protect page with check the owner's dossier

2015-10-09 17:33:33 +02:00 · 2015-10-09 17:33:33 +02:00 · c6ed98b978
commit c6ed98b978
parent 0bd43e538a
11 changed files with 98 additions and 16 deletions
--- a/spec/controllers/users/carte_controller_spec.rb
+++ b/spec/controllers/users/carte_controller_spec.rb
@ -37,6 +37,8 @@ RSpec.describe Users::CarteController, type: :controller do
      get :show, dossier_id: bad_dossier_id
      expect(response).to redirect_to(controller: :dossiers, action: :index)
    end
+
+    it_behaves_like "not owner of dossier", :show
  end

  describe 'POST #save_ref_api_carto' do
--- a/spec/controllers/users/description_controller_spec.rb
+++ b/spec/controllers/users/description_controller_spec.rb
@ -11,7 +11,6 @@ describe Users::DescriptionController, type: :controller do
  end

  describe 'GET #show' do
-
    context 'user is not connected' do
      before do
        sign_out dossier.user
@ -30,8 +29,10 @@ describe Users::DescriptionController, type: :controller do

    it 'redirection vers start si mauvais dossier ID' do
      get :show, dossier_id: bad_dossier_id
-      expect(response).to redirect_to(controller: :siret)
+      expect(response).to redirect_to(root_path)
    end
+
+    it_behaves_like "not owner of dossier", :show
  end

  describe 'POST #create' do
--- a/spec/controllers/users/dossiers_controller_spec.rb
+++ b/spec/controllers/users/dossiers_controller_spec.rb
@ -30,7 +30,7 @@ describe Users::DossiersController, type: :controller do

  describe 'GET #show' do
    before do
-        sign_in create(:user)
+        sign_in dossier.user
    end
    it 'returns http success with dossier_id valid' do
      get :show, id: dossier_id
@ -130,7 +130,7 @@ describe Users::DossiersController, type: :controller do

  describe 'PUT #update' do
    before do
-      sign_in create(:user)
+      sign_in dossier.user
      put :update, id: dossier_id, dossier: { autorisation_donnees: autorisation_donnees }
    end
    context 'when Checkbox is checked' do
--- a/spec/controllers/users/recapitulatif_controller_spec.rb
+++ b/spec/controllers/users/recapitulatif_controller_spec.rb
@ -16,8 +16,11 @@ describe Users::RecapitulatifController, type: :controller do

    it 'redirection vers siret si mauvais dossier ID' do
      get :show, dossier_id: bad_dossier_id
-      expect(response).to redirect_to('/users/siret')
+      expect(response).to redirect_to('/')
    end
+
+    it_behaves_like "not owner of dossier", :show
+
  end

  describe 'POST #propose' do
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe UsersController, type: :controller do
+
+  describe '.current_user_dossier' do
+    let(:user) { create(:user) }
+    let(:dossier) { create(:dossier, user: user)}
+
+    before do
+      sign_in user
+    end
+
+    context 'when no params table exist and no params past at the function' do
+      it { expect{ subject.current_user_dossier }.to raise_error }
+    end
+
+    context 'when no params table exist and params past at the function' do
+      context 'when dossier id is good' do
+        it 'returns current user dossier' do
+          expect(subject.current_user_dossier dossier.id).to eq(dossier)
+        end
+      end
+
+      context 'when dossier id is bad' do
+        it { expect{ subject.current_user_dossier 1 }.to raise_error }
+      end
+    end
+
+    context 'when params table exist and no params past at the function' do
+      context 'when dossier id is good' do
+        before do
+          subject.params[:dossier_id] = dossier.id
+        end
+
+        it 'returns current user dossier' do
+          expect(subject.current_user_dossier).to eq(dossier)
+        end
+      end
+
+      context 'when dossier id is bad' do
+        it { expect{ subject.current_user_dossier }.to raise_error }
+      end
+    end
+
+    context 'when params table exist and params past at the function' do
+      before do
+        subject.params[:dossier_id] = 1
+      end
+
+      it 'returns dossier with the id on params past' do
+        expect(subject.current_user_dossier dossier.id).to eq(dossier)
+      end
+    end
+  end
+end
--- a/spec/support/shared_exemples_for_dossier.rb
+++ b/spec/support/shared_exemples_for_dossier.rb
@ -0,0 +1,20 @@
+require 'spec_helper'
+
+RSpec.shared_examples 'not owner of dossier' do |controller, redirect|
+  let(:dossier_2) { create(:dossier, :with_user) }
+
+  before do
+    get controller, dossier_id: dossier_2.id
+  end
+
+  it 'redirect to home page' do
+    redirect_page = '/'
+    redirect_page = redirect unless redirect.nil?
+
+    expect(response).to redirect_to(redirect_page)
+  end
+
+  it 'show a flash message error' do
+    expect(flash[:alert]).to be_present
+  end
+end