Add restriction on User's URL based on Dossier state

2016-01-25 15:54:21 +01:00 · 2016-01-25 15:54:21 +01:00 · c1ea10bd82
commit c1ea10bd82
parent 0c2bbc482f
13 changed files with 376 additions and 18 deletions
--- a/app/controllers/users/carte_controller.rb
+++ b/app/controllers/users/carte_controller.rb
@ -1,14 +1,11 @@
 class Users::CarteController < UsersController
  include DossierConcern

+  before_action :authorized_routes?, only: [:show]
+
  def show
    @dossier = current_user_dossier

-    unless @dossier.procedure.module_api_carto.use_api_carto
-      flash.alert = t('errors.messages.dossier_map_not_activated')
-      redirect_to url_for(root_path)
-    end
-
  rescue ActiveRecord::RecordNotFound
    flash.alert = t('errors.messages.dossier_not_found')
    redirect_to url_for(root_path)
--- a/app/controllers/users/description_controller.rb
+++ b/app/controllers/users/description_controller.rb
@ -1,4 +1,6 @@
 class Users::DescriptionController < UsersController
+  before_action :authorized_routes?, only: [:show]
+
  def show
    @dossier = current_user_dossier
    @dossier = @dossier.decorate
--- a/app/controllers/users/dossiers_controller.rb
+++ b/app/controllers/users/dossiers_controller.rb
@ -5,6 +5,8 @@ class Users::DossiersController < UsersController
  before_action :authenticate_user!
  before_action :check_siret, only: :create

+  before_action :authorized_routes?, only: [:show]
+
  def index
    order = 'DESC'

@ -152,7 +154,6 @@ class Users::DossiersController < UsersController

  def error_procedure
    flash.alert = t('errors.messages.procedure_not_found')
-
    redirect_to url_for users_dossiers_path
  end

--- a/app/controllers/users/recapitulatif_controller.rb
+++ b/app/controllers/users/recapitulatif_controller.rb
@ -1,4 +1,6 @@
 class Users::RecapitulatifController < UsersController
+  before_action :authorized_routes?, only: [:show]
+
  def show
    create_dossier_facade
  end
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -2,8 +2,26 @@ class UsersController < ApplicationController
  before_action :authenticate_user!

  def current_user_dossier dossier_id=nil
-    dossier_id ||= params[:dossier_id]
+    dossier_id ||= params[:dossier_id] || params[:id]

    current_user.dossiers.find(dossier_id)
  end
+
+  def authorized_routes?
+    sub_path = "/users/dossiers/#{current_user_dossier.id}"
+
+    redirect_to_root_path 'Le status de votre dossier n\'autorise pas cette URL' unless UserRoutesAuthorizationService.authorized_route?(
+        (request.env['PATH_INFO']).gsub(sub_path, ''),
+        current_user_dossier.state,
+        current_user_dossier.procedure.use_api_carto)
+  rescue ActiveRecord::RecordNotFound
+    redirect_to_root_path 'Vous n’avez pas accès à ce dossier.'
+  end
+
+  private
+
+  def redirect_to_root_path message
+    flash.alert = message
+    redirect_to url_for root_path
+  end
 end
--- a/app/models/procedure.rb
+++ b/app/models/procedure.rb
@ -7,6 +7,8 @@ class Procedure < ActiveRecord::Base

  belongs_to :administrateur

+  delegate :use_api_carto, to: :module_api_carto
+
  accepts_nested_attributes_for :types_de_champ,:reject_if => proc { |attributes| attributes['libelle'].blank? }, :allow_destroy => true
  accepts_nested_attributes_for :types_de_piece_justificative, :reject_if => proc { |attributes| attributes['libelle'].blank? }, :allow_destroy => true
  accepts_nested_attributes_for :module_api_carto
--- a/app/services/user_routes_authorization_service.rb
+++ b/app/services/user_routes_authorization_service.rb
@ -0,0 +1,48 @@
+class UserRoutesAuthorizationService
+
+  def self.authorized_paths
+    {
+        root: '',
+        carte: '/carte',
+        description: '/description',
+        recapitulatif: '/recapitulatif'
+    }
+  end
+
+  def self.authorized_states
+    Dossier.states
+  end
+
+  def self.authorized_routes
+    {
+        root: {
+            authorized_states: [:draft],
+            api_carto: false
+        },
+        carte: {
+            authorized_states: [:draft, :initiated, :replied, :updated],
+            api_carto: true
+        },
+        description: {
+            authorized_states: [:draft, :initiated, :replied, :updated],
+            api_carto: false
+        },
+        recapitulatif: {
+            authorized_states: [:initiated, :replied, :updated, :validated, :submitted, :closed],
+            api_carto: false
+        }
+    }
+  end
+
+  def self.authorized_route? path, state, api_carto=false
+    return raise 'Not a valid path' unless authorized_paths.has_value? path
+    return raise 'Not a valid state' unless authorized_states.has_value? state
+
+    path_key = authorized_paths.key(path)
+
+    first = authorized_routes[path_key][:authorized_states].include? state.to_sym
+    seconde = authorized_routes[path_key][:api_carto] ? api_carto : true
+
+    first && seconde
+  end
+end