Add restriction on User's URL based on Dossier state

This commit is contained in:
Xavier J 2016-01-25 15:54:21 +01:00
parent 0c2bbc482f
commit c1ea10bd82
13 changed files with 376 additions and 18 deletions

View file

@ -1,14 +1,11 @@
class Users::CarteController < UsersController
include DossierConcern
before_action :authorized_routes?, only: [:show]
def show
@dossier = current_user_dossier
unless @dossier.procedure.module_api_carto.use_api_carto
flash.alert = t('errors.messages.dossier_map_not_activated')
redirect_to url_for(root_path)
end
rescue ActiveRecord::RecordNotFound
flash.alert = t('errors.messages.dossier_not_found')
redirect_to url_for(root_path)

View file

@ -1,4 +1,6 @@
class Users::DescriptionController < UsersController
before_action :authorized_routes?, only: [:show]
def show
@dossier = current_user_dossier
@dossier = @dossier.decorate

View file

@ -5,6 +5,8 @@ class Users::DossiersController < UsersController
before_action :authenticate_user!
before_action :check_siret, only: :create
before_action :authorized_routes?, only: [:show]
def index
order = 'DESC'
@ -152,7 +154,6 @@ class Users::DossiersController < UsersController
def error_procedure
flash.alert = t('errors.messages.procedure_not_found')
redirect_to url_for users_dossiers_path
end

View file

@ -1,4 +1,6 @@
class Users::RecapitulatifController < UsersController
before_action :authorized_routes?, only: [:show]
def show
create_dossier_facade
end

View file

@ -2,8 +2,26 @@ class UsersController < ApplicationController
before_action :authenticate_user!
def current_user_dossier dossier_id=nil
dossier_id ||= params[:dossier_id]
dossier_id ||= params[:dossier_id] || params[:id]
current_user.dossiers.find(dossier_id)
end
def authorized_routes?
sub_path = "/users/dossiers/#{current_user_dossier.id}"
redirect_to_root_path 'Le status de votre dossier n\'autorise pas cette URL' unless UserRoutesAuthorizationService.authorized_route?(
(request.env['PATH_INFO']).gsub(sub_path, ''),
current_user_dossier.state,
current_user_dossier.procedure.use_api_carto)
rescue ActiveRecord::RecordNotFound
redirect_to_root_path 'Vous navez pas accès à ce dossier.'
end
private
def redirect_to_root_path message
flash.alert = message
redirect_to url_for root_path
end
end

View file

@ -7,6 +7,8 @@ class Procedure < ActiveRecord::Base
belongs_to :administrateur
delegate :use_api_carto, to: :module_api_carto
accepts_nested_attributes_for :types_de_champ,:reject_if => proc { |attributes| attributes['libelle'].blank? }, :allow_destroy => true
accepts_nested_attributes_for :types_de_piece_justificative, :reject_if => proc { |attributes| attributes['libelle'].blank? }, :allow_destroy => true
accepts_nested_attributes_for :module_api_carto

View file

@ -0,0 +1,48 @@
class UserRoutesAuthorizationService
def self.authorized_paths
{
root: '',
carte: '/carte',
description: '/description',
recapitulatif: '/recapitulatif'
}
end
def self.authorized_states
Dossier.states
end
def self.authorized_routes
{
root: {
authorized_states: [:draft],
api_carto: false
},
carte: {
authorized_states: [:draft, :initiated, :replied, :updated],
api_carto: true
},
description: {
authorized_states: [:draft, :initiated, :replied, :updated],
api_carto: false
},
recapitulatif: {
authorized_states: [:initiated, :replied, :updated, :validated, :submitted, :closed],
api_carto: false
}
}
end
def self.authorized_route? path, state, api_carto=false
return raise 'Not a valid path' unless authorized_paths.has_value? path
return raise 'Not a valid state' unless authorized_states.has_value? state
path_key = authorized_paths.key(path)
first = authorized_routes[path_key][:authorized_states].include? state.to_sym
seconde = authorized_routes[path_key][:api_carto] ? api_carto : true
first && seconde
end
end

