Merge pull request #572 from sgmap/fix_anybody_can_post_a_comment_on_a_dossier

Restrict comment creation to Users/Gestionnaires allowed on dossier
Mathieu Magnin 2017-07-11 11:30:35 +02:00 committed by GitHub
commit c2459da05b
3 changed files with 135 additions and 91 deletions


@ -13,14 +13,16 @@ class CommentairesController < ApplicationController
def create
@commentaire = Commentaire.new
@commentaire.dossier = Dossier.find(params['dossier_id'])
@commentaire.champ = @commentaire.dossier.champs.find(params[:champ_id]) if params[:champ_id]
dossier_id = params['dossier_id']
if is_gestionnaire?
@commentaire.email = current_gestionnaire.email
@commentaire.dossier = current_gestionnaire.dossiers.find_by(id: dossier_id) || current_gestionnaire.avis.find_by!(dossier_id: dossier_id).dossier
@commentaire.dossier.next_step! 'gestionnaire', 'comment'
else
@commentaire.email = current_user.email
@commentaire.dossier = current_user.dossiers.find_by(id: dossier_id) || current_user.invites.find_by!(dossier_id: dossier_id).dossier
@commentaire.dossier.next_step! 'user', 'comment' if current_user.email == @commentaire.dossier.user.email
end


@ -1,7 +1,7 @@
require 'spec_helper'
describe Backoffice::CommentairesController, type: :controller do
let(:dossier) { create(:dossier) }
let(:dossier) { create(:dossier, :replied) }
let(:dossier_id) { dossier.id }
let(:email_commentaire) { 'test@test.com' }
let(:texte_commentaire) { 'Commentaire de test' }
@ -16,6 +16,25 @@ describe Backoffice::CommentairesController, type: :controller do
sign_in gestionnaire
end
context "when gestionnaire has no access to dossier" do
subject { post :create, params: { dossier_id: dossier_id, texte_commentaire: texte_commentaire } }
it { expect { subject }.to raise_error(ActiveRecord::RecordNotFound) }
it { expect { subject rescue nil }.to change(Commentaire, :count).by(0) }
end
context "when gestionnaire is invited for avis on dossier" do
subject { post :create, params: { dossier_id: dossier_id, texte_commentaire: texte_commentaire } }
before { Avis.create(dossier: dossier, gestionnaire: gestionnaire, claimant: create(:gestionnaire)) }
it { expect{ subject }.to change(Commentaire, :count).by(1) }
end
context "when gestionnaire has access to dossier" do
before do
gestionnaire.procedures << dossier.procedure
end
context "création correct d'un commentaire" do
subject { post :create, params: {dossier_id: dossier_id, email_commentaire: email_commentaire, texte_commentaire: texte_commentaire} }
@ -58,8 +77,8 @@ describe Backoffice::CommentairesController, type: :controller do
subject
end
it 'Internal notification is not create' do
expect { subject }.to change(Notification, :count).by (0)
it 'Internal notification is created' do
expect { subject }.to change(Notification, :count).by (1)
end
describe 'piece justificative created' do
@ -96,7 +115,7 @@ describe Backoffice::CommentairesController, type: :controller do
context 'gestionnaire is connected' do
context 'when dossier is at state updated' do
before do
sign_in create(:gestionnaire)
sign_in gestionnaire
dossier.updated!
post :create, params: {dossier_id: dossier_id, texte_commentaire: texte_commentaire}
@ -130,3 +149,4 @@ describe Backoffice::CommentairesController, type: :controller do
end
end
end
end
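Review bot: In the "when gestionnaire has no access to dossier" context, `expect { subject rescue nil }.to change(Commentaire, :count).by(0)` rescues every StandardError, so the count check still passes if the controller fails for some reason unrelated to the RecordNotFound the sibling example pins; rescuing only the expected class keeps the authorization check meaningful: `expect { begin; subject; rescue ActiveRecord::RecordNotFound; end }.not_to change(Commentaire, :count)`. The same pattern appears in the Users::CommentairesController spec's "when user has no access to dossier" context. In the "invited for avis" setup, `Avis.create(...)` returns an unsaved record instead of raising when validation fails, so a broken setup would surface as a confusing count mismatch; `Avis.create!(...)` fails loudly at the cause. The added `change(Notification, :count).by (1)` also keeps a space before the parenthesis while the rest of the file writes `.by(1)`; drop the space.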


@ -11,6 +11,28 @@ describe Users::CommentairesController, type: :controller do
end
describe '#POST create' do
context "when user has no access to dossier" do
before do
sign_in create(:user)
end
subject { post :create, params: { dossier_id: dossier_id, texte_commentaire: texte_commentaire } }
it { expect { subject }.to raise_error(ActiveRecord::RecordNotFound) }
it { expect { subject rescue nil }.to change(Commentaire, :count).by(0) }
end
context "when user is invited on dossier" do
let(:user) { create(:user) }
subject { post :create, params: { dossier_id: dossier_id, texte_commentaire: texte_commentaire } }
before do
sign_in user
InviteUser.create(dossier: dossier, user: user, email: user.email, email_sender: "test@test.com")
end
it { expect{ subject }.to change(Commentaire, :count).by(1) }
end
context 'création correct d\'un commentaire' do
subject do
sign_in dossier.user