feat(Administrateur::ArchivesController#*): prevent SuperAdmin to index/download archives
parent
ef67958324
commit
c2e0994e11
6 changed files with 61 additions and 9 deletions
|
@ -6,12 +6,24 @@ module Administrateurs
|
||||||
id = params[:procedure_id] || params[:id]
|
id = params[:procedure_id] || params[:id]
|
||||||
|
|
||||||
@procedure = current_administrateur.procedures.find(id)
|
@procedure = current_administrateur.procedures.find(id)
|
||||||
|
|
||||||
rescue ActiveRecord::RecordNotFound
|
rescue ActiveRecord::RecordNotFound
|
||||||
flash.alert = 'Démarche inexistante'
|
flash.alert = 'Démarche inexistante'
|
||||||
redirect_to admin_procedures_path, status: 404
|
redirect_to admin_procedures_path, status: 404
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def retrieve_procedure_administration
|
||||||
|
id = params[:procedure_id] || params[:id]
|
||||||
|
|
||||||
|
@procedure_administration = current_administrateur.administrateurs_procedures.find_by(procedure_id: id)
|
||||||
|
end
|
||||||
|
|
||||||
|
def ensure_not_super_admin!
|
||||||
|
procedure_administration = retrieve_procedure_administration
|
||||||
|
if procedure_administration.manager?
|
||||||
|
redirect_back fallback_location: root_url, alert: "Interdit aux super admins", status: 403
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def procedure_locked?
|
def procedure_locked?
|
||||||
if @procedure.locked?
|
if @procedure.locked?
|
||||||
flash.alert = 'Démarche verrouillée'
|
flash.alert = 'Démarche verrouillée'
|
||||||
|
|
|
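Review bot: `ensure_not_super_admin!` calls `.manager?` on the result of `find_by`, so a missing `administrateurs_procedures` row raises NoMethodError and surfaces as a 500 instead of a denial. `retrieve_procedure` already scopes the procedure to `current_administrateur`, so a nil row is presumably unreachable through this controller, but the guard is cheap and should fail closed: `if procedure_administration.nil? || procedure_administration.manager?`. The method also re-runs the query that the `retrieve_procedure_administration` before_action just performed; reading `@procedure_administration || retrieve_procedure_administration` avoids the second lookup. The enclosing class starts before this hunk and continues after it.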
@ -1,6 +1,9 @@
|
||||||
module Administrateurs
|
module Administrateurs
|
||||||
class ArchivesController < AdministrateurController
|
class ArchivesController < AdministrateurController
|
||||||
before_action :retrieve_procedure, only: [:index, :create]
|
before_action :retrieve_procedure
|
||||||
|
before_action :retrieve_procedure_administration
|
||||||
|
before_action :ensure_not_super_admin!
|
||||||
|
|
||||||
helper_method :create_archive_url
|
helper_method :create_archive_url
|
||||||
|
|
||||||
def index
|
def index
|
||||||
|
|
|
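Review bot: `before_action :retrieve_procedure` drops its `only: [:index, :create]` restriction, so every action of ArchivesController now requires a procedure id and hits the 404 redirect without one; if the controller has no other actions (not visible in this hunk) that is fine, otherwise keep the `only:` list on all three filters. The `before_action :retrieve_procedure_administration` line is redundant with `ensure_not_super_admin!`, which performs the same lookup itself; keeping it only costs an extra query unless the base controller is changed to reuse the instance variable. The class body continues past the hunk.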
@ -6,7 +6,7 @@
|
||||||
# daily_email_notifications_enabled :boolean default(FALSE), not null
|
# daily_email_notifications_enabled :boolean default(FALSE), not null
|
||||||
# instant_email_dossier_notifications_enabled :boolean default(FALSE), not null
|
# instant_email_dossier_notifications_enabled :boolean default(FALSE), not null
|
||||||
# instant_email_message_notifications_enabled :boolean default(FALSE), not null
|
# instant_email_message_notifications_enabled :boolean default(FALSE), not null
|
||||||
# manager :boolean default(TRUE)
|
# manager :boolean default(FALSE)
|
||||||
# weekly_email_notifications_enabled :boolean default(TRUE), not null
|
# weekly_email_notifications_enabled :boolean default(TRUE), not null
|
||||||
# created_at :datetime
|
# created_at :datetime
|
||||||
# updated_at :datetime
|
# updated_at :datetime
|
||||||
|
|
|
@ -1,6 +1,10 @@
|
||||||
class AddManagerToAssignTos < ActiveRecord::Migration[6.1]
|
class AddManagerToAssignTos < ActiveRecord::Migration[6.1]
|
||||||
def change
|
def up
|
||||||
add_column :assign_tos, :manager, :boolean
|
add_column :assign_tos, :manager, :boolean
|
||||||
change_column_default :assign_tos, :manager, default: false
|
change_column_default :assign_tos, :manager, false
|
||||||
|
end
|
||||||
|
|
||||||
|
def down
|
||||||
|
remove_column :assign_tos, :manager
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
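Review bot: The `up` method adds the column and then changes its default in two statements, where `add_column :assign_tos, :manager, :boolean, default: false` does both and is reversible, so the original `change` method could stay and `down` be dropped. Note that this migration and the schema change touch `assign_tos.manager`, while the new authorization check reads `manager?` on `administrateurs_procedures`; confirm that column also defaults to false, otherwise the fail-closed intent of this commit does not extend to the table the controller actually consults. Existing rows get NULL for the new column, on which `manager?` returns false, which matches the intended default.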
@ -112,7 +112,7 @@ ActiveRecord::Schema.define(version: 2022_07_28_084804) do
|
||||||
t.boolean "instant_email_dossier_notifications_enabled", default: false, null: false
|
t.boolean "instant_email_dossier_notifications_enabled", default: false, null: false
|
||||||
t.boolean "instant_email_message_notifications_enabled", default: false, null: false
|
t.boolean "instant_email_message_notifications_enabled", default: false, null: false
|
||||||
t.integer "instructeur_id"
|
t.integer "instructeur_id"
|
||||||
t.boolean "manager", default: true
|
t.boolean "manager", default: false
|
||||||
t.datetime "updated_at"
|
t.datetime "updated_at"
|
||||||
t.boolean "weekly_email_notifications_enabled", default: true, null: false
|
t.boolean "weekly_email_notifications_enabled", default: true, null: false
|
||||||
t.index ["groupe_instructeur_id", "instructeur_id"], name: "unique_couple_groupe_instructeur_instructeur", unique: true
|
t.index ["groupe_instructeur_id", "instructeur_id"], name: "unique_couple_groupe_instructeur_instructeur", unique: true
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
describe Administrateurs::ArchivesController, type: :controller do
|
describe Administrateurs::ArchivesController, type: :controller do
|
||||||
let(:admin) { create(:administrateur) }
|
let(:admin) { create(:administrateur) }
|
||||||
let(:procedure) { create :procedure, administrateur: admin, groupe_instructeurs: [groupe_instructeur1, groupe_instructeur2] }
|
let(:procedure) { create :procedure, groupe_instructeurs: [groupe_instructeur1, groupe_instructeur2] }
|
||||||
|
let(:administrateur_procedure) { create(:administrateurs_procedure, procedure: procedure, administrateur: admin, manager: manager) }
|
||||||
let(:groupe_instructeur1) { create(:groupe_instructeur) }
|
let(:groupe_instructeur1) { create(:groupe_instructeur) }
|
||||||
let(:groupe_instructeur2) { create(:groupe_instructeur) }
|
let(:groupe_instructeur2) { create(:groupe_instructeur) }
|
||||||
|
|
||||||
|
@ -10,8 +11,11 @@ describe Administrateurs::ArchivesController, type: :controller do
|
||||||
context 'when logged out' do
|
context 'when logged out' do
|
||||||
it { is_expected.to have_http_status(302) }
|
it { is_expected.to have_http_status(302) }
|
||||||
end
|
end
|
||||||
context 'when logged in' do
|
|
||||||
|
context 'when logged in as administrateur_procedure.manager=false' do
|
||||||
|
let(:manager) { false }
|
||||||
before do
|
before do
|
||||||
|
administrateur_procedure
|
||||||
sign_in(admin.user)
|
sign_in(admin.user)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -22,15 +26,30 @@ describe Administrateurs::ArchivesController, type: :controller do
|
||||||
subject
|
subject
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
context 'when logged in as administrateur_procedure.manager=true' do
|
||||||
|
let(:manager) { true }
|
||||||
|
|
||||||
|
before do
|
||||||
|
administrateur_procedure
|
||||||
|
sign_in(admin.user)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it { is_expected.to have_http_status(403) }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe 'GET #create' do
|
describe 'GET #create' do
|
||||||
subject { post :create, params: { procedure_id: procedure.id, month: '22-06', type: 'monthly' } }
|
subject { post :create, params: { procedure_id: procedure.id, month: '22-06', type: 'monthly' } }
|
||||||
|
|
||||||
context 'when logged out' do
|
context 'when logged out' do
|
||||||
it { is_expected.to have_http_status(302) }
|
it { is_expected.to have_http_status(302) }
|
||||||
end
|
end
|
||||||
context 'when logged in' do
|
|
||||||
|
context 'when logged in in as administrateur_procedure.manager=false' do
|
||||||
|
let(:manager) { false }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
|
administrateur_procedure
|
||||||
sign_in(admin.user)
|
sign_in(admin.user)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -39,5 +58,19 @@ describe Administrateurs::ArchivesController, type: :controller do
|
||||||
expect { subject }.to have_enqueued_job(ArchiveCreationJob).with(procedure, an_instance_of(Archive), admin)
|
expect { subject }.to have_enqueued_job(ArchiveCreationJob).with(procedure, an_instance_of(Archive), admin)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when logged in in as administrateur_procedure.manager=true' do
|
||||||
|
let(:manager) { true }
|
||||||
|
|
||||||
|
before do
|
||||||
|
administrateur_procedure
|
||||||
|
sign_in(admin.user)
|
||||||
|
end
|
||||||
|
|
||||||
|
it { is_expected.to have_http_status(403) }
|
||||||
|
it 'does not enqueue the creation job' do
|
||||||
|
expect { subject }.not_to have_enqueued_job(ArchiveCreationJob)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
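Review bot: Both `describe` blocks cover `manager=false` and `manager=true` but not an administrateur with no `administrateurs_procedures` row at all, which is the case where `ensure_not_super_admin!` currently calls `manager?` on nil; an example such as `context 'when logged in without an administrateurs_procedure row' do` asserting a 403 would pin the fail-closed behaviour. The context descriptions for the `#create` examples read `'when logged in in as ...'` with a doubled "in". The `describe 'GET #create'` label describes a `post :create` request and could be renamed accordingly.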