View file

@ -18,6 +18,32 @@ RSpec.describe Users::CarteController, type: :controller do
end
describe 'GET #show' do
describe 'before_action authorized_routes?' do
context 'when dossiers procedure have api carto actived' do
context 'when dossier does not have a valid state' do
before do
dossier.state = 'validated'
dossier.save
get :show, dossier_id: dossier.id
end
it { is_expected.to redirect_to root_path}
end
end
context 'when dossiers procedure does not have api carto actived' do
let(:dossier) { create(:dossier, :with_procedure) }
before do
get :show, dossier_id: dossier.id
end
it { is_expected.to redirect_to(root_path) }
end
end
context 'user is not connected' do
before do
sign_out dossier.user
@ -139,7 +165,7 @@ RSpec.describe Users::CarteController, type: :controller do
before do
allow_any_instance_of(CARTO::SGMAP::Cadastre::Adapter).
to receive(:to_params).
and_return([{:surface_intersection=>"0.0006", :surface_parcelle=>11252.692583090324, :numero=>"0013", :feuille=>1, :section=>"CD", :code_dep=>"30", :nom_com=>"Le Grau-du-Roi", :code_com=>"133", :code_arr=>"000", :geometry=>{:type=>"MultiPolygon", :coordinates=>[[[[4.134084, 43.5209193], [4.1346615, 43.5212035], [4.1346984, 43.521189], [4.135096, 43.5213848], [4.1350839, 43.5214122], [4.1352697, 43.521505], [4.1356278, 43.5211065], [4.1357402, 43.5207188], [4.1350935, 43.5203936], [4.135002, 43.5204366], [4.1346051, 43.5202412], [4.134584, 43.5202472], [4.1345572, 43.5202551], [4.134356, 43.5203137], [4.1342488, 43.5203448], [4.134084, 43.5209193]]]]}}])
and_return([{:surface_intersection => "0.0006", :surface_parcelle => 11252.692583090324, :numero => "0013", :feuille => 1, :section => "CD", :code_dep => "30", :nom_com => "Le Grau-du-Roi", :code_com => "133", :code_arr => "000", :geometry => {:type => "MultiPolygon", :coordinates => [[[[4.134084, 43.5209193], [4.1346615, 43.5212035], [4.1346984, 43.521189], [4.135096, 43.5213848], [4.1350839, 43.5214122], [4.1352697, 43.521505], [4.1356278, 43.5211065], [4.1357402, 43.5207188], [4.1350935, 43.5203936], [4.135002, 43.5204366], [4.1346051, 43.5202412], [4.134584, 43.5202472], [4.1345572, 43.5202551], [4.134356, 43.5203137], [4.1342488, 43.5203448], [4.134084, 43.5209193]]]]}}])
post :save, dossier_id: dossier.id, json_latlngs: json_latlngs
end
@ -181,7 +207,7 @@ RSpec.describe Users::CarteController, type: :controller do
it { expect(subject.nom_com).to eq('Le Grau-du-Roi') }
it { expect(subject.code_com).to eq('133') }
it { expect(subject.code_arr).to eq('000') }
it { expect(subject.geometry).to eq({"type"=>"MultiPolygon", "coordinates"=>[[[[4.134084, 43.5209193], [4.1346615, 43.5212035], [4.1346984, 43.521189], [4.135096, 43.5213848], [4.1350839, 43.5214122], [4.1352697, 43.521505], [4.1356278, 43.5211065], [4.1357402, 43.5207188], [4.1350935, 43.5203936], [4.135002, 43.5204366], [4.1346051, 43.5202412], [4.134584, 43.5202472], [4.1345572, 43.5202551], [4.134356, 43.5203137], [4.1342488, 43.5203448], [4.134084, 43.5209193]]]]}) }
it { expect(subject.geometry).to eq({"type" => "MultiPolygon", "coordinates" => [[[[4.134084, 43.5209193], [4.1346615, 43.5212035], [4.1346984, 43.521189], [4.135096, 43.5213848], [4.1350839, 43.5214122], [4.1352697, 43.521505], [4.1356278, 43.5211065], [4.1357402, 43.5207188], [4.1350935, 43.5203936], [4.135002, 43.5204366], [4.1346051, 43.5202412], [4.134584, 43.5202472], [4.1345572, 43.5202551], [4.134356, 43.5203137], [4.1342488, 43.5203448], [4.134084, 43.5209193]]]]}) }
end
end
end

View file

@ -33,6 +33,19 @@ describe Users::DescriptionController, type: :controller do
end
it_behaves_like "not owner of dossier", :show
describe 'before_action authorized_routes?' do
context 'when dossier does not have a valid state' do
before do
dossier.state = 'validated'
dossier.save
get :show, dossier_id: dossier.id
end
it { is_expected.to redirect_to root_path }
end
end
end
describe 'POST #create' do

View file

@ -30,7 +30,20 @@ describe Users::DossiersController, type: :controller do
it 'redirection vers liste dossier si mauvais dossier ID' do
get :show, id: siret_not_found
expect(response).to redirect_to('/users/dossiers')
expect(response).to redirect_to root_path
end
describe 'before_action authorized_routes?' do
context 'when dossier does not have a valid state' do
before do
dossier.state = 'validated'
dossier.save
get :show, id: dossier.id
end
it { is_expected.to redirect_to root_path }
end
end
end

View file

@ -1,7 +1,7 @@
require 'spec_helper'
describe Users::RecapitulatifController, type: :controller do
let(:dossier) { create(:dossier, :with_procedure) }
let(:dossier) { create(:dossier, :with_procedure, state:'initiated') }
let(:bad_dossier_id) { Dossier.count + 100000 }
before do
@ -21,6 +21,19 @@ describe Users::RecapitulatifController, type: :controller do
it_behaves_like "not owner of dossier", :show
describe 'before_action authorized_routes?' do
context 'when dossier have draft state' do
before do
dossier.state = 'draft'
dossier.save
get :show, dossier_id: dossier.id
end
it { is_expected.to redirect_to root_path }
end
end
end
describe 'POST #initiate' do

