From bcb9a2a7e915a1158427e16342dbaa700ce4ee5d Mon Sep 17 00:00:00 2001
From: Zog
Date: Thu, 8 Feb 2018 16:27:52 +0100
Subject: Refs #5865 @1h; Ensure user is allowed to duplicate a referential
 before doing so

I also changed the way 403 errors are handled, to properly respond with
a 403 HTTP code
---
 .../line_referentials_controller_spec.rb           |  4 +--
 spec/controllers/lines_controller_spec.rb          |  8 ++---
 spec/controllers/referentials_controller_spec.rb   | 36 ++++++++++++++++++++++
 .../stop_area_referentials_controller_spec.rb      |  4 ++-
 spec/controllers/stop_areas_controller_spec.rb     |  8 ++---
 5 files changed, 49 insertions(+), 11 deletions(-)

(limited to 'spec/controllers')

diff --git a/spec/controllers/line_referentials_controller_spec.rb b/spec/controllers/line_referentials_controller_spec.rb
index 17ffb670d..8e8d48fda 100644
--- a/spec/controllers/line_referentials_controller_spec.rb
+++ b/spec/controllers/line_referentials_controller_spec.rb
@@ -6,8 +6,8 @@ RSpec.describe LineReferentialsController, :type => :controller do
   describe 'PUT sync' do
     let(:request){ put :sync, id: line_referential.id }
 
-    it 'should redirect to 403' do
-       expect(request).to redirect_to "/403"
+    it 'should respond with 403' do
+       expect(request).to have_http_status 403
     end
 
     with_permission "line_referentials.synchronize" do
diff --git a/spec/controllers/lines_controller_spec.rb b/spec/controllers/lines_controller_spec.rb
index 65fe88b96..96f49bb36 100644
--- a/spec/controllers/lines_controller_spec.rb
+++ b/spec/controllers/lines_controller_spec.rb
@@ -7,8 +7,8 @@ RSpec.describe LinesController, :type => :controller do
   describe 'PUT deactivate' do
     let(:request){ put :deactivate, id: line.id, line_referential_id: line_referential.id }
 
-    it 'should redirect to 403' do
-      expect(request).to redirect_to "/403"
+    it 'should respond with 403' do
+      expect(request).to have_http_status 403
     end
 
     with_permission "lines.change_status" do
@@ -24,8 +24,8 @@ RSpec.describe LinesController, :type => :controller do
     before(:each){
       line.deactivate!
     }
-    it 'should redirect to 403' do
-       expect(request).to redirect_to "/403"
+    it 'should respond with 403' do
+      expect(request).to have_http_status 403
     end
 
     with_permission "lines.change_status" do
diff --git a/spec/controllers/referentials_controller_spec.rb b/spec/controllers/referentials_controller_spec.rb
index 5e0b1e505..ff450c905 100644
--- a/spec/controllers/referentials_controller_spec.rb
+++ b/spec/controllers/referentials_controller_spec.rb
@@ -6,6 +6,42 @@ describe ReferentialsController, :type => :controller do
   let(:organisation) { create :organisation }
   let(:other_referential) { create :referential, organisation: organisation }
 
+  describe "GET new" do
+    let(:request){ get :new, workbench_id: referential.workbench_id }
+    before{ request }
+
+    it 'returns http success' do
+      expect(response).to have_http_status(200)
+    end
+
+    context "when cloning another referential" do
+      let(:source){ referential }
+      let(:request){ get :new, workbench_id: referential.workbench_id, from: source.id }
+
+      it 'returns http success' do
+        expect(response).to have_http_status(200)
+      end
+
+      context "when the referential is in another organisation but accessible by the user" do
+        let(:source){ create(:workbench_referential) }
+        before do
+          source.workbench.update_attribute :workgroup_id, referential.workbench.workgroup_id
+        end
+
+        it 'returns http forbidden' do
+          expect(response).to have_http_status(403)
+        end
+      end
+
+      context "when the referential is not accessible by the user" do
+        let(:source){ create(:workbench_referential) }
+        it 'returns http forbidden' do
+          expect(response).to have_http_status(403)
+        end
+      end
+    end
+  end
+
   describe 'PUT archive' do
     context "user's organisation matches referential's organisation" do
       it 'returns http success' do
diff --git a/spec/controllers/stop_area_referentials_controller_spec.rb b/spec/controllers/stop_area_referentials_controller_spec.rb
index 384323334..737ef631f 100644
--- a/spec/controllers/stop_area_referentials_controller_spec.rb
+++ b/spec/controllers/stop_area_referentials_controller_spec.rb
@@ -6,7 +6,9 @@ RSpec.describe StopAreaReferentialsController, :type => :controller do
   describe 'PUT sync' do
     let(:request){ put :sync, id: stop_area_referential.id }
 
-    it { expect(request).to redirect_to "/403" }
+    it 'should respond with 403' do
+      expect(request).to have_http_status 403
+    end
 
     with_permission "stop_area_referentials.synchronize" do
       it 'returns HTTP success' do
diff --git a/spec/controllers/stop_areas_controller_spec.rb b/spec/controllers/stop_areas_controller_spec.rb
index 23bca3c36..f39ac5776 100644
--- a/spec/controllers/stop_areas_controller_spec.rb
+++ b/spec/controllers/stop_areas_controller_spec.rb
@@ -7,8 +7,8 @@ RSpec.describe StopAreasController, :type => :controller do
   describe 'PUT deactivate' do
     let(:request){ put :deactivate, id: stop_area.id, stop_area_referential_id: stop_area_referential.id }
 
-    it 'should redirect to 403' do
-       expect(request).to redirect_to "/403"
+    it 'should respond with 403' do
+      expect(request).to have_http_status 403
     end
 
     with_permission "stop_areas.change_status" do
@@ -24,8 +24,8 @@ RSpec.describe StopAreasController, :type => :controller do
     before(:each){
       stop_area.deactivate!
     }
-    it 'should redirect to 403' do
-       expect(request).to redirect_to "/403"
+    it 'should respond with 403' do
+      expect(request).to have_http_status 403
     end
 
     with_permission "stop_areas.change_status" do
-- 
cgit v1.2.3