Merge pull request #572 from sgmap/fix_anybody_can_post_a_comment_on_a_dossier

Restrict comment creation to Users/Gestionnaires allowed on dossier
This commit is contained in:
Mathieu Magnin 2017-07-11 11:30:35 +02:00 committed by GitHub
commit c2459da05b
3 changed files with 135 additions and 91 deletions


@ -13,14 +13,16 @@ class CommentairesController < ApplicationController
def create def create
@commentaire = Commentaire.new @commentaire = Commentaire.new
@commentaire.dossier = Dossier.find(params['dossier_id'])
@commentaire.champ = @commentaire.dossier.champs.find(params[:champ_id]) if params[:champ_id] @commentaire.champ = @commentaire.dossier.champs.find(params[:champ_id]) if params[:champ_id]
dossier_id = params['dossier_id']
if is_gestionnaire? if is_gestionnaire?
@commentaire.email = current_gestionnaire.email @commentaire.email = current_gestionnaire.email
@commentaire.dossier = current_gestionnaire.dossiers.find_by(id: dossier_id) || current_gestionnaire.avis.find_by!(dossier_id: dossier_id).dossier
@commentaire.dossier.next_step! 'gestionnaire', 'comment' @commentaire.dossier.next_step! 'gestionnaire', 'comment'
else else
@commentaire.email = current_user.email @commentaire.email = current_user.email
@commentaire.dossier = current_user.dossiers.find_by(id: dossier_id) || current_user.invites.find_by!(dossier_id: dossier_id).dossier
@commentaire.dossier.next_step! 'user', 'comment' if current_user.email == @commentaire.dossier.user.email @commentaire.dossier.next_step! 'user', 'comment' if current_user.email == @commentaire.dossier.user.email
end end
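Review bot: On the new side, `@commentaire.champ = @commentaire.dossier.champs.find(params[:champ_id]) if params[:champ_id]` still executes before either branch assigns `@commentaire.dossier`, so if the single-printed `Dossier.find(params['dossier_id'])` line is the removed one (the per-branch assignments suggest it is), any request carrying `champ_id` now raises NoMethodError on nil instead of scoping the champ lookup to the authorised dossier. Move that line below the `end` of the `if is_gestionnaire?` block so the champ is resolved from the dossier the current user or gestionnaire was actually allowed to reach; the `find_by!` RecordNotFound then also covers the champ path and gets Rails' default 404 handling rather than a 500. A spec that posts with an unauthorised `dossier_id` plus a `champ_id` would pin this down. `create` continues past the hunk.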


@ -1,7 +1,7 @@
require 'spec_helper' require 'spec_helper'
describe Backoffice::CommentairesController, type: :controller do describe Backoffice::CommentairesController, type: :controller do
let(:dossier) { create(:dossier) } let(:dossier) { create(:dossier, :replied) }
let(:dossier_id) { dossier.id } let(:dossier_id) { dossier.id }
let(:email_commentaire) { 'test@test.com' } let(:email_commentaire) { 'test@test.com' }
let(:texte_commentaire) { 'Commentaire de test' } let(:texte_commentaire) { 'Commentaire de test' }
@ -16,6 +16,25 @@ describe Backoffice::CommentairesController, type: :controller do
sign_in gestionnaire sign_in gestionnaire
end end
context "when gestionnaire has no access to dossier" do
subject { post :create, params: { dossier_id: dossier_id, texte_commentaire: texte_commentaire } }
it { expect { subject }.to raise_error(ActiveRecord::RecordNotFound) }
it { expect { subject rescue nil }.to change(Commentaire, :count).by(0) }
end
context "when gestionnaire is invited for avis on dossier" do
subject { post :create, params: { dossier_id: dossier_id, texte_commentaire: texte_commentaire } }
before { Avis.create(dossier: dossier, gestionnaire: gestionnaire, claimant: create(:gestionnaire)) }
it { expect{ subject }.to change(Commentaire, :count).by(1) }
end
context "when gestionnaire has access to dossier" do
before do
gestionnaire.procedures << dossier.procedure
end
context "création correct d'un commentaire" do context "création correct d'un commentaire" do
subject { post :create, params: {dossier_id: dossier_id, email_commentaire: email_commentaire, texte_commentaire: texte_commentaire} } subject { post :create, params: {dossier_id: dossier_id, email_commentaire: email_commentaire, texte_commentaire: texte_commentaire} }
@ -58,8 +77,8 @@ describe Backoffice::CommentairesController, type: :controller do
subject subject
end end
it 'Internal notification is not create' do it 'Internal notification is created' do
expect { subject }.to change(Notification, :count).by (0) expect { subject }.to change(Notification, :count).by (1)
end end
describe 'piece justificative created' do describe 'piece justificative created' do
@ -96,7 +115,7 @@ describe Backoffice::CommentairesController, type: :controller do
context 'gestionnaire is connected' do context 'gestionnaire is connected' do
context 'when dossier is at state updated' do context 'when dossier is at state updated' do
before do before do
sign_in create(:gestionnaire) sign_in gestionnaire
dossier.updated! dossier.updated!
post :create, params: {dossier_id: dossier_id, texte_commentaire: texte_commentaire} post :create, params: {dossier_id: dossier_id, texte_commentaire: texte_commentaire}
@ -130,3 +149,4 @@ describe Backoffice::CommentairesController, type: :controller do
end end
end end
end end
end
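Review bot: In the "when gestionnaire has no access to dossier" context, `it { expect { subject rescue nil }.to change(Commentaire, :count).by(0) }` swallows every StandardError, so the example also passes if `create` blows up for an unrelated reason (a NoMethodError, say) before it ever reaches the save, which is not the authorisation guarantee the test is meant to pin. Wrap `subject` in a `begin`/`rescue ActiveRecord::RecordNotFound`/`end` block inside the `expect` so only the expected rejection is tolerated, or fold the count check into the preceding `raise_error` example. The same `subject rescue nil` pattern appears in the Users::CommentairesController spec's "when user has no access to dossier" context. The `context "when gestionnaire has access to dossier"` block opened at the end of this hunk closes outside it.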


@ -11,6 +11,28 @@ describe Users::CommentairesController, type: :controller do
end end
describe '#POST create' do describe '#POST create' do
context "when user has no access to dossier" do
before do
sign_in create(:user)
end
subject { post :create, params: { dossier_id: dossier_id, texte_commentaire: texte_commentaire } }
it { expect { subject }.to raise_error(ActiveRecord::RecordNotFound) }
it { expect { subject rescue nil }.to change(Commentaire, :count).by(0) }
end
context "when user is invited on dossier" do
let(:user) { create(:user) }
subject { post :create, params: { dossier_id: dossier_id, texte_commentaire: texte_commentaire } }
before do
sign_in user
InviteUser.create(dossier: dossier, user: user, email: user.email, email_sender: "test@test.com")
end
it { expect{ subject }.to change(Commentaire, :count).by(1) }
end
context 'création correct d\'un commentaire' do context 'création correct d\'un commentaire' do
subject do subject do
sign_in dossier.user sign_in dossier.user