DGNum/demarches-normaliennes
13
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

Add restriction on User's URL based on Dossier state

Browse source
This commit is contained in:
Xavier J 2016-01-25 15:54:21 +01:00
parent 0c2bbc482f
commit c1ea10bd82
13 changed files with 376 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
app/controllers/users/carte_controller.rb
View file

@ -1,14 +1,11 @@
class Users::CarteController < UsersController class Users::CarteController < UsersController
include DossierConcern include DossierConcern
before_action :authorized_routes?, only: [:show]
def show def show
@dossier = current_user_dossier @dossier = current_user_dossier
unless @dossier.procedure.module_api_carto.use_api_carto
flash.alert = t('errors.messages.dossier_map_not_activated')
redirect_to url_for(root_path)
end
rescue ActiveRecord::RecordNotFound rescue ActiveRecord::RecordNotFound
flash.alert = t('errors.messages.dossier_not_found') flash.alert = t('errors.messages.dossier_not_found')
redirect_to url_for(root_path) redirect_to url_for(root_path)

2
app/controllers/users/description_controller.rb
View file

@ -1,4 +1,6 @@
class Users::DescriptionController < UsersController class Users::DescriptionController < UsersController
before_action :authorized_routes?, only: [:show]
def show def show
@dossier = current_user_dossier @dossier = current_user_dossier
@dossier = @dossier.decorate @dossier = @dossier.decorate

3
app/controllers/users/dossiers_controller.rb
View file

@ -5,6 +5,8 @@ class Users::DossiersController < UsersController
before_action :authenticate_user! before_action :authenticate_user!
before_action :check_siret, only: :create before_action :check_siret, only: :create
before_action :authorized_routes?, only: [:show]
def index def index
order = 'DESC' order = 'DESC'
@ -152,7 +154,6 @@ class Users::DossiersController < UsersController
def error_procedure def error_procedure
flash.alert = t('errors.messages.procedure_not_found') flash.alert = t('errors.messages.procedure_not_found')
redirect_to url_for users_dossiers_path redirect_to url_for users_dossiers_path
end end

2
app/controllers/users/recapitulatif_controller.rb
View file

@ -1,4 +1,6 @@
class Users::RecapitulatifController < UsersController class Users::RecapitulatifController < UsersController
before_action :authorized_routes?, only: [:show]
def show def show
create_dossier_facade create_dossier_facade
end end

20
app/controllers/users_controller.rb
View file

@ -2,8 +2,26 @@ class UsersController < ApplicationController
before_action :authenticate_user! before_action :authenticate_user!
def current_user_dossier dossier_id=nil def current_user_dossier dossier_id=nil
dossier_id ||= params[:dossier_id] dossier_id ||= params[:dossier_id] || params[:id]
current_user.dossiers.find(dossier_id) current_user.dossiers.find(dossier_id)
end end
def authorized_routes?
sub_path = "/users/dossiers/#{current_user_dossier.id}"
redirect_to_root_path 'Le status de votre dossier n\'autorise pas cette URL' unless UserRoutesAuthorizationService.authorized_route?(
(request.env['PATH_INFO']).gsub(sub_path, ''),
current_user_dossier.state,
current_user_dossier.procedure.use_api_carto)
rescue ActiveRecord::RecordNotFound
redirect_to_root_path 'Vous navez pas accès à ce dossier.'
end
private
def redirect_to_root_path message
flash.alert = message
redirect_to url_for root_path
end
end end

2
app/models/procedure.rb
View file

@ -7,6 +7,8 @@ class Procedure < ActiveRecord::Base
belongs_to :administrateur belongs_to :administrateur
delegate :use_api_carto, to: :module_api_carto
accepts_nested_attributes_for :types_de_champ,:reject_if => proc { |attributes| attributes['libelle'].blank? }, :allow_destroy => true accepts_nested_attributes_for :types_de_champ,:reject_if => proc { |attributes| attributes['libelle'].blank? }, :allow_destroy => true
accepts_nested_attributes_for :types_de_piece_justificative, :reject_if => proc { |attributes| attributes['libelle'].blank? }, :allow_destroy => true accepts_nested_attributes_for :types_de_piece_justificative, :reject_if => proc { |attributes| attributes['libelle'].blank? }, :allow_destroy => true
accepts_nested_attributes_for :module_api_carto accepts_nested_attributes_for :module_api_carto

