Merge pull request #618 from sgmap/check_admin_ownership_on_procedure

Check admin ownership on procedure
2017-07-20 18:21:30 +02:00 · 2017-07-20 18:21:30 +02:00 · e19410ed75
commit e19410ed75
parent 409bed4080 1d0734dda2
2 changed files with 34 additions and 5 deletions
--- a/app/controllers/admin/procedures_controller.rb
+++ b/app/controllers/admin/procedures_controller.rb
@ -43,7 +43,7 @@ class Admin::ProceduresController < AdminController
  end

  def hide
-    procedure = Procedure.find(params[:id])
+    procedure = current_administrateur.procedures.find(params[:id])
    procedure.hide!

    flash.notice = "Procédure supprimée, en cas d'erreur contactez nous : contact@tps.apientreprise.fr"
@ -51,7 +51,7 @@ class Admin::ProceduresController < AdminController
  end

  def destroy
-    procedure = Procedure.find(params[:id])
+    procedure = current_administrateur.procedures.find(params[:id])

    return render json: {}, status: 401 if procedure.publiee_ou_archivee?

--- a/spec/controllers/admin/procedures_controller_spec.rb
+++ b/spec/controllers/admin/procedures_controller_spec.rb
@ -54,9 +54,9 @@ describe Admin::ProceduresController, type: :controller do
  end

  describe 'DELETE #destroy' do
-    let(:procedure_draft) { create :procedure, published_at: nil, archived_at: nil }
-    let(:procedure_published) { create :procedure, published_at: Time.now, archived_at: nil }
-    let(:procedure_archived) { create :procedure, published_at: nil, archived_at: Time.now }
+    let(:procedure_draft) { create :procedure, administrateur: admin, published_at: nil, archived_at: nil }
+    let(:procedure_published) { create :procedure, administrateur: admin, published_at: Time.now, archived_at: nil }
+    let(:procedure_archived) { create :procedure, administrateur: admin, published_at: nil, archived_at: Time.now }

    subject { delete :destroy, params: {id: procedure.id} }

@ -91,6 +91,14 @@ describe Admin::ProceduresController, type: :controller do

      it { expect(subject.status).to eq 401 }
    end
+
+    context "when administrateur does not own the procedure" do
+      let(:procedure_not_owned) { create :procedure, administrateur: create(:administrateur), published_at: nil, archived_at: nil }
+
+      subject { delete :destroy, params: {id: procedure_not_owned.id} }
+
+      it { expect{ subject }.to raise_error(ActiveRecord::RecordNotFound) }
+    end
  end

  describe 'GET #edit' do
@ -527,4 +535,25 @@ describe Admin::ProceduresController, type: :controller do
      end
    end
  end
+
+  describe "POST hide" do
+    subject { post :hide, params: { id: procedure.id } }
+
+    context "when procedure is not owned by administrateur" do
+      let!(:procedure) { create :procedure, administrateur: create(:administrateur) }
+
+      it { expect{ subject }.to raise_error(ActiveRecord::RecordNotFound) }
+    end
+
+    context "when procedure is owned by administrateur" do
+      let!(:procedure) { create :procedure, administrateur: admin }
+
+      before do
+         subject
+         procedure.reload
+       end
+
+      it { expect(procedure.hidden_at).to_not eq nil }
+    end
+  end
 end