Diffstat (limited to 'app')
| -rw-r--r-- | app/controllers/application_controller.rb | 2 | ||||
| -rw-r--r-- | app/controllers/referentials_controller.rb | 8 | ||||
| -rw-r--r-- | app/models/organisation.rb | 2 |
3 files changed, 11 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 45b7f55f6..c4961123d 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -28,7 +28,7 @@ class ApplicationController < ActionController::Base
 protected
 def user_not_authorized
- redirect_to forbidden_path
+ render 'errors/forbidden', status: 403
 end
 def current_organisation
diff --git a/app/controllers/referentials_controller.rb b/app/controllers/referentials_controller.rb
index 5267c15d8..6e3694547 100644
--- a/app/controllers/referentials_controller.rb
+++ b/app/controllers/referentials_controller.rb
@@ -7,6 +7,8 @@ class ReferentialsController < ChouetteController
 respond_to :json, :only => :show
 respond_to :js, :only => :show
+ before_action :check_cloning_source_is_accessible, only: %i(new create)
+
 def new
 new! do
 build_referential
@@ -175,6 +177,12 @@ class ReferentialsController < ChouetteController
 )
 end
+ def check_cloning_source_is_accessible
+ return unless params[:from]
+ source = Referential.find params[:from]
+ return user_not_authorized unless current_user.organisation.workgroups.include?(source.workbench.workgroup)
+ end
+
 def load_workbench
 @workbench ||= Workbench.find(params[:workbench_id]) if params[:workbench_id]
 @workbench ||= resource&.workbench if params[:id]
diff --git a/app/models/organisation.rb b/app/models/organisation.rb
index e8fb4e060..745bc0d22 100644
--- a/app/models/organisation.rb
+++ b/app/models/organisation.rb
@@ -13,6 +13,8 @@ class Organisation < ActiveRecord::Base
 has_many :line_referentials, through: :line_referential_memberships
 has_many :workbenches
+ has_many :workgroups, through: :workbenches
+
 has_many :calendars
 has_many :api_keys, class_name: 'Api::V1::ApiKey' |
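Review bot: `render 'errors/forbidden', status: 403` in user_not_authorized assumes every denied request can render that template, but the handler lives in ApplicationController and at least ReferentialsController also answers JSON and JS. If errors/forbidden exists only as an HTML view (the views are not part of this diff), a denied non-HTML request would likely fail template lookup and surface as a 500 rather than a 403. Consider answering non-HTML formats with `head :forbidden` and keeping the template for HTML; `status: :forbidden` also reads better than the bare number.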
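Review bot: The filter registered by `before_action :check_cloning_source_is_accessible, only: %i(new create)` only looks at `params[:from]`, so it protects `create` only if the cloning source reaches that action under the same top-level key. The body of `create` and the permitted referential params are outside this hunk; if the form submits the source id as a nested referential attribute, `create` would skip the check and could clone from a referential in another workgroup. Worth confirming, and either checking the value `create` actually uses or adding a comment such as `# params[:from] is the only way a cloning source enters new/create`.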
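Review bot: `source.workbench.workgroup` in check_cloning_source_is_accessible raises NoMethodError if the source referential has no workbench (model constraints are not shown), which turns an authorization decision into a 500; `source.workbench&.workgroup` keeps the check fail-closed, since `include?(nil)` is false for the association. `Referential.find` also answers a missing id with RecordNotFound while a foreign id gets the 403, so the two responses let a caller tell which ids exist; treating both the same way would avoid that. The method sits between two definitions whose visibility section starts outside the hunk, so confirm it is not public and reachable as an action.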
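Review bot: `has_many :workgroups, through: :workbenches` now backs the cloning access check in ReferentialsController but carries no comment saying so, and it returns one row per workbench, so a workgroup reached through two workbenches is listed twice. `has_many :workgroups, -> { distinct }, through: :workbenches` avoids the duplicates, with a comment like `# workgroups this organisation belongs to via its workbenches; used for access checks`. Whether an organisation can hold several workbenches in one workgroup is not visible here.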
