From bcb9a2a7e915a1158427e16342dbaa700ce4ee5d Mon Sep 17 00:00:00 2001
From: Zog
Date: Thu, 8 Feb 2018 16:27:52 +0100
Subject: Refs #5865 @1h; Ensure user is allowed to duplicate a referential
 before doing so

I also changed the way 403 errors are handled, to properly respond with
a 403 HTTP code
---
 app/controllers/application_controller.rb  | 2 +-
 app/controllers/referentials_controller.rb | 8 ++++++++
 app/models/organisation.rb                 | 2 ++
 3 files changed, 11 insertions(+), 1 deletion(-)

(limited to 'app')

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 45b7f55f6..c4961123d 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -28,7 +28,7 @@ class ApplicationController < ActionController::Base
   protected
 
   def user_not_authorized
-    redirect_to forbidden_path
+    render 'errors/forbidden', status: 403
   end
 
   def current_organisation
diff --git a/app/controllers/referentials_controller.rb b/app/controllers/referentials_controller.rb
index 5267c15d8..6e3694547 100644
--- a/app/controllers/referentials_controller.rb
+++ b/app/controllers/referentials_controller.rb
@@ -7,6 +7,8 @@ class ReferentialsController < ChouetteController
   respond_to :json, :only => :show
   respond_to :js, :only => :show
 
+  before_action :check_cloning_source_is_accessible, only: %i(new create)
+
   def new
     new! do
       build_referential
@@ -175,6 +177,12 @@ class ReferentialsController < ChouetteController
     )
   end
 
+  def check_cloning_source_is_accessible
+    return unless params[:from]
+    source = Referential.find params[:from]
+    return user_not_authorized unless current_user.organisation.workgroups.include?(source.workbench.workgroup)
+  end
+
   def load_workbench
     @workbench ||= Workbench.find(params[:workbench_id]) if params[:workbench_id]
     @workbench ||= resource&.workbench if params[:id]
diff --git a/app/models/organisation.rb b/app/models/organisation.rb
index e8fb4e060..745bc0d22 100644
--- a/app/models/organisation.rb
+++ b/app/models/organisation.rb
@@ -13,6 +13,8 @@ class Organisation < ActiveRecord::Base
   has_many :line_referentials, through: :line_referential_memberships
 
   has_many :workbenches
+  has_many :workgroups, through: :workbenches
+
   has_many :calendars
   has_many :api_keys, class_name: 'Api::V1::ApiKey'
 
-- 
cgit v1.2.3