View file

@ -38,7 +38,7 @@ feature 'drawing a zone with freedraw' do
end
scenario 'alert message is present' do
expect(page).to have_content('Le dossier n\'a pas accès à la cartographie')
expect(page).to have_content('Le status de votre dossier n\'autorise pas cette URL')
end
end

View file

@ -0,0 +1,223 @@
require 'spec_helper'
describe UserRoutesAuthorizationService do
describe '#authorize_route?' do
let(:api_carto) { false }
subject { described_class.authorized_route? path, state, api_carto }
context 'when path is not recognized' do
let(:state) { 'blabla' }
let(:path) { 'blabla' }
it { expect { subject }.to raise_error 'Not a valid path' }
end
context 'when state is not recognized' do
let(:state) { 'blabla' }
let(:path) { '' }
it { expect { subject }.to raise_error 'Not a valid state' }
end
context 'when path and state are recognized' do
describe 'root' do
let(:path) { '' }
describe 'draft' do
let(:state) { 'draft' }
it { is_expected.to be_truthy }
end
describe 'initiated' do
let(:state) { 'initiated' }
it { is_expected.to be_falsey }
end
describe 'replied' do
let(:state) { 'replied' }
it { is_expected.to be_falsey }
end
describe 'updated' do
let(:state) { 'updated' }
it { is_expected.to be_falsey }
end
describe 'validated' do
let(:state) { 'validated' }
it { is_expected.to be_falsey }
end
describe 'submitted' do
let(:state) { 'submitted' }
it { is_expected.to be_falsey }
end
describe 'closed' do
let(:state) { 'closed' }
it { is_expected.to be_falsey }
end
end
describe 'carte' do
let(:path) { '/carte' }
context 'when use_api_carto is false' do
describe 'draft' do
let(:state) { 'draft' }
it { is_expected.to be_falsey }
end
describe 'initiated' do
let(:state) { 'initiated' }
it { is_expected.to be_falsey }
end
describe 'replied' do
let(:state) { 'replied' }
it { is_expected.to be_falsey }
end
describe 'updated' do
let(:state) { 'updated' }
it { is_expected.to be_falsey }
end
describe 'validated' do
let(:state) { 'validated' }
it { is_expected.to be_falsey }
end
describe 'submitted' do
let(:state) { 'submitted' }
it { is_expected.to be_falsey }
end
describe 'closed' do
let(:state) { 'closed' }
it { is_expected.to be_falsey }
end
end
context 'when use_api_carto is true' do
let(:api_carto) { true }
describe 'draft' do
let(:state) { 'draft' }
it { is_expected.to be_truthy }
end
describe 'initiated' do
let(:state) { 'initiated' }
it { is_expected.to be_truthy }
end
describe 'replied' do
let(:state) { 'replied' }
it { is_expected.to be_truthy }
end
describe 'updated' do
let(:state) { 'updated' }
it { is_expected.to be_truthy }
end
describe 'validated' do
let(:state) { 'validated' }
it { is_expected.to be_falsey }
end
describe 'submitted' do
let(:state) { 'submitted' }
it { is_expected.to be_falsey }
end
describe 'closed' do
let(:state) { 'closed' }
it { is_expected.to be_falsey }
end
end
end
describe 'description' do
let(:path) { '/description' }
describe 'draft' do
let(:state) { 'draft' }
it { is_expected.to be_truthy }
end
describe 'initiated' do
let(:state) { 'initiated' }
it { is_expected.to be_truthy }
end
describe 'replied' do
let(:state) { 'replied' }
it { is_expected.to be_truthy }
end
describe 'updated' do
let(:state) { 'updated' }
it { is_expected.to be_truthy }
end
describe 'validated' do
let(:state) { 'validated' }
it { is_expected.to be_falsey }
end
describe 'submitted' do
let(:state) { 'submitted' }
it { is_expected.to be_falsey }
end
describe 'closed' do
let(:state) { 'closed' }
it { is_expected.to be_falsey }
end
end
describe 'recapitulatif' do
let(:path) { '/recapitulatif' }
describe 'draft' do
let(:state) { 'draft' }
it { is_expected.to be_falsey }
end
describe 'initiated' do
let(:state) { 'initiated' }
it { is_expected.to be_truthy }
end
describe 'replied' do
let(:state) { 'replied' }
it { is_expected.to be_truthy }
end
describe 'updated' do
let(:state) { 'updated' }
it { is_expected.to be_truthy }
end
describe 'validated' do
let(:state) { 'validated' }
it { is_expected.to be_truthy }
end
describe 'submitted' do
let(:state) { 'submitted' }
it { is_expected.to be_truthy }
end
describe 'closed' do
let(:state) { 'closed' }
it { is_expected.to be_truthy }
end
end
end
end
end