From 69b901fa1223fb78142a1e4e76d1b88d879aec61 Mon Sep 17 00:00:00 2001
From: cedricnjanga
Date: Fri, 23 Feb 2018 13:29:07 -0800
Subject: Refs #5950 Fix 404 error when user wants to see CCSet from other organisation : - remove begin_association_chain in controller - Change collecyion to only see user organisayion CCSet and STIF CCSet - add policy for show action
---
 app/controllers/compliance_control_sets_controller.rb | 9 ++-------
 app/policies/application_policy.rb | 5 +++++
 app/policies/compliance_control_set_policy.rb | 4 ++++
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/app/controllers/compliance_control_sets_controller.rb b/app/controllers/compliance_control_sets_controller.rb
index 8f9251155..621eeb9a5 100644
--- a/app/controllers/compliance_control_sets_controller.rb
+++ b/app/controllers/compliance_control_sets_controller.rb
@@ -27,16 +27,11 @@ class ComplianceControlSetsController < ChouetteController
     redirect_to(compliance_control_sets_path)
   end
 
-  protected
-
-  def begin_of_association_chain
-    current_organisation
-  end
-
   private
 
   def collection
-    scope = self.ransack_period_range(scope: ComplianceControlSet.all, error_message: t('imports.filters.error_period_filter'), query: :where_updated_at_between)
+    scope = ComplianceControlSet.joins(:organisation).where('organisation_id = ? OR organisations.code = ?', current_organisation.id, 'STIF')
+    scope = self.ransack_period_range(scope: scope, error_message: t('imports.filters.error_period_filter'), query: :where_updated_at_between)
     @q_for_form = scope.ransack(params[:q])
     compliance_control_sets = @q_for_form.result
     compliance_control_sets = joins_with_associated_objects(compliance_control_sets).order(sort_column + ' ' + sort_direction) if sort_column && sort_direction
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
index c44937c9e..d14839bdf 100644
--- a/app/policies/application_policy.rb
+++ b/app/policies/application_policy.rb
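Review bot: Removing `begin_of_association_chain` widens every member action, not only `show`: if ChouetteController is InheritedResources-based (the hook name suggests so, but the base class is outside the hunk), `resource` for `edit`/`update`/`destroy` is now looked up across all organisations, so those actions are only as safe as their policy methods, and the visible `destroy?` in compliance_control_set_policy.rb checks a permission alone. The new `where` should also qualify the column, `where('compliance_control_sets.organisation_id = ? OR organisations.code = ?', current_organisation.id, 'STIF')`, because `joins_with_associated_objects` on the last line may join tables that carry their own `organisation_id` and make the bare name ambiguous. The `'STIF'` literal is repeated as `"STIF"` in application_policy.rb; one shared frozen constant would keep the collection filter and the policy from drifting apart. `collection` continues past the end of the hunk.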
@@ -96,6 +96,11 @@ class ApplicationPolicy
   end
 
 
+  def belongs_to_stif?
+    record.try(:organisation).try(:code) == "STIF"
+  end
+
+
   #
   # Helpers
   # -------
diff --git a/app/policies/compliance_control_set_policy.rb b/app/policies/compliance_control_set_policy.rb
index 011f6c0c7..e3fb83e38 100644
--- a/app/policies/compliance_control_set_policy.rb
+++ b/app/policies/compliance_control_set_policy.rb
@@ -5,6 +5,10 @@ class ComplianceControlSetPolicy < ApplicationPolicy
     end
   end
 
+  def show?
+    organisation_match? or belongs_to_stif?
+  end
+
   def destroy?
     user.has_permission?('compliance_control_sets.destroy')
   end
-- 
cgit v1.2.3
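Review bot: `belongs_to_stif?` is undocumented and hard-codes the `"STIF"` organisation code that the controller hunk also embeds as `'STIF'`; a comment such as `# True when the record belongs to the STIF organisation, whose compliance control sets are visible to every organisation.` plus a single shared frozen constant for the code would make the rule explicit. The check relies on `organisations.code` being unique and not editable by ordinary users — if an organisation could set its own code to STIF it would gain this access — so that assumption is worth confirming against the organisation model, which is outside the hunk. The double `.try` chain quietly yields `false` when `record` is a class rather than an instance (Pundit passes the class for collection checks, assuming Pundit is in use here), which looks intended but deserves a word in the comment.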
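Review bot: `show?` uses `or`, which binds looser than `=` and `!` and is flagged by the style guide; write it as `organisation_match? || belongs_to_stif?`. `organisation_match?` is defined outside the hunk, so whether it compares the record's organisation with the user's cannot be checked here, but since `show?` is the only action given this rule while `destroy?` below checks a permission alone, a one-line comment stating why read access is wider than delete access would help the next reader, e.g. `# Sets of the caller's organisation and the shared STIF sets are readable; destroy stays permission-based.`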