From c6ed98b9782afe18ad6b816db581c250a617e4df Mon Sep 17 00:00:00 2001
From: Xavier J
Date: Fri, 9 Oct 2015 17:33:33 +0200
Subject: [PATCH] protect page with check the owner's dossier

---
 app/controllers/users/carte_controller.rb           | 7 ++-
 .../users/description_controller.rb                 | 6 +-
 app/controllers/users/dossiers_controller.rb        | 4 +-
 .../users/recapitulatif_controller.rb               | 4 +-
 config/locales/fr.yml                               | 2 +-
 .../users/carte_controller_spec.rb                  | 2 +
 .../users/description_controller_spec.rb            | 5 +-
 .../users/dossiers_controller_spec.rb               | 4 +-
 .../users/recapitulatif_controller_spec.rb          | 5 +-
 spec/controllers/users_controller_spec.rb           | 55 +++++++++++++++++++
 spec/support/shared_exemples_for_dossier.rb         | 20 +++++++
 11 files changed, 98 insertions(+), 16 deletions(-)
 create mode 100644 spec/support/shared_exemples_for_dossier.rb

diff --git a/app/controllers/users/carte_controller.rb b/app/controllers/users/carte_controller.rb
index 246eca252..780ed1a71 100644
--- a/app/controllers/users/carte_controller.rb
+++ b/app/controllers/users/carte_controller.rb
@@ -2,13 +2,14 @@ class Users::CarteController < UsersController
   include DossierConcern
 
   def show
-    @dossier = current_dossier
+    @dossier = current_user_dossier
   rescue ActiveRecord::RecordNotFound
+    flash.alert = t('errors.messages.dossier_not_found')
     redirect_to url_for(controller: :dossiers, action: :index)
   end
 
   def save_ref_api_carto
-    dossier = current_dossier
+    dossier = current_user_dossier
 
     if dossier.draft?
       dossier.update_attributes(ref_dossier_carto: params[:ref_dossier])
@@ -27,7 +28,7 @@ class Users::CarteController < UsersController
   end
 
   def get_position
-    dossier = current_dossier
+    dossier = current_user_dossier
 
     if dossier.position_lat.nil?
       tmp_position = Carto::Geocodeur.convert_adresse_to_point(dossier.etablissement.adresse.gsub("\r\n", ' '))
diff --git a/app/controllers/users/description_controller.rb b/app/controllers/users/description_controller.rb
index 0e32da2a1..2824c140e 100644
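Review bot: The ownership check in `show` rests entirely on `current_user_dossier`, which this patch calls but never defines — `app/controllers/users_controller.rb` is not in the diffstat — so nothing visible here confirms that the helper scopes the lookup through the signed-in user (e.g. `current_user.dossiers.find(...)`) rather than loading any `Dossier` by id; that definition belongs in the same review. The `rescue ActiveRecord::RecordNotFound` branch only protects anything if the helper raises that exact exception for a foreign dossier, which is also what the new flash text ("does not exist or you have no access") assumes, so a comment such as `# current_user_dossier raises RecordNotFound for dossiers the user does not own` above the rescue would make the contract explicit. `save_ref_api_carto` and `get_position` in this pair of hunks have no rescue, so a foreign id there surfaces as an unhandled RecordNotFound rather than a redirect — presumably a 404 under Rails' default handling, but it differs from `show`. Both of those method bodies continue past the hunk.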
--- a/app/controllers/users/description_controller.rb
+++ b/app/controllers/users/description_controller.rb
@@ -1,13 +1,13 @@
 class Users::DescriptionController < UsersController
   def show
-    @dossier = Dossier.find(params[:dossier_id])
+    @dossier = current_user_dossier
     @dossier = @dossier.decorate
     @procedure = @dossier.procedure
 
 
   rescue ActiveRecord::RecordNotFound
     flash.alert = t('errors.messages.dossier_not_found')
-    redirect_to url_for(controller: :siret)
+    redirect_to url_for(root_path)
   end
 
   def error
@@ -17,7 +17,7 @@ class Users::DescriptionController < UsersController
   end
 
   def create
-    @dossier = Dossier.find(params[:dossier_id])
+    @dossier = current_user_dossier
     unless @dossier.update_attributes(create_params)
       @dossier = @dossier.decorate
       @procedure = @dossier.procedure
diff --git a/app/controllers/users/dossiers_controller.rb b/app/controllers/users/dossiers_controller.rb
index 8d7ee0257..1287b9bc8 100644
--- a/app/controllers/users/dossiers_controller.rb
+++ b/app/controllers/users/dossiers_controller.rb
@@ -5,7 +5,7 @@ class Users::DossiersController < UsersController
   end
 
   def show
-    @dossier = Dossier.find(params[:id])
+    @dossier = current_user_dossier params[:id]
     @etablissement = @dossier.etablissement
     @entreprise = @dossier.entreprise.decorate
 
@@ -43,7 +43,7 @@ class Users::DossiersController < UsersController
 
   def update
-    @dossier = Dossier.find(params[:id])
+    @dossier = current_user_dossier params[:id]
 
     if checked_autorisation_donnees?
       @dossier.update_attributes(update_params)
 
diff --git a/app/controllers/users/recapitulatif_controller.rb b/app/controllers/users/recapitulatif_controller.rb
index ceca3647a..37e7f08dd 100644
--- a/app/controllers/users/recapitulatif_controller.rb
+++ b/app/controllers/users/recapitulatif_controller.rb
@@ -1,6 +1,6 @@
 class Users::RecapitulatifController < UsersController
   def show
-    @dossier = Dossier.find(params[:dossier_id])
+    @dossier = current_user_dossier
     @dossier = @dossier.decorate
     @procedure = @dossier.procedure
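Review bot: `redirect_to url_for(root_path)` wraps a String in `url_for`, which hands it back unchanged; `redirect_to root_path` is the idiomatic form and reads consistently with the hash form `url_for(controller: :dossiers, action: :index)` used in the carte controller. The same construct is introduced in the recapitulatif controller's rescue in a later hunk. `create` in the second hunk of this file takes the same `current_user_dossier` lookup but has no `rescue`, so a non-owner POST raises `ActiveRecord::RecordNotFound` instead of redirecting with the flash; denying is still the outcome, but since it diverges from `show` a one-line note like `# no rescue: a foreign dossier_id is left to the app's RecordNotFound handling` would stop the next reader treating it as an omission. The `create` body continues outside the hunk.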
@@ -13,7 +13,7 @@ class Users::RecapitulatifController < UsersController
     @commentaire_email = 'user@email'
   rescue ActiveRecord::RecordNotFound
     flash.alert = t('errors.messages.dossier_not_found')
-    redirect_to url_for(controller: :siret)
+    redirect_to url_for(root_path)
   end
 
   def propose
diff --git a/config/locales/fr.yml b/config/locales/fr.yml
index ae19320e8..3ade15838 100644
--- a/config/locales/fr.yml
+++ b/config/locales/fr.yml
@@ -78,7 +78,7 @@ fr:
       not_saved:
         one: "1 erreur a empêché ce(tte) %{resource} d'être sauvegardé(e) :"
         other: "%{count} erreurs ont empêché ce(tte) %{resource} d'être sauvegardé(e) :"
-      dossier_not_found: "Le dossier n'existe pas"
+      dossier_not_found: "Le dossier n'existe pas ou vous n'y avez pas accès."
       invalid_siret: "Le siret est incorrect"
       france_connect:
         connexion: "Erreur lors de la connexion à France Connect."
diff --git a/spec/controllers/users/carte_controller_spec.rb b/spec/controllers/users/carte_controller_spec.rb
index 89d20b6e2..03fa062e0 100644
--- a/spec/controllers/users/carte_controller_spec.rb
+++ b/spec/controllers/users/carte_controller_spec.rb
@@ -37,6 +37,8 @@ RSpec.describe Users::CarteController, type: :controller do
       get :show, dossier_id: bad_dossier_id
       expect(response).to redirect_to(controller: :dossiers, action: :index)
     end
+
+    it_behaves_like "not owner of dossier", :show
   end
 
   describe 'POST #save_ref_api_carto' do
diff --git a/spec/controllers/users/description_controller_spec.rb b/spec/controllers/users/description_controller_spec.rb
index dddd0fb1c..f544d2209 100644
--- a/spec/controllers/users/description_controller_spec.rb
+++ b/spec/controllers/users/description_controller_spec.rb
@@ -11,7 +11,6 @@ describe Users::DescriptionController, type: :controller do
   end
 
   describe 'GET #show' do
-
     context 'user is not connected' do
       before do
         sign_out dossier.user
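Review bot: `it_behaves_like "not owner of dossier", :show` is called without the redirect argument, so the shared example defaults to expecting a redirect to `'/'`, while the `bad_dossier_id` example two lines above asserts `redirect_to(controller: :dossiers, action: :index)` for the very same rescue branch of `CarteController#show`; both can only pass if the root route happens to be that index action, which nothing in the patch shows. The shared example already accepts anything the `redirect_to` matcher takes, so passing the same target keeps one source of truth: `it_behaves_like "not owner of dossier", :show, controller: :dossiers, action: :index`. This matters because a silently mismatched expectation here would mask the one non-owner test the carte controller gets.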
@@ -30,8 +29,10 @@ describe Users::DescriptionController, type: :controller do
 
     it 'redirection vers start si mauvais dossier ID' do
       get :show, dossier_id: bad_dossier_id
-      expect(response).to redirect_to(controller: :siret)
+      expect(response).to redirect_to(root_path)
     end
+
+    it_behaves_like "not owner of dossier", :show
   end
 
   describe 'POST #create' do
diff --git a/spec/controllers/users/dossiers_controller_spec.rb b/spec/controllers/users/dossiers_controller_spec.rb
index e12cb342a..87b2f7d75 100644
--- a/spec/controllers/users/dossiers_controller_spec.rb
+++ b/spec/controllers/users/dossiers_controller_spec.rb
@@ -30,7 +30,7 @@ describe Users::DossiersController, type: :controller do
 
   describe 'GET #show' do
     before do
-      sign_in create(:user)
+      sign_in dossier.user
     end
     it 'returns http success with dossier_id valid' do
       get :show, id: dossier_id
@@ -130,7 +130,7 @@ describe Users::DossiersController, type: :controller do
 
   describe 'PUT #update' do
     before do
-      sign_in create(:user)
+      sign_in dossier.user
       put :update, id: dossier_id, dossier: { autorisation_donnees: autorisation_donnees }
     end
     context 'when Checkbox is checked' do
diff --git a/spec/controllers/users/recapitulatif_controller_spec.rb b/spec/controllers/users/recapitulatif_controller_spec.rb
index b7e7413d9..e82bfc7fd 100644
--- a/spec/controllers/users/recapitulatif_controller_spec.rb
+++ b/spec/controllers/users/recapitulatif_controller_spec.rb
@@ -16,8 +16,11 @@ describe Users::RecapitulatifController, type: :controller do
 
     it 'redirection vers siret si mauvais dossier ID' do
       get :show, dossier_id: bad_dossier_id
-      expect(response).to redirect_to('/users/siret')
+      expect(response).to redirect_to('/')
     end
+
+    it_behaves_like "not owner of dossier", :show
+
   end
 
   describe 'POST #propose' do
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index e69de29bb..fe2c205ae 100644
--- a/spec/controllers/users_controller_spec.rb
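Review bot: Switching `sign_in create(:user)` to `sign_in dossier.user` is what the new owner check needs for the existing `show` and `update` examples to pass, but it leaves this controller with no test that a different user is rejected — the only negative coverage in the patch is the `not owner of dossier` shared example, which sends `dossier_id:` and so cannot drive these `id:`-keyed actions. Add a context that keeps `sign_in create(:user)` and asserts the lookup fails, e.g. `expect { get :show, id: dossier_id }.to raise_error(ActiveRecord::RecordNotFound)`, since `DossiersController#show` has no rescue and controller specs do not pass through the 404 middleware (this assumes `current_user_dossier` raises RecordNotFound, as the rescue clauses elsewhere in the patch expect). The `PUT #update` hunk needs the same case, with the `put` taken out of `before` so the failing request can be wrapped; without it a regression in `update`'s lookup would let one user rewrite another's `autorisation_donnees` unnoticed.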
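Review bot: The example name `'redirection vers siret si mauvais dossier ID'` no longer describes what the example asserts now that the expectation has become `redirect_to('/')`; rename it to match, e.g. `it 'redirection vers la racine si mauvais dossier ID' do`. The stray blank line added after `it_behaves_like "not owner of dossier", :show` before `end` is also absent from the carte and description specs in this patch.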
+++ b/spec/controllers/users_controller_spec.rb
@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe UsersController, type: :controller do
+
+  describe '.current_user_dossier' do
+    let(:user) { create(:user) }
+    let(:dossier) { create(:dossier, user: user)}
+
+    before do
+      sign_in user
+    end
+
+    context 'when no params table exist and no params past at the function' do
+      it { expect{ subject.current_user_dossier }.to raise_error }
+    end
+
+    context 'when no params table exist and params past at the function' do
+      context 'when dossier id is good' do
+        it 'returns current user dossier' do
+          expect(subject.current_user_dossier dossier.id).to eq(dossier)
+        end
+      end
+
+      context 'when dossier id is bad' do
+        it { expect{ subject.current_user_dossier 1 }.to raise_error }
+      end
+    end
+
+    context 'when params table exist and no params past at the function' do
+      context 'when dossier id is good' do
+        before do
+          subject.params[:dossier_id] = dossier.id
+        end
+
+        it 'returns current user dossier' do
+          expect(subject.current_user_dossier).to eq(dossier)
+        end
+      end
+
+      context 'when dossier id is bad' do
+        it { expect{ subject.current_user_dossier }.to raise_error }
+      end
+    end
+
+    context 'when params table exist and params past at the function' do
+      before do
+        subject.params[:dossier_id] = 1
+      end
+
+      it 'returns dossier with the id on params past' do
+        expect(subject.current_user_dossier dossier.id).to eq(dossier)
+      end
+    end
+  end
+end
\ No newline at end of file
diff --git a/spec/support/shared_exemples_for_dossier.rb b/spec/support/shared_exemples_for_dossier.rb
new file mode 100644
index 000000000..1d0fdc84c
--- /dev/null
+++ b/spec/support/shared_exemples_for_dossier.rb
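Review bot: The three failure cases assert a bare `raise_error`, which passes on any `StandardError` — a `NoMethodError` from a misspelled helper or a nil `params` would satisfy it just as well — so they do not prove the lookup refuses the dossier; write `expect { subject.current_user_dossier }.to raise_error(ActiveRecord::RecordNotFound)`, the exception the controllers' `rescue` clauses in this patch rely on (RSpec also warns that the bare form "risks false positives"). None of these contexts covers the case the commit title is about — a dossier that exists but belongs to another user — since the "bad" ids are simply absent; a context with `let(:other_dossier) { create(:dossier, :with_user) }` asserting `subject.current_user_dossier other_dossier.id` raises would pin the ownership check at the unit level, independent of the controller specs. The literal `1` in the last context is assigned to `params[:dossier_id]` before the lazy `dossier` is created, so its safety depends on the test database never handing out id 1; `dossier.id + 1` or the foreign dossier above avoids that. `'.current_user_dossier'` in the describe string denotes a class method; the helper is called on an instance, so `'#current_user_dossier'` is the conventional label.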
@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+RSpec.shared_examples 'not owner of dossier' do |controller, redirect|
+  let(:dossier_2) { create(:dossier, :with_user) }
+
+  before do
+    get controller, dossier_id: dossier_2.id
+  end
+
+  it 'redirect to home page' do
+    redirect_page = '/'
+    redirect_page = redirect unless redirect.nil?
+
+    expect(response).to redirect_to(redirect_page)
+  end
+
+  it 'show a flash message error' do
+    expect(flash[:alert]).to be_present
+  end
+end
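Review bot: The shared example only ever issues `get controller, dossier_id: dossier_2.id`, so it can cover the read-only `show` actions but not the state-changing ones this patch also moved to `current_user_dossier` (`save_ref_api_carto`, `create`, `propose`), which are exactly the paths where a non-owner could alter someone else's dossier. Taking the verb as a third parameter, `do |controller, redirect, verb = :get|` with `send(verb, controller, dossier_id: dossier_2.id)` in the `before`, lets callers write `it_behaves_like 'not owner of dossier', :create, '/', :post`; note the actions without a `rescue` would need a raise expectation instead of the redirect one, so a second, simpler example asserting `raise_error(ActiveRecord::RecordNotFound)` may be the cleaner split. The two-line default dance for `redirect_page` reduces to `expect(response).to redirect_to(redirect || '/')`. Minor: `require 'spec_helper'` is redundant in a file that spec_helper itself loads from `spec/support`, and the filename `shared_exemples_for_dossier.rb` is misspelled ("examples").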