[#1677] Prevent invites from submitting a dossier

2018-03-29 16:49:01 +02:00 · 2018-03-29 16:49:01 +02:00 · dd219d5d40
commit dd219d5d40
parent b869efd7d1
2 changed files with 21 additions and 3 deletions
--- a/app/controllers/new_user/dossiers_controller.rb
+++ b/app/controllers/new_user/dossiers_controller.rb
@ -2,6 +2,7 @@ module NewUser
  class DossiersController < UserController
    before_action :ensure_ownership!, except: [:index, :modifier, :update]
    before_action :ensure_ownership_or_invitation!, only: [:modifier, :update]
+    before_action :forbid_invite_submission!, only: [:update]

    def attestation
      send_data(dossier.attestation.pdf.read, filename: 'attestation.pdf', type: 'application/pdf')
@ -114,6 +115,12 @@ module NewUser
      end
    end

+    def forbid_invite_submission!
+      if passage_en_construction? && !owns_dossier?
+        forbidden!
+      end
+    end
+
    def forbidden!
      flash[:alert] = "Vous n'avez pas accès à ce dossier"
      redirect_to root_path
@ -131,6 +138,10 @@ module NewUser
      dossier.user_id == current_user.id
    end

+    def passage_en_construction?
+      dossier.brouillon? && !draft?
+    end
+
    def draft?
      params[:submit_action] == 'draft'
    end
--- a/spec/controllers/new_user/dossiers_controller_spec.rb
+++ b/spec/controllers/new_user/dossiers_controller_spec.rb
@ -3,14 +3,14 @@ require 'spec_helper'
 describe NewUser::DossiersController, type: :controller do
  let(:user) { create(:user) }

-  describe 'before_actions: ensure_ownership, ensure_ownership_or_invitation!' do
-    it 'is present' do
+  describe 'before_actions' do
+    it 'are present' do
      before_actions = NewUser::DossiersController
        ._process_action_callbacks
        .find_all{ |process_action_callbacks| process_action_callbacks.kind == :before }
        .map(&:filter)

-      expect(before_actions).to include(:ensure_ownership!, :ensure_ownership_or_invitation!)
+      expect(before_actions).to include(:ensure_ownership!, :ensure_ownership_or_invitation!, :forbid_invite_submission!)
    end
  end

@ -314,6 +314,13 @@ describe NewUser::DossiersController, type: :controller do
        it { expect(dossier.reload.state).to eq('brouillon') }
      end

+      context 'and the invite tries to submit the dossier' do
+        before { subject }
+
+        it { expect(response).to redirect_to(root_path) }
+        it { expect(flash.alert).to eq("Vous n'avez pas accès à ce dossier") }
+      end
+
      context 'and the invite updates a dossier en constructions' do
        before do
          dossier.en_construction!