authorZog2018-02-08 16:27:52 +0100
committerLuc Donnet2018-02-21 11:23:28 +0100
commitbcb9a2a7e915a1158427e16342dbaa700ce4ee5d (patch)
tree80e4134c7242953440c96a907f49c36450bc5d7e
parent6599a8d6a10e338fed38119115d12a3acb507e1b (diff)
Refs #5865 @1h; Ensure user is allowed to duplicate a referential before doing so
I also changed the way 403 errors are handled, to properly respond with a 403 HTTP code
-rw-r--r--app/controllers/application_controller.rb2
-rw-r--r--app/controllers/referentials_controller.rb8
-rw-r--r--app/models/organisation.rb2
-rw-r--r--spec/controllers/line_referentials_controller_spec.rb4
-rw-r--r--spec/controllers/lines_controller_spec.rb8
-rw-r--r--spec/controllers/referentials_controller_spec.rb36
-rw-r--r--spec/controllers/stop_area_referentials_controller_spec.rb4
-rw-r--r--spec/controllers/stop_areas_controller_spec.rb8
-rw-r--r--spec/models/referential_spec.rb25
9 files changed, 75 insertions, 22 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 45b7f55f6..c4961123d 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -28,7 +28,7 @@ class ApplicationController < ActionController::Base
protected
def user_not_authorized
- redirect_to forbidden_path
+ render 'errors/forbidden', status: 403
end
def current_organisation
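Review bot: The new `render 'errors/forbidden', status: 403` always renders the HTML error template regardless of the request format, yet this diff's controllers declare `respond_to :json` and `respond_to :js` (referentials_controller.rb), so a JSON or JS client denied by this handler gets either an HTML body with a 403 or an ActionView::MissingTemplate if no non-HTML variant of the template exists. Branching on format keeps the 403 status the commit message promises for every caller while still serving the page to browsers. Whether this method is wired through a `rescue_from` is not visible in the hunk, so the change is to the handler only.
```ruby
def user_not_authorized
  respond_to do |format|
    format.html { render 'errors/forbidden', status: :forbidden }
    format.any  { head :forbidden }
  end
end
```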
diff --git a/app/controllers/referentials_controller.rb b/app/controllers/referentials_controller.rb
index 5267c15d8..6e3694547 100644
--- a/app/controllers/referentials_controller.rb
+++ b/app/controllers/referentials_controller.rb
@@ -7,6 +7,8 @@ class ReferentialsController < ChouetteController
respond_to :json, :only => :show
respond_to :js, :only => :show
+ before_action :check_cloning_source_is_accessible, only: %i(new create)
+
def new
new! do
build_referential
@@ -175,6 +177,12 @@ class ReferentialsController < ChouetteController
)
end
+ def check_cloning_source_is_accessible
+ return unless params[:from]
+ source = Referential.find params[:from]
+ return user_not_authorized unless current_user.organisation.workgroups.include?(source.workbench.workgroup)
+ end
+
def load_workbench
@workbench ||= Workbench.find(params[:workbench_id]) if params[:workbench_id]
@workbench ||= resource&.workbench if params[:id]
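Review bot: `source.workbench.workgroup` in check_cloning_source_is_accessible dereferences the workbench without a nil guard, so a referential created without one (referential_spec.rb builds exactly that with `create :referential, organisation: organisation`) turns the authorization check into a NoMethodError and a 500 instead of a 403; a missing workbench should be treated as not accessible. The guard also only looks at `params[:from]`, so if the create action can take its clone source from another parameter (e.g. inside the referential attributes) the check is bypassable — worth confirming that `from` is the only source selector, since I cannot see `create` from this hunk. `workgroups.include?` loads the whole through-association just to test membership; `exists?` does the same with a single query. Note that `Referential.find` still answers 404 for unknown ids and 403 for foreign ones, which lets a caller probe which ids exist; returning 403 in both cases is the stricter option if that matters here.
```ruby
def check_cloning_source_is_accessible
  return unless params[:from]
  source = Referential.find(params[:from])
  workgroup = source.workbench&.workgroup
  accessible = workgroup && current_user.organisation.workgroups.exists?(workgroup.id)
  user_not_authorized unless accessible
end
```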
diff --git a/app/models/organisation.rb b/app/models/organisation.rb
index e8fb4e060..745bc0d22 100644
--- a/app/models/organisation.rb
+++ b/app/models/organisation.rb
@@ -13,6 +13,8 @@ class Organisation < ActiveRecord::Base
has_many :line_referentials, through: :line_referential_memberships
has_many :workbenches
+ has_many :workgroups, through: :workbenches
+
has_many :calendars
has_many :api_keys, class_name: 'Api::V1::ApiKey'
diff --git a/spec/controllers/line_referentials_controller_spec.rb b/spec/controllers/line_referentials_controller_spec.rb
index 17ffb670d..8e8d48fda 100644
--- a/spec/controllers/line_referentials_controller_spec.rb
+++ b/spec/controllers/line_referentials_controller_spec.rb
@@ -6,8 +6,8 @@ RSpec.describe LineReferentialsController, :type => :controller do
describe 'PUT sync' do
let(:request){ put :sync, id: line_referential.id }
- it 'should redirect to 403' do
- expect(request).to redirect_to "/403"
+ it 'should respond with 403' do
+ expect(request).to have_http_status 403
end
with_permission "line_referentials.synchronize" do
diff --git a/spec/controllers/lines_controller_spec.rb b/spec/controllers/lines_controller_spec.rb
index 65fe88b96..96f49bb36 100644
--- a/spec/controllers/lines_controller_spec.rb
+++ b/spec/controllers/lines_controller_spec.rb
@@ -7,8 +7,8 @@ RSpec.describe LinesController, :type => :controller do
describe 'PUT deactivate' do
let(:request){ put :deactivate, id: line.id, line_referential_id: line_referential.id }
- it 'should redirect to 403' do
- expect(request).to redirect_to "/403"
+ it 'should respond with 403' do
+ expect(request).to have_http_status 403
end
with_permission "lines.change_status" do
@@ -24,8 +24,8 @@ RSpec.describe LinesController, :type => :controller do
before(:each){
line.deactivate!
}
- it 'should redirect to 403' do
- expect(request).to redirect_to "/403"
+ it 'should respond with 403' do
+ expect(request).to have_http_status 403
end
with_permission "lines.change_status" do
diff --git a/spec/controllers/referentials_controller_spec.rb b/spec/controllers/referentials_controller_spec.rb
index 5e0b1e505..ff450c905 100644
--- a/spec/controllers/referentials_controller_spec.rb
+++ b/spec/controllers/referentials_controller_spec.rb
@@ -6,6 +6,42 @@ describe ReferentialsController, :type => :controller do
let(:organisation) { create :organisation }
let(:other_referential) { create :referential, organisation: organisation }
+ describe "GET new" do
+ let(:request){ get :new, workbench_id: referential.workbench_id }
+ before{ request }
+
+ it 'returns http success' do
+ expect(response).to have_http_status(200)
+ end
+
+ context "when cloning another referential" do
+ let(:source){ referential }
+ let(:request){ get :new, workbench_id: referential.workbench_id, from: source.id }
+
+ it 'returns http success' do
+ expect(response).to have_http_status(200)
+ end
+
+ context "when the referential is in another organisation but accessible by the user" do
+ let(:source){ create(:workbench_referential) }
+ before do
+ source.workbench.update_attribute :workgroup_id, referential.workbench.workgroup_id
+ end
+
+ it 'returns http forbidden' do
+ expect(response).to have_http_status(403)
+ end
+ end
+
+ context "when the referential is not accessible by the user" do
+ let(:source){ create(:workbench_referential) }
+ it 'returns http forbidden' do
+ expect(response).to have_http_status(403)
+ end
+ end
+ end
+ end
+
describe 'PUT archive' do
context "user's organisation matches referential's organisation" do
it 'returns http success' do
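Review bot: The context "when the referential is in another organisation but accessible by the user" asserts a 403, which contradicts its own title, and it passes only because of hook ordering: the outer `before{ request }` runs before the inner `before` that moves the source into the user's workgroup, so the request is issued against an inaccessible source and the example never exercises the allowed path of the new check. If the intent is that a same-workgroup source from another organisation may be cloned, the setup has to happen before the request and the expectation should be 200; building the source eagerly with the workgroup change inside it achieves that without reordering the outer hook. If the intent really is to forbid it, the context title and the `before` block should go, since they describe a scenario the example does not test.
```ruby
context "when the referential is in another organisation but accessible by the user" do
  let!(:source) do
    create(:workbench_referential).tap do |s|
      s.workbench.update_attribute :workgroup_id, referential.workbench.workgroup_id
    end
  end

  it 'returns http success' do
    expect(response).to have_http_status(200)
  end
end
```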
diff --git a/spec/controllers/stop_area_referentials_controller_spec.rb b/spec/controllers/stop_area_referentials_controller_spec.rb
index 384323334..737ef631f 100644
--- a/spec/controllers/stop_area_referentials_controller_spec.rb
+++ b/spec/controllers/stop_area_referentials_controller_spec.rb
@@ -6,7 +6,9 @@ RSpec.describe StopAreaReferentialsController, :type => :controller do
describe 'PUT sync' do
let(:request){ put :sync, id: stop_area_referential.id }
- it { expect(request).to redirect_to "/403" }
+ it 'should respond with 403' do
+ expect(request).to have_http_status 403
+ end
with_permission "stop_area_referentials.synchronize" do
it 'returns HTTP success' do
diff --git a/spec/controllers/stop_areas_controller_spec.rb b/spec/controllers/stop_areas_controller_spec.rb
index 23bca3c36..f39ac5776 100644
--- a/spec/controllers/stop_areas_controller_spec.rb
+++ b/spec/controllers/stop_areas_controller_spec.rb
@@ -7,8 +7,8 @@ RSpec.describe StopAreasController, :type => :controller do
describe 'PUT deactivate' do
let(:request){ put :deactivate, id: stop_area.id, stop_area_referential_id: stop_area_referential.id }
- it 'should redirect to 403' do
- expect(request).to redirect_to "/403"
+ it 'should respond with 403' do
+ expect(request).to have_http_status 403
end
with_permission "stop_areas.change_status" do
@@ -24,8 +24,8 @@ RSpec.describe StopAreasController, :type => :controller do
before(:each){
stop_area.deactivate!
}
- it 'should redirect to 403' do
- expect(request).to redirect_to "/403"
+ it 'should respond with 403' do
+ expect(request).to have_http_status 403
end
with_permission "stop_areas.change_status" do
diff --git a/spec/models/referential_spec.rb b/spec/models/referential_spec.rb
index 6d699f759..eeedf6562 100644
--- a/spec/models/referential_spec.rb
+++ b/spec/models/referential_spec.rb
@@ -30,16 +30,21 @@ describe Referential, :type => :model do
Referential.new_from(ref, [])
end
- # let(:saved_clone) do
- # clone.tap do |clone|
- # clone.organisation = ref.organisation
- # clone.metadatas.each do |metadata|
- # metadata.line_ids = ref.lines.where(id: clone.line_ids, objectid: JSON.parse(ref.organisation.sso_attributes["functional_scope"]).collect(&:id)
- # metadata.periodes = metadata.periodes.map { |period| Range.new(period.end+1, period.end+10) }
- # end
- # clone.save!
- # end
- # end
+ let!(:workbench){ create :workbench }
+
+ let(:saved_clone) do
+ clone.tap do |clone|
+ clone.organisation = workbench.organisation
+ clone.workbench = workbench
+ clone.metadatas = [create(:referential_metadata, referential: clone)]
+ clone.save!
+ end
+ end
+
+ it 'should create a Referential' do
+ ref
+ expect { saved_clone }.to change{Referential.count}.by(1)
+ end
xit 'should create a ReferentialCloning' do
expect { saved_clone }.to change{ReferentialCloning.count}.by(1)