DGNum/demarches-normaliennes
11
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

protect page with check the owner's dossier

Browse source
This commit is contained in:
Xavier J 2015-10-09 17:33:33 +02:00
parent 0bd43e538a
commit c6ed98b978
11 changed files with 98 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
app/controllers/users/carte_controller.rb
View file

@ -2,13 +2,14 @@ class Users::CarteController < UsersController
include DossierConcern
def show
@dossier = current_dossier
@dossier = current_user_dossier
rescue ActiveRecord::RecordNotFound
flash.alert = t('errors.messages.dossier_not_found')
redirect_to url_for(controller: :dossiers, action: :index)
end
def save_ref_api_carto
dossier = current_dossier
dossier = current_user_dossier
if dossier.draft?
dossier.update_attributes(ref_dossier_carto: params[:ref_dossier])
@ -27,7 +28,7 @@ class Users::CarteController < UsersController
end
def get_position
dossier = current_dossier
dossier = current_user_dossier
if dossier.position_lat.nil?
tmp_position = Carto::Geocodeur.convert_adresse_to_point(dossier.etablissement.adresse.gsub("\r\n", ' '))

6
app/controllers/users/description_controller.rb
View file

@ -1,13 +1,13 @@
class Users::DescriptionController < UsersController
def show
@dossier = Dossier.find(params[:dossier_id])
@dossier = current_user_dossier
@dossier = @dossier.decorate
@procedure = @dossier.procedure
rescue ActiveRecord::RecordNotFound
flash.alert = t('errors.messages.dossier_not_found')
redirect_to url_for(controller: :siret)
redirect_to url_for(root_path)
end
def error
@ -17,7 +17,7 @@ class Users::DescriptionController < UsersController
end
def create
@dossier = Dossier.find(params[:dossier_id])
@dossier = current_user_dossier
unless @dossier.update_attributes(create_params)
@dossier = @dossier.decorate
@procedure = @dossier.procedure

4
app/controllers/users/dossiers_controller.rb
View file

@ -5,7 +5,7 @@ class Users::DossiersController < UsersController
end
def show
@dossier = Dossier.find(params[:id])
@dossier = current_user_dossier params[:id]
@etablissement = @dossier.etablissement
@entreprise = @dossier.entreprise.decorate
@ -43,7 +43,7 @@ class Users::DossiersController < UsersController
def update
@dossier = Dossier.find(params[:id])
@dossier = current_user_dossier params[:id]
if checked_autorisation_donnees?
@dossier.update_attributes(update_params)

4
app/controllers/users/recapitulatif_controller.rb
View file

@ -1,6 +1,6 @@
class Users::RecapitulatifController < UsersController
def show
@dossier = Dossier.find(params[:dossier_id])
@dossier = current_user_dossier
@dossier = @dossier.decorate
@procedure = @dossier.procedure
@ -13,7 +13,7 @@ class Users::RecapitulatifController < UsersController
@commentaire_email = 'user@email'
rescue ActiveRecord::RecordNotFound
flash.alert = t('errors.messages.dossier_not_found')
redirect_to url_for(controller: :siret)
redirect_to url_for(root_path)
end
def propose

2
config/locales/fr.yml
View file

@ -78,7 +78,7 @@ fr:
not_saved:
one: "1 erreur a empêché ce(tte) %{resource} d'être sauvegardé(e) :"
other: "%{count} erreurs ont empêché ce(tte) %{resource} d'être sauvegardé(e) :"
dossier_not_found: "Le dossier n'existe pas"
dossier_not_found: "Le dossier n'existe pas ou vous n'y avez pas accès."
invalid_siret: "Le siret est incorrect"
france_connect:
connexion: "Erreur lors de la connexion à France Connect."

2
spec/controllers/users/carte_controller_spec.rb
View file

@ -37,6 +37,8 @@ RSpec.describe Users::CarteController, type: :controller do
get :show, dossier_id: bad_dossier_id
expect(response).to redirect_to(controller: :dossiers, action: :index)
end
it_behaves_like "not owner of dossier", :show
end
describe 'POST #save_ref_api_carto' do

5
spec/controllers/users/description_controller_spec.rb
View file

@ -11,7 +11,6 @@ describe Users::DescriptionController, type: :controller do
end
describe 'GET #show' do
context 'user is not connected' do
before do
sign_out dossier.user
@ -30,8 +29,10 @@ describe Users::DescriptionController, type: :controller do
it 'redirection vers start si mauvais dossier ID' do
get :show, dossier_id: bad_dossier_id
expect(response).to redirect_to(controller: :siret)
expect(response).to redirect_to(root_path)
end
it_behaves_like "not owner of dossier", :show
end
describe 'POST #create' do

4
spec/controllers/users/dossiers_controller_spec.rb
View file

@ -30,7 +30,7 @@ describe Users::DossiersController, type: :controller do
describe 'GET #show' do
before do
sign_in create(:user)
sign_in dossier.user
end
it 'returns http success with dossier_id valid' do
get :show, id: dossier_id
@ -130,7 +130,7 @@ describe Users::DossiersController, type: :controller do
describe 'PUT #update' do
before do
sign_in create(:user)
sign_in dossier.user
put :update, id: dossier_id, dossier: { autorisation_donnees: autorisation_donnees }
end
context 'when Checkbox is checked' do

5
spec/controllers/users/recapitulatif_controller_spec.rb
View file

@ -16,8 +16,11 @@ describe Users::RecapitulatifController, type: :controller do
it 'redirection vers siret si mauvais dossier ID' do
get :show, dossier_id: bad_dossier_id
expect(response).to redirect_to('/users/siret')
expect(response).to redirect_to('/')
end
it_behaves_like "not owner of dossier", :show
end
describe 'POST #propose' do

55
spec/controllers/users_controller_spec.rb
View file

@ -0,0 +1,55 @@
require 'spec_helper'
describe UsersController, type: :controller do
describe '.current_user_dossier' do
let(:user) { create(:user) }
let(:dossier) { create(:dossier, user: user)}
before do
sign_in user
end
context 'when no params table exist and no params past at the function' do
it { expect{ subject.current_user_dossier }.to raise_error }
end
context 'when no params table exist and params past at the function' do
context 'when dossier id is good' do
it 'returns current user dossier' do
expect(subject.current_user_dossier dossier.id).to eq(dossier)
end
end
context 'when dossier id is bad' do
it { expect{ subject.current_user_dossier 1 }.to raise_error }
end
end
context 'when params table exist and no params past at the function' do
context 'when dossier id is good' do
before do
subject.params[:dossier_id] = dossier.id
end
it 'returns current user dossier' do
expect(subject.current_user_dossier).to eq(dossier)
end
end
context 'when dossier id is bad' do
it { expect{ subject.current_user_dossier }.to raise_error }
end
end
context 'when params table exist and params past at the function' do
before do
subject.params[:dossier_id] = 1
end
it 'returns dossier with the id on params past' do
expect(subject.current_user_dossier dossier.id).to eq(dossier)
end
end
end
end

20
spec/support/shared_exemples_for_dossier.rb Normal file
View file

@ -0,0 +1,20 @@
require 'spec_helper'
RSpec.shared_examples 'not owner of dossier' do |controller, redirect|
let(:dossier_2) { create(:dossier, :with_user) }
before do
get controller, dossier_id: dossier_2.id
end
it 'redirect to home page' do
redirect_page = '/'
redirect_page = redirect unless redirect.nil?
expect(response).to redirect_to(redirect_page)
end
it 'show a flash message error' do
expect(flash[:alert]).to be_present
end
end