DGNum/demarches-normaliennes
13
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

Merge pull request #618 from sgmap/check_admin_ownership_on_procedure

Browse source 
Check admin ownership on procedure
This commit is contained in:
Mathieu Magnin 2017-07-20 18:21:30 +02:00 committed by GitHub
commit e19410ed75
2 changed files with 34 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/controllers/admin/procedures_controller.rb
View file

@ -43,7 +43,7 @@ class Admin::ProceduresController < AdminController
end end
def hide def hide
procedure = Procedure.find(params[:id]) procedure = current_administrateur.procedures.find(params[:id])
procedure.hide! procedure.hide!
flash.notice = "Procédure supprimée, en cas d'erreur contactez nous : contact@tps.apientreprise.fr" flash.notice = "Procédure supprimée, en cas d'erreur contactez nous : contact@tps.apientreprise.fr"
@ -51,7 +51,7 @@ class Admin::ProceduresController < AdminController
end end
def destroy def destroy
procedure = Procedure.find(params[:id]) procedure = current_administrateur.procedures.find(params[:id])
return render json: {}, status: 401 if procedure.publiee_ou_archivee? return render json: {}, status: 401 if procedure.publiee_ou_archivee?

35
spec/controllers/admin/procedures_controller_spec.rb
View file

@ -54,9 +54,9 @@ describe Admin::ProceduresController, type: :controller do
end end
describe 'DELETE #destroy' do describe 'DELETE #destroy' do
let(:procedure_draft) { create :procedure, published_at: nil, archived_at: nil } let(:procedure_draft) { create :procedure, administrateur: admin, published_at: nil, archived_at: nil }
let(:procedure_published) { create :procedure, published_at: Time.now, archived_at: nil } let(:procedure_published) { create :procedure, administrateur: admin, published_at: Time.now, archived_at: nil }
let(:procedure_archived) { create :procedure, published_at: nil, archived_at: Time.now } let(:procedure_archived) { create :procedure, administrateur: admin, published_at: nil, archived_at: Time.now }
subject { delete :destroy, params: {id: procedure.id} } subject { delete :destroy, params: {id: procedure.id} }
@ -91,6 +91,14 @@ describe Admin::ProceduresController, type: :controller do
it { expect(subject.status).to eq 401 } it { expect(subject.status).to eq 401 }
end end
context "when administrateur does not own the procedure" do
let(:procedure_not_owned) { create :procedure, administrateur: create(:administrateur), published_at: nil, archived_at: nil }
subject { delete :destroy, params: {id: procedure_not_owned.id} }
it { expect{ subject }.to raise_error(ActiveRecord::RecordNotFound) }
end
end end
describe 'GET #edit' do describe 'GET #edit' do
@ -527,4 +535,25 @@ describe Admin::ProceduresController, type: :controller do
end end
end end
end end
describe "POST hide" do
subject { post :hide, params: { id: procedure.id } }
context "when procedure is not owned by administrateur" do
let!(:procedure) { create :procedure, administrateur: create(:administrateur) }
it { expect{ subject }.to raise_error(ActiveRecord::RecordNotFound) }
end
context "when procedure is owned by administrateur" do
let!(:procedure) { create :procedure, administrateur: admin }
before do
subject
procedure.reload
end
it { expect(procedure.hidden_at).to_not eq nil }
end
end
end end