feat(Administrateur::ArchivesController#*): prevent SuperAdmin to index/download archives

This commit is contained in:
Martin 2022-07-21 13:44:21 +02:00 committed by mfo
parent ef67958324
commit c2e0994e11
6 changed files with 61 additions and 9 deletions


@ -6,12 +6,24 @@ module Administrateurs
id = params[:procedure_id] || params[:id] id = params[:procedure_id] || params[:id]
@procedure = current_administrateur.procedures.find(id) @procedure = current_administrateur.procedures.find(id)
rescue ActiveRecord::RecordNotFound rescue ActiveRecord::RecordNotFound
flash.alert = 'Démarche inexistante' flash.alert = 'Démarche inexistante'
redirect_to admin_procedures_path, status: 404 redirect_to admin_procedures_path, status: 404
end end
def retrieve_procedure_administration
id = params[:procedure_id] || params[:id]
@procedure_administration = current_administrateur.administrateurs_procedures.find_by(procedure_id: id)
end
def ensure_not_super_admin!
procedure_administration = retrieve_procedure_administration
if procedure_administration.manager?
redirect_back fallback_location: root_url, alert: "Interdit aux super admins", status: 403
end
end
def procedure_locked? def procedure_locked?
if @procedure.locked? if @procedure.locked?
flash.alert = 'Démarche verrouillée' flash.alert = 'Démarche verrouillée'
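Review bot: `ensure_not_super_admin!` evaluates `procedure_administration.manager?` without a `nil` guard, yet `retrieve_procedure_administration` uses `find_by`, so an administrateur with no `administrateurs_procedures` row for this id would raise `NoMethodError` (a 500) rather than being refused. Fail closed instead: `if procedure_administration.nil? || procedure_administration.manager?`. The lookup also runs twice per request (once as the `before_action` that sets `@procedure_administration`, once inside the guard); memoising with `@procedure_administration ||= current_administrateur.administrateurs_procedures.find_by(procedure_id: id)` avoids the second query. Whether `current_administrateur.procedures` is itself backed by `administrateurs_procedures` (which would make the nil case unreachable once `retrieve_procedure` has passed) is not visible here; the enclosing class continues outside the hunk.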


@ -1,6 +1,9 @@
module Administrateurs module Administrateurs
class ArchivesController < AdministrateurController class ArchivesController < AdministrateurController
before_action :retrieve_procedure, only: [:index, :create] before_action :retrieve_procedure
before_action :retrieve_procedure_administration
before_action :ensure_not_super_admin!
helper_method :create_archive_url helper_method :create_archive_url
def index def index
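Review bot: The `before_action` chain now runs for every action of `ArchivesController` (the `only: [:index, :create]` restriction was dropped), which is what makes the guard cover the whole controller, but any other action in this class — not visible in the hunk — now needs a `procedure_id`/`id` parameter or it lands on the 404 redirect. Since `ensure_not_super_admin!` re-runs `retrieve_procedure_administration` itself, the middle `before_action :retrieve_procedure_administration` line is redundant unless a view reads `@procedure_administration`; keeping just `before_action :retrieve_procedure` followed by `before_action :ensure_not_super_admin!` states the intent more clearly. The guard only protects routes served by this controller: if the generated archive files are fetched through a separate route (for instance a storage redirect URL listed on the index page), that download path is not covered by this change — worth confirming. The class body continues past the hunk.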


@ -6,7 +6,7 @@
# daily_email_notifications_enabled :boolean default(FALSE), not null # daily_email_notifications_enabled :boolean default(FALSE), not null
# instant_email_dossier_notifications_enabled :boolean default(FALSE), not null # instant_email_dossier_notifications_enabled :boolean default(FALSE), not null
# instant_email_message_notifications_enabled :boolean default(FALSE), not null # instant_email_message_notifications_enabled :boolean default(FALSE), not null
# manager :boolean default(TRUE) # manager :boolean default(FALSE)
# weekly_email_notifications_enabled :boolean default(TRUE), not null # weekly_email_notifications_enabled :boolean default(TRUE), not null
# created_at :datetime # created_at :datetime
# updated_at :datetime # updated_at :datetime


@ -1,6 +1,10 @@
class AddManagerToAssignTos < ActiveRecord::Migration[6.1] class AddManagerToAssignTos < ActiveRecord::Migration[6.1]
def change def up
add_column :assign_tos, :manager, :boolean add_column :assign_tos, :manager, :boolean
change_column_default :assign_tos, :manager, default: false change_column_default :assign_tos, :manager, false
end
def down
remove_column :assign_tos, :manager
end end
end end
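Review bot: Editing `AddManagerToAssignTos` in place only helps databases that have not run it yet; any environment where the earlier version was already applied (the schema diff moving from `default: true` suggests at least one was) keeps the old column default and whatever `manager` values its existing rows received, so a new migration is needed to flip the default and backfill those rows. The column also stays nullable while the neighbouring flags are `not null`; because `manager?` on a `NULL` reads as false, a missing value silently passes the new archive guard. A single `add_column :assign_tos, :manager, :boolean, default: false, null: false` replaces both statements and lets the migration return to a reversible `change`. Separately, the authorization check in this commit reads `administrateurs_procedures.manager`, whereas this migration adds the column to `assign_tos`; presumably the `administrateurs_procedures` column was added elsewhere, but that should be confirmed.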


@ -112,7 +112,7 @@ ActiveRecord::Schema.define(version: 2022_07_28_084804) do
t.boolean "instant_email_dossier_notifications_enabled", default: false, null: false t.boolean "instant_email_dossier_notifications_enabled", default: false, null: false
t.boolean "instant_email_message_notifications_enabled", default: false, null: false t.boolean "instant_email_message_notifications_enabled", default: false, null: false
t.integer "instructeur_id" t.integer "instructeur_id"
t.boolean "manager", default: true t.boolean "manager", default: false
t.datetime "updated_at" t.datetime "updated_at"
t.boolean "weekly_email_notifications_enabled", default: true, null: false t.boolean "weekly_email_notifications_enabled", default: true, null: false
t.index ["groupe_instructeur_id", "instructeur_id"], name: "unique_couple_groupe_instructeur_instructeur", unique: true t.index ["groupe_instructeur_id", "instructeur_id"], name: "unique_couple_groupe_instructeur_instructeur", unique: true


@ -1,6 +1,7 @@
describe Administrateurs::ArchivesController, type: :controller do describe Administrateurs::ArchivesController, type: :controller do
let(:admin) { create(:administrateur) } let(:admin) { create(:administrateur) }
let(:procedure) { create :procedure, administrateur: admin, groupe_instructeurs: [groupe_instructeur1, groupe_instructeur2] } let(:procedure) { create :procedure, groupe_instructeurs: [groupe_instructeur1, groupe_instructeur2] }
let(:administrateur_procedure) { create(:administrateurs_procedure, procedure: procedure, administrateur: admin, manager: manager) }
let(:groupe_instructeur1) { create(:groupe_instructeur) } let(:groupe_instructeur1) { create(:groupe_instructeur) }
let(:groupe_instructeur2) { create(:groupe_instructeur) } let(:groupe_instructeur2) { create(:groupe_instructeur) }
@ -10,8 +11,11 @@ describe Administrateurs::ArchivesController, type: :controller do
context 'when logged out' do context 'when logged out' do
it { is_expected.to have_http_status(302) } it { is_expected.to have_http_status(302) }
end end
context 'when logged in' do
context 'when logged in as administrateur_procedure.manager=false' do
let(:manager) { false }
before do before do
administrateur_procedure
sign_in(admin.user) sign_in(admin.user)
end end
@ -22,15 +26,30 @@ describe Administrateurs::ArchivesController, type: :controller do
subject subject
end end
end end
context 'when logged in as administrateur_procedure.manager=true' do
let(:manager) { true }
before do
administrateur_procedure
sign_in(admin.user)
end end
it { is_expected.to have_http_status(403) }
end
end
describe 'GET #create' do describe 'GET #create' do
subject { post :create, params: { procedure_id: procedure.id, month: '22-06', type: 'monthly' } } subject { post :create, params: { procedure_id: procedure.id, month: '22-06', type: 'monthly' } }
context 'when logged out' do context 'when logged out' do
it { is_expected.to have_http_status(302) } it { is_expected.to have_http_status(302) }
end end
context 'when logged in' do
context 'when logged in in as administrateur_procedure.manager=false' do
let(:manager) { false }
before do before do
administrateur_procedure
sign_in(admin.user) sign_in(admin.user)
end end
@ -39,5 +58,19 @@ describe Administrateurs::ArchivesController, type: :controller do
expect { subject }.to have_enqueued_job(ArchiveCreationJob).with(procedure, an_instance_of(Archive), admin) expect { subject }.to have_enqueued_job(ArchiveCreationJob).with(procedure, an_instance_of(Archive), admin)
end end
end end
context 'when logged in in as administrateur_procedure.manager=true' do
let(:manager) { true }
before do
administrateur_procedure
sign_in(admin.user)
end
it { is_expected.to have_http_status(403) }
it 'does not enqueue the creation job' do
expect { subject }.not_to have_enqueued_job(ArchiveCreationJob)
end
end
end end
end end
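Review bot: The new contexts pin `manager: true` and `manager: false`, but not the case the guard handles worst: an administrateur whose `administrateurs_procedures` row is absent or carries `manager: nil`, where `procedure_administration.manager?` is either evaluated on `nil` or reads as false and lets the request through. Add a context for each of those (e.g. `let(:administrateur_procedure) { nil }` and `let(:manager) { nil }`) on both `#index` and `#create` and assert an explicit refusal — a 403 or 404, never a 200 and never an exception. The four identical `before do administrateur_procedure; sign_in(admin.user) end` blocks could collapse into one `shared_context`. The new labels read `'when logged in in as …'` (doubled "in"), and `describe 'GET #create'` still describes a `post` — pre-existing, but worth correcting while the file is open.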