feat(Administrateur::ArchivesController#*): prevent SuperAdmin from indexing/downloading archives
This commit is contained in:
parent
ef67958324
commit
c2e0994e11
6 changed files with 61 additions and 9 deletions
|
@ -6,12 +6,24 @@ module Administrateurs
|
|||
id = params[:procedure_id] || params[:id]
|
||||
|
||||
@procedure = current_administrateur.procedures.find(id)
|
||||
|
||||
rescue ActiveRecord::RecordNotFound
|
||||
flash.alert = 'Démarche inexistante'
|
||||
redirect_to admin_procedures_path, status: 404
|
||||
end
|
||||
|
||||
def retrieve_procedure_administration
|
||||
id = params[:procedure_id] || params[:id]
|
||||
|
||||
@procedure_administration = current_administrateur.administrateurs_procedures.find_by(procedure_id: id)
|
||||
end
|
||||
|
||||
def ensure_not_super_admin!
|
||||
procedure_administration = retrieve_procedure_administration
|
||||
if procedure_administration.manager?
|
||||
redirect_back fallback_location: root_url, alert: "Interdit aux super admins", status: 403
|
||||
end
|
||||
end
|
||||
|
||||
def procedure_locked?
|
||||
if @procedure.locked?
|
||||
flash.alert = 'Démarche verrouillée'
|
||||
|
|
|
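Review bot: `ensure_not_super_admin!` dereferences the result of `retrieve_procedure_administration` without a nil guard; `find_by(procedure_id: id)` returns nil when `current_administrateur` has no `administrateurs_procedures` row for the requested id, so the guard would raise NoMethodError instead of denying access. A deny-by-default form is `if procedure_administration.nil? || procedure_administration.manager?`, which also covers the case where the before_action order changes and `retrieve_procedure` has not established the association first. The helper additionally re-runs the query that the `retrieve_procedure_administration` before_action already stores in `@procedure_administration`, so reading the ivar there would avoid the second query. Note that `redirect_back ... status: 403` sends a Location header with a non-3xx status, which browsers do not follow, so the alert is never shown; this mirrors the existing 404 redirect in `retrieve_procedure` and may be intentional. `retrieve_procedure` starts and `procedure_locked?` ends outside the hunk.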
@ -1,6 +1,9 @@
|
|||
module Administrateurs
|
||||
class ArchivesController < AdministrateurController
|
||||
before_action :retrieve_procedure, only: [:index, :create]
|
||||
before_action :retrieve_procedure
|
||||
before_action :retrieve_procedure_administration
|
||||
before_action :ensure_not_super_admin!
|
||||
|
||||
helper_method :create_archive_url
|
||||
|
||||
def index
|
||||
|
|
|
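Review bot: `before_action :retrieve_procedure_administration` populates `@procedure_administration`, but `ensure_not_super_admin!` in the parent controller re-queries instead of reading it, so one of the two should go: either drop this before_action or have the guard use the ivar. Since none of the three before_actions carry `only:` any more, the check now applies to every action in this controller, including any added later, which is the right fail-closed shape; a comment such as `# Every action requires a procedure and is closed to manager (super admin) accounts` above the chain would stop someone from reintroducing a per-action `only:`. The class body continues outside the hunk.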
@ -6,7 +6,7 @@
|
|||
# daily_email_notifications_enabled :boolean default(FALSE), not null
|
||||
# instant_email_dossier_notifications_enabled :boolean default(FALSE), not null
|
||||
# instant_email_message_notifications_enabled :boolean default(FALSE), not null
|
||||
# manager :boolean default(TRUE)
|
||||
# manager :boolean default(FALSE)
|
||||
# weekly_email_notifications_enabled :boolean default(TRUE), not null
|
||||
# created_at :datetime
|
||||
# updated_at :datetime
|
||||
|
|
|
@ -1,6 +1,10 @@
|
|||
class AddManagerToAssignTos < ActiveRecord::Migration[6.1]
|
||||
def change
|
||||
def up
|
||||
add_column :assign_tos, :manager, :boolean
|
||||
change_column_default :assign_tos, :manager, default: false
|
||||
change_column_default :assign_tos, :manager, false
|
||||
end
|
||||
|
||||
def down
|
||||
remove_column :assign_tos, :manager
|
||||
end
|
||||
end
|
||||
|
|
|
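Review bot: `add_column :assign_tos, :manager, :boolean` followed by `change_column_default` leaves every row that exists at migration time with a NULL `manager`, because changing the default does not backfill existing rows. `add_column :assign_tos, :manager, :boolean, default: false` (optionally with `null: false`) in a single reversible `change` sets existing rows as well and makes the `up`/`down` split unnecessary. If this migration has already been applied in deployed environments, editing it has no effect there and a separate backfill migration is needed instead. A NULL value presumably reads as false through `manager?`, so such rows would silently count as non-manager, which is worth confirming against the data.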
@ -112,7 +112,7 @@ ActiveRecord::Schema.define(version: 2022_07_28_084804) do
|
|||
t.boolean "instant_email_dossier_notifications_enabled", default: false, null: false
|
||||
t.boolean "instant_email_message_notifications_enabled", default: false, null: false
|
||||
t.integer "instructeur_id"
|
||||
t.boolean "manager", default: true
|
||||
t.boolean "manager", default: false
|
||||
t.datetime "updated_at"
|
||||
t.boolean "weekly_email_notifications_enabled", default: true, null: false
|
||||
t.index ["groupe_instructeur_id", "instructeur_id"], name: "unique_couple_groupe_instructeur_instructeur", unique: true
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
describe Administrateurs::ArchivesController, type: :controller do
|
||||
let(:admin) { create(:administrateur) }
|
||||
let(:procedure) { create :procedure, administrateur: admin, groupe_instructeurs: [groupe_instructeur1, groupe_instructeur2] }
|
||||
let(:procedure) { create :procedure, groupe_instructeurs: [groupe_instructeur1, groupe_instructeur2] }
|
||||
let(:administrateur_procedure) { create(:administrateurs_procedure, procedure: procedure, administrateur: admin, manager: manager) }
|
||||
let(:groupe_instructeur1) { create(:groupe_instructeur) }
|
||||
let(:groupe_instructeur2) { create(:groupe_instructeur) }
|
||||
|
||||
|
@ -10,8 +11,11 @@ describe Administrateurs::ArchivesController, type: :controller do
|
|||
context 'when logged out' do
|
||||
it { is_expected.to have_http_status(302) }
|
||||
end
|
||||
context 'when logged in' do
|
||||
|
||||
context 'when logged in as administrateur_procedure.manager=false' do
|
||||
let(:manager) { false }
|
||||
before do
|
||||
administrateur_procedure
|
||||
sign_in(admin.user)
|
||||
end
|
||||
|
||||
|
@ -22,15 +26,30 @@ describe Administrateurs::ArchivesController, type: :controller do
|
|||
subject
|
||||
end
|
||||
end
|
||||
context 'when logged in as administrateur_procedure.manager=true' do
|
||||
let(:manager) { true }
|
||||
|
||||
before do
|
||||
administrateur_procedure
|
||||
sign_in(admin.user)
|
||||
end
|
||||
|
||||
it { is_expected.to have_http_status(403) }
|
||||
end
|
||||
end
|
||||
|
||||
describe 'GET #create' do
|
||||
subject { post :create, params: { procedure_id: procedure.id, month: '22-06', type: 'monthly' } }
|
||||
|
||||
context 'when logged out' do
|
||||
it { is_expected.to have_http_status(302) }
|
||||
end
|
||||
context 'when logged in' do
|
||||
|
||||
context 'when logged in in as administrateur_procedure.manager=false' do
|
||||
let(:manager) { false }
|
||||
|
||||
before do
|
||||
administrateur_procedure
|
||||
sign_in(admin.user)
|
||||
end
|
||||
|
||||
|
@ -39,5 +58,19 @@ describe Administrateurs::ArchivesController, type: :controller do
|
|||
expect { subject }.to have_enqueued_job(ArchiveCreationJob).with(procedure, an_instance_of(Archive), admin)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when logged in in as administrateur_procedure.manager=true' do
|
||||
let(:manager) { true }
|
||||
|
||||
before do
|
||||
administrateur_procedure
|
||||
sign_in(admin.user)
|
||||
end
|
||||
|
||||
it { is_expected.to have_http_status(403) }
|
||||
it 'does not enqueue the creation job' do
|
||||
expect { subject }.not_to have_enqueued_job(ArchiveCreationJob)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
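Review bot: Neither `GET #index` nor `#create` has a case for an administrateur with no `administrateurs_procedure` row: `administrateur_procedure` is only materialised inside the `before` blocks, so the `find_by` nil path of `ensure_not_super_admin!` is never exercised. A context that signs in `admin` without touching `administrateur_procedure` and expects a non-200 status (and, for `#create`, no enqueued `ArchiveCreationJob`) would pin the fail-closed behaviour. The descriptions of both `#create` contexts read `'when logged in in as administrateur_procedure.manager=…'` with a doubled "in". `describe 'GET #create'` wraps a `post :create` request, so `'POST #create'` would match the subject, whether or not that line is new in this commit.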