48
app/services/user_routes_authorization_service.rb Normal file
View file

@ -0,0 +1,48 @@
class UserRoutesAuthorizationService
def self.authorized_paths
{
root: '',
carte: '/carte',
description: '/description',
recapitulatif: '/recapitulatif'
}
end
def self.authorized_states
Dossier.states
end
def self.authorized_routes
{
root: {
authorized_states: [:draft],
api_carto: false
},
carte: {
authorized_states: [:draft, :initiated, :replied, :updated],
api_carto: true
},
description: {
authorized_states: [:draft, :initiated, :replied, :updated],
api_carto: false
},
recapitulatif: {
authorized_states: [:initiated, :replied, :updated, :validated, :submitted, :closed],
api_carto: false
}
}
end
def self.authorized_route? path, state, api_carto=false
return raise 'Not a valid path' unless authorized_paths.has_value? path
return raise 'Not a valid state' unless authorized_states.has_value? state
path_key = authorized_paths.key(path)
first = authorized_routes[path_key][:authorized_states].include? state.to_sym
seconde = authorized_routes[path_key][:api_carto] ? api_carto : true
first && seconde
end
end

26
spec/controllers/users/carte_controller_spec.rb
View file

@ -18,6 +18,32 @@ RSpec.describe Users::CarteController, type: :controller do
end end
describe 'GET #show' do describe 'GET #show' do
describe 'before_action authorized_routes?' do
context 'when dossiers procedure have api carto actived' do
context 'when dossier does not have a valid state' do
before do
dossier.state = 'validated'
dossier.save
get :show, dossier_id: dossier.id
end
it { is_expected.to redirect_to root_path}
end
end
context 'when dossiers procedure does not have api carto actived' do
let(:dossier) { create(:dossier, :with_procedure) }
before do
get :show, dossier_id: dossier.id
end
it { is_expected.to redirect_to(root_path) }
end
end
context 'user is not connected' do context 'user is not connected' do
before do before do
sign_out dossier.user sign_out dossier.user

13
spec/controllers/users/description_controller_spec.rb
View file

@ -33,6 +33,19 @@ describe Users::DescriptionController, type: :controller do
end end
it_behaves_like "not owner of dossier", :show it_behaves_like "not owner of dossier", :show
describe 'before_action authorized_routes?' do
context 'when dossier does not have a valid state' do
before do
dossier.state = 'validated'
dossier.save
get :show, dossier_id: dossier.id
end
it { is_expected.to redirect_to root_path }
end
end
end end
describe 'POST #create' do describe 'POST #create' do

15
spec/controllers/users/dossiers_controller_spec.rb
View file

@ -30,7 +30,20 @@ describe Users::DossiersController, type: :controller do
it 'redirection vers liste dossier si mauvais dossier ID' do it 'redirection vers liste dossier si mauvais dossier ID' do
get :show, id: siret_not_found get :show, id: siret_not_found
expect(response).to redirect_to('/users/dossiers') expect(response).to redirect_to root_path
end
describe 'before_action authorized_routes?' do
context 'when dossier does not have a valid state' do
before do
dossier.state = 'validated'
dossier.save
get :show, id: dossier.id
end
it { is_expected.to redirect_to root_path }
end
end end
end end

15
spec/controllers/users/recapitulatif_controller_spec.rb
View file

@ -1,7 +1,7 @@
require 'spec_helper' require 'spec_helper'
describe Users::RecapitulatifController, type: :controller do describe Users::RecapitulatifController, type: :controller do
let(:dossier) { create(:dossier, :with_procedure) } let(:dossier) { create(:dossier, :with_procedure, state:'initiated') }
let(:bad_dossier_id) { Dossier.count + 100000 } let(:bad_dossier_id) { Dossier.count + 100000 }
before do before do
@ -21,6 +21,19 @@ describe Users::RecapitulatifController, type: :controller do
it_behaves_like "not owner of dossier", :show it_behaves_like "not owner of dossier", :show
describe 'before_action authorized_routes?' do
context 'when dossier have draft state' do
before do
dossier.state = 'draft'
dossier.save
get :show, dossier_id: dossier.id
end
it { is_expected.to redirect_to root_path }
end
end
end end
describe 'POST #initiate' do describe 'POST #initiate' do

2
spec/features/users/drawing_a_zone_with_freedraw_spec.rb
View file

@ -38,7 +38,7 @@ feature 'drawing a zone with freedraw' do
end end
scenario 'alert message is present' do scenario 'alert message is present' do
expect(page).to have_content('Le dossier n\'a pas accès à la cartographie') expect(page).to have_content('Le status de votre dossier n\'autorise pas cette URL')
end end
end end

