routes_authorization_service.rb @@ -0,0 +1,48 @@ +class UserRoutesAuthorizationService + + def self.authorized_paths + { + root: '', + carte: '/carte', + description: '/description', + recapitulatif: '/recapitulatif' + } + end + + def self.authorized_states + Dossier.states + end + + def self.authorized_routes + { + root: { + authorized_states: [:draft], + api_carto: false + }, + carte: { + authorized_states: [:draft, :initiated, :replied, :updated], + api_carto: true + }, + description: { + authorized_states: [:draft, :initiated, :replied, :updated], + api_carto: false + }, + recapitulatif: { + authorized_states: [:initiated, :replied, :updated, :validated, :submitted, :closed], + api_carto: false + } + } + end + + def self.authorized_route? path, state, api_carto=false + return raise 'Not a valid path' unless authorized_paths.has_value? path + return raise 'Not a valid state' unless authorized_states.has_value? state + + path_key = authorized_paths.key(path) + + first = authorized_routes[path_key][:authorized_states].include? state.to_sym + seconde = authorized_routes[path_key][:api_carto] ? api_carto : true + + first && seconde + end +end \ No newline at end of file diff --git a/spec/controllers/users/carte_controller_spec.rb b/spec/controllers/users/carte_controller_spec.rb index cb8e1290c..c26a3b879 100644 --- a/spec/controllers/users/carte_controller_spec.rb +++ b/spec/controllers/users/carte_controller_spec.rb @@ -5,9 +5,9 @@ RSpec.describe Users::CarteController, type: :controller do let(:module_api_carto) { create(:module_api_carto, :with_api_carto) } let(:procedure) { create(:procedure, module_api_carto: module_api_carto) } - let(:dossier) { create(:dossier, procedure: procedure) } + let(:dossier) { create(:dossier, procedure: procedure) } - let(:dossier_with_no_carto) { create(:dossier, :with_procedure) } + let(:dossier_with_no_carto) { create(:dossier, :with_procedure) } let!(:entreprise) { create(:entreprise, dossier: dossier) } let!(:etablissement) { create(:etablissement, dossier: dossier) } let(:bad_dossier_id) { Dossier.count + 1000 } @@ -18,6 +18,32 @@ RSpec.describe Users::CarteController, type: :controller do end describe 'GET #show' do + + describe 'before_action authorized_routes?' do + context 'when dossier’s procedure have api carto actived' do + context 'when dossier does not have a valid state' do + before do + dossier.state = 'validated' + dossier.save + + get :show, dossier_id: dossier.id + end + + it { is_expected.to redirect_to root_path} + end + end + + context 'when dossier’s procedure does not have api carto actived' do + let(:dossier) { create(:dossier, :with_procedure) } + + before do + get :show, dossier_id: dossier.id + end + + it { is_expected.to redirect_to(root_path) } + end + end + context 'user is not connected' do before do sign_out dossier.user @@ -60,7 +86,7 @@ RSpec.describe Users::CarteController, type: :controller do end context 'En train de modifier la localisation' do - let(:dossier) { create(:dossier, :with_procedure, state: 'initiated') } + let(:dossier) { create(:dossier, :with_procedure, state: 'initiated') } before do post :save, dossier_id: dossier.id, json_latlngs: '' end @@ -99,7 +125,7 @@ RSpec.describe Users::CarteController, type: :controller do context 'when json_latlngs params is empty' do context 'when dossier have quartier prioritaire in database' do - let!(:dossier) { create(:dossier, :with_procedure, :with_two_quartier_prioritaires) } + let!