[fix #2072] DossierController: check the user can update the dossier

2018-06-08 15:51:46 +02:00 · 2018-06-08 15:51:46 +02:00 · e11392981d
commit e11392981d
parent db4c0e11d2
3 changed files with 34 additions and 0 deletions
--- a/app/controllers/new_user/dossiers_controller.rb
+++ b/app/controllers/new_user/dossiers_controller.rb
@ -2,6 +2,7 @@ module NewUser
  class DossiersController < UserController
    before_action :ensure_ownership!, except: [:index, :modifier, :update]
    before_action :ensure_ownership_or_invitation!, only: [:modifier, :update]
+    before_action :ensure_dossier_can_be_updated, only: [:update_identite, :update]
    before_action :forbid_invite_submission!, only: [:update]

    def attestation
@ -109,6 +110,13 @@ module NewUser

    private

+    def ensure_dossier_can_be_updated
+      if !dossier.can_be_updated_by_the_user?
+        flash.alert = 'Votre dossier ne peut plus être modifié'
+        redirect_to users_dossiers_path
+      end
+    end
+
    def page
      [params[:page].to_i, 1].max
    end