223
spec/services/user_routes_authorization_service_spec.rb Normal file
View file

@ -0,0 +1,223 @@
require 'spec_helper'
describe UserRoutesAuthorizationService do
describe '#authorize_route?' do
let(:api_carto) { false }
subject { described_class.authorized_route? path, state, api_carto }
context 'when path is not recognized' do
let(:state) { 'blabla' }
let(:path) { 'blabla' }
it { expect { subject }.to raise_error 'Not a valid path' }
end
context 'when state is not recognized' do
let(:state) { 'blabla' }
let(:path) { '' }
it { expect { subject }.to raise_error 'Not a valid state' }
end
context 'when path and state are recognized' do
describe 'root' do
let(:path) { '' }
describe 'draft' do
let(:state) { 'draft' }
it { is_expected.to be_truthy }
end
describe 'initiated' do
let(:state) { 'initiated' }
it { is_expected.to be_falsey }
end
describe 'replied' do
let(:state) { 'replied' }
it { is_expected.to be_falsey }
end
describe 'updated' do
let(:state) { 'updated' }
it { is_expected.to be_falsey }
end
describe 'validated' do
let(:state) { 'validated' }
it { is_expected.to be_falsey }
end
describe 'submitted' do
let(:state) { 'submitted' }
it { is_expected.to be_falsey }
end
describe 'closed' do
let(:state) { 'closed' }
it { is_expected.to be_falsey }
end
end
describe 'carte' do
let(:path) { '/carte' }
context 'when use_api_carto is false' do
describe 'draft' do
let(:state) { 'draft' }
it { is_expected.to be_falsey }
end
describe 'initiated' do
let(:state) { 'initiated' }
it { is_expected.to be_falsey }
end
describe 'replied' do
let(:state) { 'replied' }
it { is_expected.to be_falsey }
end
describe 'updated' do
let(:state) { 'updated' }
it { is_expected.to be_falsey }
end
describe 'validated' do
let(:state) { 'validated' }
it { is_expected.to be_falsey }
end
describe 'submitted' do
let(:state) { 'submitted' }
it { is_expected.to be_falsey }
end
describe 'closed' do
let(:state) { 'closed' }
it { is_expected.to be_falsey }
end
end
context 'when use_api_carto is true' do
let(:api_carto) { true }
describe 'draft' do
let(:state) { 'draft' }
it { is_expected.to be_truthy }
end
describe 'initiated' do
let(:state) { 'initiated' }
it { is_expected.to be_truthy }
end
describe 'replied' do
let(:state) { 'replied' }
it { is_expected.to be_truthy }
end
describe 'updated' do
let(:state) { 'updated' }
it { is_expected.to be_truthy }
end
describe 'validated' do
let(:state) { 'validated' }
it { is_expected.to be_falsey }
end
describe 'submitted' do
let(:state) { 'submitted' }
it { is_expected.to be_falsey }
end
describe 'closed' do
let(:state) { 'closed' }
it { is_expected.to be_falsey }
end
end
end
describe 'description' do
let(:path) { '/description' }
describe 'draft' do
let(:state) { 'draft' }
it { is_expected.to be_truthy }
end
describe 'initiated' do
let(:state) { 'initiated' }
it { is_expected.to be_truthy }
end
describe 'replied' do
let(:state) { 'replied' }
it { is_expected.to be_truthy }
end
describe 'updated' do
let(:state) { 'updated' }
it { is_expected.to be_truthy }
end
describe 'validated' do
let(:state) { 'validated' }
it { is_expected.to be_falsey }
end
describe 'submitted' do
let(:state) { 'submitted' }
it { is_expected.to be_falsey }
end
describe 'closed' do
let(:state) { 'closed' }
it { is_expected.to be_falsey }
end
end
describe 'recapitulatif' do
let(:path) { '/recapitulatif' }
describe 'draft' do
let(:state) { 'draft' }
it { is_expected.to be_falsey }
end
describe 'initiated' do
let(:state) { 'initiated' }
it { is_expected.to be_truthy }
end
describe 'replied' do
let(:state) { 'replied' }
it { is_expected.to be_truthy }
end
describe 'updated' do
let(:state) { 'updated' }
it { is_expected.to be_truthy }
end
describe 'validated' do
let(:state) { 'validated' }
it { is_expected.to be_truthy }
end
describe 'submitted' do
let(:state) { 'submitted' }
it { is_expected.to be_truthy }
end
describe 'closed' do
let(:state) { 'closed' }
it { is_expected.to be_truthy }
end
end
end
end
end