[Fix #577] Restrict comment creation to Users/Gestionnaires allowed on dossier

2017-07-10 17:11:55 +02:00 · 2017-07-10 17:11:55 +02:00 · c3fa1e01b9
commit c3fa1e01b9
parent 2985623bec
3 changed files with 135 additions and 91 deletions
--- a/app/controllers/commentaires_controller.rb
+++ b/app/controllers/commentaires_controller.rb
@ -13,14 +13,16 @@ class CommentairesController < ApplicationController

  def create
    @commentaire = Commentaire.new
-    @commentaire.dossier = Dossier.find(params['dossier_id'])
    @commentaire.champ = @commentaire.dossier.champs.find(params[:champ_id]) if params[:champ_id]

+    dossier_id = params['dossier_id']
    if is_gestionnaire?
      @commentaire.email = current_gestionnaire.email
+      @commentaire.dossier = current_gestionnaire.dossiers.find_by(id: dossier_id) || current_gestionnaire.avis.find_by!(dossier_id: dossier_id).dossier
      @commentaire.dossier.next_step! 'gestionnaire', 'comment'
    else
      @commentaire.email = current_user.email
+      @commentaire.dossier = current_user.dossiers.find_by(id: dossier_id) || current_user.invites.find_by!(dossier_id: dossier_id).dossier
      @commentaire.dossier.next_step! 'user', 'comment' if current_user.email == @commentaire.dossier.user.email
    end

--- a/spec/controllers/backoffice/commentaires_controller_spec.rb
+++ b/spec/controllers/backoffice/commentaires_controller_spec.rb
@ -1,7 +1,7 @@
 require 'spec_helper'

 describe Backoffice::CommentairesController, type: :controller do
-  let(:dossier) { create(:dossier) }
+  let(:dossier) { create(:dossier, :replied) }
  let(:dossier_id) { dossier.id }
  let(:email_commentaire) { 'test@test.com' }
  let(:texte_commentaire) { 'Commentaire de test' }
@ -16,6 +16,25 @@ describe Backoffice::CommentairesController, type: :controller do
      sign_in gestionnaire
    end

+    context "when gestionnaire has no access to dossier" do
+      subject { post :create, params: { dossier_id: dossier_id, texte_commentaire: texte_commentaire } }
+
+      it { expect { subject }.to raise_error(ActiveRecord::RecordNotFound) }
+      it { expect { subject rescue nil }.to change(Commentaire, :count).by(0) }
+    end
+
+    context "when gestionnaire is invited for avis on dossier" do
+      subject { post :create, params: { dossier_id: dossier_id, texte_commentaire: texte_commentaire } }
+      before { Avis.create(dossier: dossier, gestionnaire: gestionnaire, claimant: create(:gestionnaire)) }
+
+      it { expect{ subject }.to change(Commentaire, :count).by(1) }
+    end
+
+    context "when gestionnaire has access to dossier" do
+      before do
+        gestionnaire.procedures << dossier.procedure
+      end
+
      context "création correct d'un commentaire" do
        subject { post :create, params: {dossier_id: dossier_id, email_commentaire: email_commentaire, texte_commentaire: texte_commentaire} }

@ -58,8 +77,8 @@ describe Backoffice::CommentairesController, type: :controller do
          subject
        end

-      it 'Internal notification is not create' do
-        expect { subject }.to change(Notification, :count).by (0)
+        it 'Internal notification is created' do
+          expect { subject }.to change(Notification, :count).by (1)
        end

        describe 'piece justificative created' do
@ -96,7 +115,7 @@ describe Backoffice::CommentairesController, type: :controller do
        context 'gestionnaire is connected' do
          context 'when dossier is at state updated' do
            before do
-            sign_in create(:gestionnaire)
+              sign_in gestionnaire
              dossier.updated!

              post :create, params: {dossier_id: dossier_id, texte_commentaire: texte_commentaire}
@ -130,3 +149,4 @@ describe Backoffice::CommentairesController, type: :controller do
      end
    end
  end
+end
--- a/spec/controllers/users/commentaires_controller_spec.rb
+++ b/spec/controllers/users/commentaires_controller_spec.rb
@ -11,6 +11,28 @@ describe Users::CommentairesController, type: :controller do
  end

  describe '#POST create' do
+    context "when user has no access to dossier" do
+      before do
+        sign_in create(:user)
+      end
+      subject { post :create, params: { dossier_id: dossier_id, texte_commentaire: texte_commentaire } }
+
+      it { expect { subject }.to raise_error(ActiveRecord::RecordNotFound) }
+      it { expect { subject rescue nil }.to change(Commentaire, :count).by(0) }
+    end
+
+    context "when user is invited on dossier" do
+      let(:user) { create(:user) }
+      subject { post :create, params: { dossier_id: dossier_id, texte_commentaire: texte_commentaire } }
+
+      before do
+        sign_in user
+        InviteUser.create(dossier: dossier, user: user, email: user.email, email_sender: "test@test.com")
+      end
+
+      it { expect{ subject }.to change(Commentaire, :count).by(1) }
+    end
+
    context 'création correct d\'un commentaire' do
      subject do
        sign_in dossier.user