(:dossier) { create(:dossier, :with_procedure, :with_two_quartier_prioritaires) } before do dossier.reload @@ -139,14 +165,14 @@ RSpec.describe Users::CarteController, type: :controller do before do allow_any_instance_of(CARTO::SGMAP::Cadastre::Adapter). to receive(:to_params). - and_return([{:surface_intersection=>"0.0006", :surface_parcelle=>11252.692583090324, :numero=>"0013", :feuille=>1, :section=>"CD", :code_dep=>"30", :nom_com=>"Le Grau-du-Roi", :code_com=>"133", :code_arr=>"000", :geometry=>{:type=>"MultiPolygon", :coordinates=>[[[[4.134084, 43.5209193], [4.1346615, 43.5212035], [4.1346984, 43.521189], [4.135096, 43.5213848], [4.1350839, 43.5214122], [4.1352697, 43.521505], [4.1356278, 43.5211065], [4.1357402, 43.5207188], [4.1350935, 43.5203936], [4.135002, 43.5204366], [4.1346051, 43.5202412], [4.134584, 43.5202472], [4.1345572, 43.5202551], [4.134356, 43.5203137], [4.1342488, 43.5203448], [4.134084, 43.5209193]]]]}}]) + and_return([{:surface_intersection => "0.0006", :surface_parcelle => 11252.692583090324, :numero => "0013", :feuille => 1, :section => "CD", :code_dep => "30", :nom_com => "Le Grau-du-Roi", :code_com => "133", :code_arr => "000", :geometry => {:type => "MultiPolygon", :coordinates => [[[[4.134084, 43.5209193], [4.1346615, 43.5212035], [4.1346984, 43.521189], [4.135096, 43.5213848], [4.1350839, 43.5214122], [4.1352697, 43.521505], [4.1356278, 43.5211065], [4.1357402, 43.5207188], [4.1350935, 43.5203936], [4.135002, 43.5204366], [4.1346051, 43.5202412], [4.134584, 43.5202472], [4.1345572, 43.5202551], [4.134356, 43.5203137], [4.1342488, 43.5203448], [4.134084, 43.5209193]]]]}}]) post :save, dossier_id: dossier.id, json_latlngs: json_latlngs end context 'when json_latlngs params is empty' do context 'when dossier have cadastres in database' do - let!(:dossier) { create(:dossier, :with_procedure, :with_two_cadastres) } + let!(:dossier) { create(:dossier, :with_procedure, :with_two_cadastres) } before do dossier.reload @@ -181,7 +207,7 @@ RSpec.describe Users::CarteController, type: :controller do it { expect(subject.nom_com).to eq('Le Grau-du-Roi') } it { expect(subject.code_com).to eq('133') } it { expect(subject.code_arr).to eq('000') } - it { expect(subject.geometry).to eq({"type"=>"MultiPolygon", "coordinates"=>[[[[4.134084, 43.5209193], [4.1346615, 43.5212035], [4.1346984, 43.521189], [4.135096, 43.5213848], [4.1350839, 43.5214122], [4.1352697, 43.521505], [4.1356278, 43.5211065], [4.1357402, 43.5207188], [4.1350935, 43.5203936], [4.135002, 43.5204366], [4.1346051, 43.5202412], [4.134584, 43.5202472], [4.1345572, 43.5202551], [4.134356, 43.5203137], [4.1342488, 43.5203448], [4.134084, 43.5209193]]]]}) } + it { expect(subject.geometry).to eq({"type" => "MultiPolygon", "coordinates" => [[[[4.134084, 43.5209193], [4.1346615, 43.5212035], [4.1346984, 43.521189], [4.135096, 43.5213848], [4.1350839, 43.5214122], [4.1352697, 43.521505], [4.1356278, 43.5211065], [4.1357402, 43.5207188], [4.1350935, 43.5203936], [4.135002, 43.5204366], [4.1346051, 43.5202412], [4.134584, 43.5202472], [4.1345572, 43.5202551], [4.134356, 43.5203137], [4.1342488, 43.5203448], [4.134084, 43.5209193]]]]}) } end end end @@ -190,7 +216,7 @@ RSpec.describe Users::CarteController, type: :controller do describe '#get_position' do context 'Geocodeur renvoie des positions nil' do let(:etablissement) { create(:etablissement, adresse: bad_adresse, numero_voie: 'dzj', type_voie: 'fzjfk', nom_voie: 'hdidjkz', complement_adresse: 'fjef', code_postal: 'fjeiefk', localite: 'zjfkfz') } - let(:dossier) { create(:dossier, :with_procedure, etablissement: etablissement) } + let(:dossier) { create(:dossier, :with_procedure, etablissement: etablissement) } before do stub_request(:get, /http:\/\/api-adresse[.]data[.]gouv[.]fr\/search[?]limit=1&q=/) .to_return(status: 200, body: '{"query": "babouba", "version": "draft", "licence": "ODbL 1.0", "features": [], "type": "FeatureCollection", "attribution": "BAN"}', headers: {}) diff --git a/spec/controllers/users/description_controller_spec.rb b/spec/controllers/users/description_controller_spec.rb