[Fix #162] Deny dossier access for an unauthorized accompagnateur

2017-05-02 15:58:21 +02:00 · 2017-05-02 15:58:21 +02:00 · eff9e556e9
commit eff9e556e9
parent 408cefc809
4 changed files with 30 additions and 4 deletions
--- a/app/controllers/backoffice/dossiers_controller.rb
+++ b/app/controllers/backoffice/dossiers_controller.rb
@ -1,6 +1,8 @@
 class Backoffice::DossiersController < Backoffice::DossiersListController
  respond_to :html, :xlsx, :ods, :csv
  before_action :ensure_gestionnaire_is_authorized, only: :show
  def index
    procedure = current_gestionnaire.procedure_filter
@ -185,6 +187,14 @@ class Backoffice::DossiersController < Backoffice::DossiersListController
  private
  def ensure_gestionnaire_is_authorized
    current_gestionnaire.dossiers.find(params[:id])
  rescue ActiveRecord::RecordNotFound
    flash.alert = t('errors.messages.dossier_not_found')
    redirect_to url_for(controller: '/backoffice')
  end
  def create_dossier_facade dossier_id
    @facade = DossierFacades.new dossier_id, current_gestionnaire.email
--- a/spec/features/backoffice/add_commentaire_spec.rb
+++ b/spec/features/backoffice/add_commentaire_spec.rb
@ -1,7 +1,8 @@
 require 'spec_helper'
 feature 'add commentaire on backoffice' do
-  let(:dossier) { create(:dossier, :with_entreprise) }
+  let(:procedure) { create(:procedure) }
  let(:dossier) { create(:dossier, :with_entreprise, procedure: procedure, state: 'updated') }
  let(:dossier_id) { dossier.id }
  let!(:commentaire) { create(:commentaire, dossier: dossier, email: 'toto@toto.com') }
  let(:email_commentaire) { 'test@test.com' }
@ -10,6 +11,7 @@ feature 'add commentaire on backoffice' do
  let(:body) { 'Commentaire de test' }
  before do
    create :assign_to, gestionnaire: gestionnaire, procedure: procedure
    login_as gestionnaire, scope: :gestionnaire
    visit backoffice_dossier_path(dossier)
  end
--- a/spec/features/backoffice/flux_de_commentaires_spec.rb
+++ b/spec/features/backoffice/flux_de_commentaires_spec.rb
@ -1,12 +1,13 @@
 require 'spec_helper'
 feature 'backoffice: flux de commentaires' do
  let(:procedure) { create(:procedure) }
  let(:gestionnaire) { create(:gestionnaire) }
-  let(:dossier) { create(:dossier, :with_entreprise) }
+  let(:dossier) { create(:dossier, :with_entreprise, procedure: procedure, state: 'updated') }
  let(:dossier_id) { dossier.id }
-  let(:champ1) { dossier.champs.first }
+  let(:champ1) { create(:champ, dossier: dossier, type_de_champ: create(:type_de_champ_public, libelle: "subtitle1")) }
-  let(:champ2) { create(:champ, dossier: dossier, type_de_champ: create(:type_de_champ_public, libelle: "subtitle")) }
+  let(:champ2) { create(:champ, dossier: dossier, type_de_champ: create(:type_de_champ_public, libelle: "subtitle2")) }
  let!(:commentaire1) { create(:commentaire, dossier: dossier, champ: champ1) }
  let!(:commentaire2) { create(:commentaire, dossier: dossier) }
@ -14,6 +15,7 @@ feature 'backoffice: flux de commentaires' do
  let!(:commentaire4) { create(:commentaire, dossier: dossier, champ: champ1) }
  before do
    create :assign_to, gestionnaire: gestionnaire, procedure: procedure
    login_as gestionnaire, scope: :gestionnaire
    visit backoffice_dossier_path(dossier)
  end
--- a/spec/features/backoffice/navigate_to_dossier_spec.rb
+++ b/spec/features/backoffice/navigate_to_dossier_spec.rb
@ -32,6 +32,18 @@ feature 'on backoffice page', js: true do
        expect(page).to have_css('#backoffice-dossier-show')
      end
    end
    context "and goes to the page of a dossier he hasn't access to" do
      let!(:unauthorized_dossier) { create(:dossier, :with_entreprise, state: 'updated') }
      before do
        visit backoffice_dossier_path(unauthorized_dossier)
      end
      scenario "it shows an error message" do
        expect(page).to have_content("Le dossier n'existe pas ou vous n'y avez pas accès.")
      end
    end
  end
  context 'when gestionnaire have enterprise and individual dossier in his inbox', js: true do