From c2e0994e1154fd351bb377c9604fd4b5f945db8e Mon Sep 17 00:00:00 2001
From: Martin
Date: Thu, 21 Jul 2022 13:44:21 +0200
Subject: [PATCH] feat(Administrateur::ArchivesController#*): prevent SuperAdmin to index/download archives

---
 .../administrateur_controller.rb              | 14 ++++++-
 .../administrateurs/archives_controller.rb    |  5 ++-
 app/models/assign_to.rb                       |  2 +-
 ...0220712141913_add_manager_to_assign_tos.rb |  8 +++-
 db/schema.rb                                  |  2 +-
 .../archives_controller_spec.rb               | 39 +++++++++++++++++--
 6 files changed, 61 insertions(+), 9 deletions(-)

diff --git a/app/controllers/administrateurs/administrateur_controller.rb b/app/controllers/administrateurs/administrateur_controller.rb
index f9d3ffdef..9f182bc6c 100644
--- a/app/controllers/administrateurs/administrateur_controller.rb
+++ b/app/controllers/administrateurs/administrateur_controller.rb
@@ -6,12 +6,24 @@ module Administrateurs
       id = params[:procedure_id] || params[:id]
 
       @procedure = current_administrateur.procedures.find(id)
-
     rescue ActiveRecord::RecordNotFound
       flash.alert = 'Démarche inexistante'
       redirect_to admin_procedures_path, status: 404
     end
 
+    def retrieve_procedure_administration
+      id = params[:procedure_id] || params[:id]
+
+      @procedure_administration = current_administrateur.administrateurs_procedures.find_by(procedure_id: id)
+    end
+
+    def ensure_not_super_admin!
+      procedure_administration = retrieve_procedure_administration
+      if procedure_administration.manager?
+        redirect_back fallback_location: root_url, alert: "Interdit aux super admins", status: 403
+      end
+    end
+
     def procedure_locked?
       if @procedure.locked?
         flash.alert = 'Démarche verrouillée'
diff --git a/app/controllers/administrateurs/archives_controller.rb b/app/controllers/administrateurs/archives_controller.rb
index 762bc6dca..a7e3db280 100644
--- a/app/controllers/administrateurs/archives_controller.rb
+++ b/app/controllers/administrateurs/archives_controller.rb
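Review bot: `ensure_not_super_admin!` calls `retrieve_procedure_administration` again instead of reading the `@procedure_administration` that the preceding `before_action :retrieve_procedure_administration` in `archives_controller.rb` already set, so every guarded request runs the same lookup twice; `procedure_administration = @procedure_administration || retrieve_procedure_administration` keeps the filter usable on its own while avoiding the repeat. When `find_by` returns nil (no administrateurs_procedures row linking the current administrateur to the procedure) the `manager?` call raises instead of denying, and an authorization filter should fail closed, e.g. `if procedure_administration.nil? || procedure_administration.manager?`. Whether nil is actually reachable depends on `retrieve_procedure` having already halted the chain on `RecordNotFound`, which the hunk does not show. The enclosing `module Administrateurs` controller class starts before this hunk and continues after it.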
@@ -1,6 +1,9 @@
 module Administrateurs
   class ArchivesController < AdministrateurController
-    before_action :retrieve_procedure, only: [:index, :create]
+    before_action :retrieve_procedure
+    before_action :retrieve_procedure_administration
+    before_action :ensure_not_super_admin!
+
     helper_method :create_archive_url
 
     def index
diff --git a/app/models/assign_to.rb b/app/models/assign_to.rb
index 675e416e4..d457f766e 100644
--- a/app/models/assign_to.rb
+++ b/app/models/assign_to.rb
@@ -6,7 +6,7 @@
 # daily_email_notifications_enabled :boolean default(FALSE), not null
 # instant_email_dossier_notifications_enabled :boolean default(FALSE), not null
 # instant_email_message_notifications_enabled :boolean default(FALSE), not null
-# manager :boolean default(TRUE)
+# manager :boolean default(FALSE)
 # weekly_email_notifications_enabled :boolean default(TRUE), not null
 # created_at :datetime
 # updated_at :datetime
diff --git a/db/migrate/20220712141913_add_manager_to_assign_tos.rb b/db/migrate/20220712141913_add_manager_to_assign_tos.rb
index 09d5a1906..06d644572 100644
--- a/db/migrate/20220712141913_add_manager_to_assign_tos.rb
+++ b/db/migrate/20220712141913_add_manager_to_assign_tos.rb
@@ -1,6 +1,10 @@
 class AddManagerToAssignTos < ActiveRecord::Migration[6.1]
-  def change
+  def up
     add_column :assign_tos, :manager, :boolean
-    change_column_default :assign_tos, :manager, default: false
+    change_column_default :assign_tos, :manager, false
+  end
+
+  def down
+    remove_column :assign_tos, :manager
   end
 end
diff --git a/db/schema.rb b/db/schema.rb
index 372c927c7..7157e7fe5 100644
--- a/db/schema.rb
+++ b/db/schema.rb
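Review bot: Editing `20220712141913_add_manager_to_assign_tos.rb` in place does not re-run it anywhere it has already been applied, so the `default: true` that `db/schema.rb` carried (presumably the old `change_column_default :assign_tos, :manager, default: false` form being cast as a truthy value rather than read as `from:`/`to:`) stays in every database that ran the original version, and `assign_tos` rows inserted there under that default keep `manager = true`. If any deployed environment is in that state, the fix belongs in a new migration that resets the default and backfills, with this file left as history. The column is also still nullable; `add_column :assign_tos, :manager, :boolean, default: false` would replace the two-step add/change, and `null: false` would make `manager?` unambiguous, which matters if this flag ever feeds an authorization check the way `administrateurs_procedures.manager?` does in the controller hunk above.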
@@ -112,7 +112,7 @@ ActiveRecord::Schema.define(version: 2022_07_28_084804) do
     t.boolean "instant_email_dossier_notifications_enabled", default: false, null: false
     t.boolean "instant_email_message_notifications_enabled", default: false, null: false
     t.integer "instructeur_id"
-    t.boolean "manager", default: true
+    t.boolean "manager", default: false
     t.datetime "updated_at"
     t.boolean "weekly_email_notifications_enabled", default: true, null: false
     t.index ["groupe_instructeur_id", "instructeur_id"], name: "unique_couple_groupe_instructeur_instructeur", unique: true
diff --git a/spec/controllers/administrateurs/archives_controller_spec.rb b/spec/controllers/administrateurs/archives_controller_spec.rb
index fd0fe767e..659393f27 100644
--- a/spec/controllers/administrateurs/archives_controller_spec.rb
+++ b/spec/controllers/administrateurs/archives_controller_spec.rb
@@ -1,6 +1,7 @@
 describe Administrateurs::ArchivesController, type: :controller do
   let(:admin) { create(:administrateur) }
-  let(:procedure) { create :procedure, administrateur: admin, groupe_instructeurs: [groupe_instructeur1, groupe_instructeur2] }
+  let(:procedure) { create :procedure, groupe_instructeurs: [groupe_instructeur1, groupe_instructeur2] }
+  let(:administrateur_procedure) { create(:administrateurs_procedure, procedure: procedure, administrateur: admin, manager: manager) }
   let(:groupe_instructeur1) { create(:groupe_instructeur) }
   let(:groupe_instructeur2) { create(:groupe_instructeur) }
 
@@ -10,8 +11,11 @@ describe Administrateurs::ArchivesController, type: :controller do
     context 'when logged out' do
       it { is_expected.to have_http_status(302) }
     end
-    context 'when logged in' do
+
+    context 'when logged in as administrateur_procedure.manager=false' do
+      let(:manager) { false }
       before do
+        administrateur_procedure
         sign_in(admin.user)
       end
 
@@ -22,15 +26,30 @@ describe Administrateurs::ArchivesController, type: :controller do
         subject
       end
     end
+    context 'when logged in as administrateur_procedure.manager=true' do
+      let(:manager) { true }
+
+      before do
+        administrateur_procedure
+        sign_in(admin.user)
+      end
+
+      it { is_expected.to have_http_status(403) }
+    end
   end
+
   describe 'GET #create' do
     subject { post :create, params: { procedure_id: procedure.id, month: '22-06', type: 'monthly' } }
 
     context 'when logged out' do
       it { is_expected.to have_http_status(302) }
     end
-    context 'when logged in' do
+
+    context 'when logged in in as administrateur_procedure.manager=false' do
+      let(:manager) { false }
       before do
+        administrateur_procedure
         sign_in(admin.user)
       end
 
@@ -39,5 +58,19 @@ describe Administrateurs::ArchivesController, type: :controller do
         expect { subject }.to have_enqueued_job(ArchiveCreationJob).with(procedure, an_instance_of(Archive), admin)
       end
     end
+
+    context 'when logged in in as administrateur_procedure.manager=true' do
+      let(:manager) { true }
+
+      before do
+        administrateur_procedure
+        sign_in(admin.user)
+      end
+
+      it { is_expected.to have_http_status(403) }
+      it 'does not enqueue the creation job' do
+        expect { subject }.not_to have_enqueued_job(ArchiveCreationJob)
+      end
+    end
   end
 end
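Review bot: The two `GET #create` context descriptions added in this hunk and the next read `'when logged in in as administrateur_procedure.manager=…'` with a duplicated "in", while the `GET #index` contexts use `'when logged in as …'`; `context 'when logged in as administrateur_procedure.manager=false' do` and `context 'when logged in as administrateur_procedure.manager=true' do` would keep the example names consistent and greppable. The manager=true examples only assert the 403 status; since `ensure_not_super_admin!` answers with `redirect_back`, also asserting `expect(subject).to redirect_to(root_url)` in the index case would pin that a manager receives no archive listing and not just the status code. The `GET #index` describe block that the first context lines close starts before this hunk.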