[Fix #162] Deny dossier access for an unauthorized accompagnateur

This commit is contained in:
gregoirenovel 2017-05-02 15:58:21 +02:00
parent 408cefc809
commit eff9e556e9
4 changed files with 30 additions and 4 deletions

View file

@ -1,6 +1,8 @@
class Backoffice::DossiersController < Backoffice::DossiersListController
respond_to :html, :xlsx, :ods, :csv
before_action :ensure_gestionnaire_is_authorized, only: :show
def index
procedure = current_gestionnaire.procedure_filter
@ -185,6 +187,14 @@ class Backoffice::DossiersController < Backoffice::DossiersListController
private
def ensure_gestionnaire_is_authorized
current_gestionnaire.dossiers.find(params[:id])
rescue ActiveRecord::RecordNotFound
flash.alert = t('errors.messages.dossier_not_found')
redirect_to url_for(controller: '/backoffice')
end
def create_dossier_facade dossier_id
@facade = DossierFacades.new dossier_id, current_gestionnaire.email

View file

@ -1,7 +1,8 @@
require 'spec_helper'
feature 'add commentaire on backoffice' do
let(:dossier) { create(:dossier, :with_entreprise) }
let(:procedure) { create(:procedure) }
let(:dossier) { create(:dossier, :with_entreprise, procedure: procedure, state: 'updated') }
let(:dossier_id) { dossier.id }
let!(:commentaire) { create(:commentaire, dossier: dossier, email: 'toto@toto.com') }
let(:email_commentaire) { 'test@test.com' }
@ -10,6 +11,7 @@ feature 'add commentaire on backoffice' do
let(:body) { 'Commentaire de test' }
before do
create :assign_to, gestionnaire: gestionnaire, procedure: procedure
login_as gestionnaire, scope: :gestionnaire
visit backoffice_dossier_path(dossier)
end

View file

@ -1,12 +1,13 @@
require 'spec_helper'
feature 'backoffice: flux de commentaires' do
let(:procedure) { create(:procedure) }
let(:gestionnaire) { create(:gestionnaire) }
let(:dossier) { create(:dossier, :with_entreprise) }
let(:dossier) { create(:dossier, :with_entreprise, procedure: procedure, state: 'updated') }
let(:dossier_id) { dossier.id }
let(:champ1) { dossier.champs.first }
let(:champ2) { create(:champ, dossier: dossier, type_de_champ: create(:type_de_champ_public, libelle: "subtitle")) }
let(:champ1) { create(:champ, dossier: dossier, type_de_champ: create(:type_de_champ_public, libelle: "subtitle1")) }
let(:champ2) { create(:champ, dossier: dossier, type_de_champ: create(:type_de_champ_public, libelle: "subtitle2")) }
let!(:commentaire1) { create(:commentaire, dossier: dossier, champ: champ1) }
let!(:commentaire2) { create(:commentaire, dossier: dossier) }
@ -14,6 +15,7 @@ feature 'backoffice: flux de commentaires' do
let!(:commentaire4) { create(:commentaire, dossier: dossier, champ: champ1) }
before do
create :assign_to, gestionnaire: gestionnaire, procedure: procedure
login_as gestionnaire, scope: :gestionnaire
visit backoffice_dossier_path(dossier)
end

View file

@ -32,6 +32,18 @@ feature 'on backoffice page', js: true do
expect(page).to have_css('#backoffice-dossier-show')
end
end
context "and goes to the page of a dossier he hasn't access to" do
let!(:unauthorized_dossier) { create(:dossier, :with_entreprise, state: 'updated') }
before do
visit backoffice_dossier_path(unauthorized_dossier)
end
scenario "it shows an error message" do
expect(page).to have_content("Le dossier n'existe pas ou vous n'y avez pas accès.")
end
end
end
context 'when gestionnaire have enterprise and individual dossier in his inbox', js: true do