index c3d074dac..cafeca6d3 100644 --- a/spec/controllers/users/description_controller_spec.rb +++ b/spec/controllers/users/description_controller_spec.rb @@ -33,6 +33,19 @@ describe Users::DescriptionController, type: :controller do end it_behaves_like "not owner of dossier", :show + + describe 'before_action authorized_routes?' do + context 'when dossier does not have a valid state' do + before do + dossier.state = 'validated' + dossier.save + + get :show, dossier_id: dossier.id + end + + it { is_expected.to redirect_to root_path } + end + end end describe 'POST #create' do diff --git a/spec/controllers/users/dossiers_controller_spec.rb b/spec/controllers/users/dossiers_controller_spec.rb index 7d8f4d230..605310df6 100644 --- a/spec/controllers/users/dossiers_controller_spec.rb +++ b/spec/controllers/users/dossiers_controller_spec.rb @@ -30,7 +30,20 @@ describe Users::DossiersController, type: :controller do it 'redirection vers liste dossier si mauvais dossier ID' do get :show, id: siret_not_found - expect(response).to redirect_to('/users/dossiers') + expect(response).to redirect_to root_path + end + + describe 'before_action authorized_routes?' do + context 'when dossier does not have a valid state' do + before do + dossier.state = 'validated' + dossier.save + + get :show, id: dossier.id + end + + it { is_expected.to redirect_to root_path } + end end end diff --git a/spec/controllers/users/recapitulatif_controller_spec.rb b/spec/controllers/users/recapitulatif_controller_spec.rb index 001c3ae7b..c2e4aee4d 100644 --- a/spec/controllers/users/recapitulatif_controller_spec.rb +++ b/spec/controllers/users/recapitulatif_controller_spec.rb @@ -1,7 +1,7 @@ require 'spec_helper' describe Users::RecapitulatifController, type: :controller do - let(:dossier) { create(:dossier, :with_procedure) } + let(:dossier) { create(:dossier, :with_procedure, state:'initiated') } let(:bad_dossier_id) { Dossier.count + 100000 } before do @@ -21,6 +21,19 @@ describe Users::RecapitulatifController, type: :controller do it_behaves_like "not owner of dossier", :show + describe 'before_action authorized_routes?' do + context 'when dossier have draft state' do + before do + dossier.state = 'draft' + dossier.save + + get :show, dossier_id: dossier.id + end + + it { is_expected.to redirect_to root_path } + end + end + end describe 'POST #initiate' do diff --git a/spec/features/users/drawing_a_zone_with_freedraw_spec.rb b/spec/features/users/drawing_a_zone_with_freedraw_spec.rb index 373788e1f..dc3c5f164 100644 --- a/spec/features/users/drawing_a_zone_with_freedraw_spec.rb +++ b/spec/features/users/drawing_a_zone_with_freedraw_spec.rb @@ -38,7 +38,7 @@ feature 'drawing a zone with freedraw' do end scenario 'alert message is present' do - expect(page).to have_content('Le dossier n\'a pas accès à la cartographie') + expect(page).to have_content('Le status de votre dossier n\'autorise pas cette URL') end end diff --git a/spec/services/user_routes_authorization_service_spec.rb b/spec/services/user_routes_authorization_service_spec.rb new file mode 100644 index 000000000..fe17fc96a --- /dev/null +++ b/spec/services/user_routes_authorization_service_spec.rb @@ -0,0 +1,223 @@ +require 'spec_helper' + +describe UserRoutesAuthorizationService do + + describe '#authorize_route?' do + let(:api_carto) { false } + + subject { described_class.authorized_route? path, state, api_carto } + + context 'when path is not recognized' do + let(:state) { 'blabla' } + let(:path) { 'blabla' } + + it { expect { subject }.to raise_error 'Not a valid path' } + end + + context 'when state is not recognized' do + let(:state) { 'blabla' } + let(:path) { '' } + + it { expect { subject }.to raise_error 'Not a valid state' } + end + + context 