[Fix #162] Deny dossier access for an unauthorized accompagnateur
This commit is contained in:
parent
408cefc809
commit
eff9e556e9
4 changed files with 30 additions and 4 deletions
@ -1,6 +1,8 @@
|
|||
class Backoffice::DossiersController < Backoffice::DossiersListController
|
||||
respond_to :html, :xlsx, :ods, :csv
|
||||
|
||||
before_action :ensure_gestionnaire_is_authorized, only: :show
|
||||
|
||||
def index
|
||||
procedure = current_gestionnaire.procedure_filter
|
||||
|
||||
|
@ -185,6 +187,14 @@ class Backoffice::DossiersController < Backoffice::DossiersListController
|
|||
|
||||
private
|
||||
|
||||
def ensure_gestionnaire_is_authorized
|
||||
current_gestionnaire.dossiers.find(params[:id])
|
||||
|
||||
rescue ActiveRecord::RecordNotFound
|
||||
flash.alert = t('errors.messages.dossier_not_found')
|
||||
redirect_to url_for(controller: '/backoffice')
|
||||
end
|
||||
|
||||
def create_dossier_facade dossier_id
|
||||
@facade = DossierFacades.new dossier_id, current_gestionnaire.email
|
||||
|
||||
|
|
|
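Review bot: The new guard on L20 is registered with `only: :show`, so any other member action in this controller that loads a dossier from `params[:id]` (the rest of the class is outside the hunk) remains unguarded unless it already scopes through `current_gestionnaire.dossiers`; consider naming those actions in `only:` or dropping the restriction. The lookup inside `ensure_gestionnaire_is_authorized` also discards its result, and `create_dossier_facade` still builds `DossierFacades.new dossier_id, current_gestionnaire.email` from the raw id, so the authorization check and the data load are two independent queries; assigning `@dossier = current_gestionnaire.dossiers.find(params[:id])` in the guard and reusing it afterwards would tie them together. Using the same "not found" message for both a missing and an unauthorized dossier is the right choice here, since the response does not reveal whether the id exists.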
@ -1,7 +1,8 @@
|
|||
require 'spec_helper'
|
||||
|
||||
feature 'add commentaire on backoffice' do
|
||||
let(:dossier) { create(:dossier, :with_entreprise) }
|
||||
let(:procedure) { create(:procedure) }
|
||||
let(:dossier) { create(:dossier, :with_entreprise, procedure: procedure, state: 'updated') }
|
||||
let(:dossier_id) { dossier.id }
|
||||
let!(:commentaire) { create(:commentaire, dossier: dossier, email: 'toto@toto.com') }
|
||||
let(:email_commentaire) { 'test@test.com' }
|
||||
|
@ -10,6 +11,7 @@ feature 'add commentaire on backoffice' do
|
|||
let(:body) { 'Commentaire de test' }
|
||||
|
||||
before do
|
||||
create :assign_to, gestionnaire: gestionnaire, procedure: procedure
|
||||
login_as gestionnaire, scope: :gestionnaire
|
||||
visit backoffice_dossier_path(dossier)
|
||||
end
|
||||
|
|
|
@ -1,12 +1,13 @@
|
|||
require 'spec_helper'
|
||||
|
||||
feature 'backoffice: flux de commentaires' do
|
||||
let(:procedure) { create(:procedure) }
|
||||
let(:gestionnaire) { create(:gestionnaire) }
|
||||
let(:dossier) { create(:dossier, :with_entreprise) }
|
||||
let(:dossier) { create(:dossier, :with_entreprise, procedure: procedure, state: 'updated') }
|
||||
let(:dossier_id) { dossier.id }
|
||||
|
||||
let(:champ1) { dossier.champs.first }
|
||||
let(:champ2) { create(:champ, dossier: dossier, type_de_champ: create(:type_de_champ_public, libelle: "subtitle")) }
|
||||
let(:champ1) { create(:champ, dossier: dossier, type_de_champ: create(:type_de_champ_public, libelle: "subtitle1")) }
|
||||
let(:champ2) { create(:champ, dossier: dossier, type_de_champ: create(:type_de_champ_public, libelle: "subtitle2")) }
|
||||
|
||||
let!(:commentaire1) { create(:commentaire, dossier: dossier, champ: champ1) }
|
||||
let!(:commentaire2) { create(:commentaire, dossier: dossier) }
|
||||
|
@ -14,6 +15,7 @@ feature 'backoffice: flux de commentaires' do
|
|||
let!(:commentaire4) { create(:commentaire, dossier: dossier, champ: champ1) }
|
||||
|
||||
before do
|
||||
create :assign_to, gestionnaire: gestionnaire, procedure: procedure
|
||||
login_as gestionnaire, scope: :gestionnaire
|
||||
visit backoffice_dossier_path(dossier)
|
||||
end
|
||||
|
|
|
@ -32,6 +32,18 @@ feature 'on backoffice page', js: true do
|
|||
expect(page).to have_css('#backoffice-dossier-show')
|
||||
end
|
||||
end
|
||||
|
||||
context "and goes to the page of a dossier he hasn't access to" do
|
||||
let!(:unauthorized_dossier) { create(:dossier, :with_entreprise, state: 'updated') }
|
||||
|
||||
before do
|
||||
visit backoffice_dossier_path(unauthorized_dossier)
|
||||
end
|
||||
|
||||
scenario "it shows an error message" do
|
||||
expect(page).to have_content("Le dossier n'existe pas ou vous n'y avez pas accès.")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'when gestionnaire have enterprise and individual dossier in his inbox', js: true do
|
||||
|
|
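Review bot: The scenario on L241–L247 only checks the flash text, so it would still pass if the dossier page were rendered next to the alert; add `expect(page).not_to have_css('#backoffice-dossier-show')` (the selector the sibling scenario on L211 already uses) or an assertion on `current_path` so the test actually pins the denial. `unauthorized_dossier` on L225 is created without an explicit procedure, so its inaccessibility presumably relies on the factory default not being assigned to the gestionnaire; passing `procedure: create(:procedure)` would make that intent explicit. The enclosing `feature` block starts outside the hunk.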