feat(Administrateur::ArchivesController#*): prevent SuperAdmin to index/download archives

2022-07-21 13:44:21 +02:00 · 2022-07-21 13:44:21 +02:00 · c2e0994e11
commit c2e0994e11
parent ef67958324
6 changed files with 61 additions and 9 deletions
--- a/app/controllers/administrateurs/administrateur_controller.rb
+++ b/app/controllers/administrateurs/administrateur_controller.rb
@ -6,12 +6,24 @@ module Administrateurs
      id = params[:procedure_id] || params[:id]
      @procedure = current_administrateur.procedures.find(id)
    rescue ActiveRecord::RecordNotFound
      flash.alert = 'Démarche inexistante'
      redirect_to admin_procedures_path, status: 404
    end
    def retrieve_procedure_administration
      id = params[:procedure_id] || params[:id]
      @procedure_administration = current_administrateur.administrateurs_procedures.find_by(procedure_id: id)
    end
    def ensure_not_super_admin!
      procedure_administration = retrieve_procedure_administration
      if procedure_administration.manager?
        redirect_back fallback_location: root_url, alert: "Interdit aux super admins", status: 403
      end
    end
    def procedure_locked?
      if @procedure.locked?
        flash.alert = 'Démarche verrouillée'
--- a/app/controllers/administrateurs/archives_controller.rb
+++ b/app/controllers/administrateurs/archives_controller.rb
@ -1,6 +1,9 @@
 module Administrateurs
  class ArchivesController < AdministrateurController
-    before_action :retrieve_procedure, only: [:index, :create]
+    before_action :retrieve_procedure
    before_action :retrieve_procedure_administration
    before_action :ensure_not_super_admin!
    helper_method :create_archive_url
    def index
--- a/app/models/assign_to.rb
+++ b/app/models/assign_to.rb
@ -6,7 +6,7 @@
 #  daily_email_notifications_enabled           :boolean          default(FALSE), not null
 #  instant_email_dossier_notifications_enabled :boolean          default(FALSE), not null
 #  instant_email_message_notifications_enabled :boolean          default(FALSE), not null
-#  manager                                     :boolean          default(TRUE)
+#  manager                                     :boolean          default(FALSE)
 #  weekly_email_notifications_enabled          :boolean          default(TRUE), not null
 #  created_at                                  :datetime
 #  updated_at                                  :datetime
--- a/db/migrate/20220712141913_add_manager_to_assign_tos.rb
+++ b/db/migrate/20220712141913_add_manager_to_assign_tos.rb
@ -1,6 +1,10 @@
 class AddManagerToAssignTos < ActiveRecord::Migration[6.1]
-  def change
+  def up
    add_column :assign_tos, :manager, :boolean
-    change_column_default :assign_tos, :manager, default: false
+    change_column_default :assign_tos, :manager, false
  end
  def down
    remove_column :assign_tos, :manager
  end
 end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -112,7 +112,7 @@ ActiveRecord::Schema.define(version: 2022_07_28_084804) do
    t.boolean "instant_email_dossier_notifications_enabled", default: false, null: false
    t.boolean "instant_email_message_notifications_enabled", default: false, null: false
    t.integer "instructeur_id"
-    t.boolean "manager", default: true
+    t.boolean "manager", default: false
    t.datetime "updated_at"
    t.boolean "weekly_email_notifications_enabled", default: true, null: false
    t.index ["groupe_instructeur_id", "instructeur_id"], name: "unique_couple_groupe_instructeur_instructeur", unique: true
--- a/spec/controllers/administrateurs/archives_controller_spec.rb
+++ b/spec/controllers/administrateurs/archives_controller_spec.rb
@ -1,6 +1,7 @@
 describe Administrateurs::ArchivesController, type: :controller do
  let(:admin) { create(:administrateur) }
-  let(:procedure) { create :procedure, administrateur: admin, groupe_instructeurs: [groupe_instructeur1, groupe_instructeur2] }
+  let(:procedure) { create :procedure, groupe_instructeurs: [groupe_instructeur1, groupe_instructeur2] }
  let(:administrateur_procedure) { create(:administrateurs_procedure, procedure: procedure, administrateur: admin, manager: manager) }
  let(:groupe_instructeur1) { create(:groupe_instructeur) }
  let(:groupe_instructeur2) { create(:groupe_instructeur) }
@ -10,8 +11,11 @@ describe Administrateurs::ArchivesController, type: :controller do
    context 'when logged out' do
      it { is_expected.to have_http_status(302) }
    end
-    context 'when logged in' do
+
    context 'when logged in as administrateur_procedure.manager=false' do
      let(:manager) { false }
      before do
        administrateur_procedure
        sign_in(admin.user)
      end
@ -22,15 +26,30 @@ describe Administrateurs::ArchivesController, type: :controller do
        subject
      end
    end
    context 'when logged in as administrateur_procedure.manager=true' do
      let(:manager) { true }
      before do
        administrateur_procedure
        sign_in(admin.user)
      end
      it { is_expected.to have_http_status(403) }
    end
  end
  describe 'GET #create' do
    subject { post :create, params: { procedure_id: procedure.id, month: '22-06', type: 'monthly' } }
    context 'when logged out' do
      it { is_expected.to have_http_status(302) }
    end
-    context 'when logged in' do
+
    context 'when logged in  in as administrateur_procedure.manager=false' do
      let(:manager) { false }
      before do
        administrateur_procedure
        sign_in(admin.user)
      end
@ -39,5 +58,19 @@ describe Administrateurs::ArchivesController, type: :controller do
        expect { subject }.to have_enqueued_job(ArchiveCreationJob).with(procedure, an_instance_of(Archive), admin)
      end
    end
    context 'when logged in  in as administrateur_procedure.manager=true' do
      let(:manager) { true }
      before do
        administrateur_procedure
        sign_in(admin.user)
      end
      it { is_expected.to have_http_status(403) }
      it 'does not enqueue the creation job' do
        expect { subject }.not_to have_enqueued_job(ArchiveCreationJob)
      end
    end
  end
 end