'when path and state are recognized' do + describe 'root' do + let(:path) { '' } + + describe 'draft' do + let(:state) { 'draft' } + it { is_expected.to be_truthy } + end + + describe 'initiated' do + let(:state) { 'initiated' } + it { is_expected.to be_falsey } + end + + describe 'replied' do + let(:state) { 'replied' } + it { is_expected.to be_falsey } + end + + describe 'updated' do + let(:state) { 'updated' } + it { is_expected.to be_falsey } + end + + describe 'validated' do + let(:state) { 'validated' } + it { is_expected.to be_falsey } + end + + describe 'submitted' do + let(:state) { 'submitted' } + it { is_expected.to be_falsey } + end + + describe 'closed' do + let(:state) { 'closed' } + it { is_expected.to be_falsey } + end + end + + describe 'carte' do + let(:path) { '/carte' } + context 'when use_api_carto is false' do + + describe 'draft' do + let(:state) { 'draft' } + it { is_expected.to be_falsey } + end + + describe 'initiated' do + let(:state) { 'initiated' } + it { is_expected.to be_falsey } + end + + describe 'replied' do + let(:state) { 'replied' } + it { is_expected.to be_falsey } + end + + describe 'updated' do + let(:state) { 'updated' } + it { is_expected.to be_falsey } + end + + describe 'validated' do + let(:state) { 'validated' } + it { is_expected.to be_falsey } + end + + describe 'submitted' do + let(:state) { 'submitted' } + it { is_expected.to be_falsey } + end + + describe 'closed' do + let(:state) { 'closed' } + it { is_expected.to be_falsey } + end + end + + context 'when use_api_carto is true' do + let(:api_carto) { true } + + describe 'draft' do + let(:state) { 'draft' } + it { is_expected.to be_truthy } + end + + describe 'initiated' do + let(:state) { 'initiated' } + it { is_expected.to be_truthy } + end + + describe 'replied' do + let(:state) { 'replied' } + it { is_expected.to be_truthy } + end + + describe 'updated' do + let(:state) { 'updated' } + it { is_expected.to be_truthy } + end + + describe 'validated' do + let(:state) { 'validated' } + it { is_expected.to be_falsey } + end + + describe 'submitted' do + let(:state) { 'submitted' } + it { is_expected.to be_falsey } + end + + describe 'closed' do + let(:state) { 'closed' } + it { is_expected.to be_falsey } + end + end + end + + describe 'description' do + let(:path) { '/description' } + + describe 'draft' do + let(:state) { 'draft' } + it { is_expected.to be_truthy } + end + + describe 'initiated' do + let(:state) { 'initiated' } + it { is_expected.to be_truthy } + end + + describe 'replied' do + let(:state) { 'replied' } + it { is_expected.to be_truthy } + end + + describe 'updated' do + let(:state) { 'updated' } + it { is_expected.to be_truthy } + end + + describe 'validated' do + let(:state) { 'validated' } + it { is_expected.to be_falsey } + end + + describe 'submitted' do + let(:state) { 'submitted' } + it { is_expected.to be_falsey } + end + + describe 'closed' do + let(:state) { 'closed' } + it { is_expected.to be_falsey } + end + end + + describe 'recapitulatif' do + let(:path) { '/recapitulatif' } + + describe 'draft' do + let(:state) { 'draft' } + it { is_expected.to be_falsey } + end + + describe 'initiated' do + let(:state) { 'initiated' } + it { is_expected.to be_truthy } + end + + describe 'replied' do + let(:state) { 'replied' } + it { is_expected.to be_truthy } + end + + describe 'updated' do + let(:state) { 'updated' } + it { is_expected.to be_truthy } + end + + describe 'validated' do + let(:state) { 'validated' } + it { is_expected.to be_truthy } + end + + describe 'submitted' do + let(:state) { 'submitted' } + it { is_expected.to be_truthy } + end + + describe 'closed' do + let(:state) { 'closed' } + it { is_expected.to be_truthy } + end + end + end + end +end \ No newline at end of file