Bugfix : RDV interdit car un usager n'est dans aucun orga

betagouv · Jan 27, 2025 · 7186206 · 7186206
1 parent c98bf2c
commit 7186206
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 4 deletions.
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -280,6 +280,9 @@ Style/ComparableClamp:
 Style/SafeNavigationChainLength:
   Enabled: false
 
+Style/MapToSet:
+  Enabled: false
+
 # cette vérification serait bien à mettre en place mais il y plus de 20 specs qui ne la respectent pas aujourd’hui
 RSpec/NoExpectationExample:
   Enabled: false

diff --git a/app/policies/agent/rdv_policy.rb b/app/policies/agent/rdv_policy.rb
@@ -71,10 +71,18 @@ def authorized_agent_ids_via_motif(rdv_agent_ids)
   def users_authorized?
     return @users_authorized if defined?(@users_authorized)
 
-    participation_user_ids = record.participations.map(&:user).reject(&:soft_deleted?).map(&:id)
-
-    @users_authorized = Agent::UserPolicy::TerritoryScope.new(agent_organisation_context, User).resolve
-      .where(id: participation_user_ids).pluck(:id).to_set == participation_user_ids.to_set
+    participation_user_ids = record.participations.map(&:user).reject(&:soft_deleted?).map(&:id).to_set
+
+    users_i_can_create_rdv_for = Agent::UserPolicy::TerritoryScope.new(agent_organisation_context, User).resolve
+      .where(id: participation_user_ids).pluck(:id).to_set
+
+    users_i_cannot_create_rdv_for = participation_user_ids.difference(users_i_can_create_rdv_for)
+    @users_authorized = if users_i_cannot_create_rdv_for.empty?
+                          true
+                        else
+                          users_of_rdvs_i_can_see = Scope.new(current_agent, Rdv.joins(:participations).where(participations: { user_id: users_i_cannot_create_rdv_for })).resolve
+                          users_of_rdvs_i_can_see.pluck(:id).to_set == users_i_cannot_create_rdv_for
+                        end
 
     notify_users_unauthorized unless @users_authorized
 

diff --git a/spec/policies/agent/rdv_policy_spec.rb b/spec/policies/agent/rdv_policy_spec.rb
@@ -155,5 +155,25 @@
     it_behaves_like "not permit actions", :rdv
   end
 
+  context "the participating user belongs to no organisation but already has a RDV in my orgs" do
+    let(:organisation) { create(:organisation) }
+    let(:service) { create(:service) }
+    let(:agent) { create(:agent, admin_role_in_organisations: [organisation], service: service) }
+    let(:motif) { create(:motif, organisation: organisation, service: service) }
+
+    let(:user) { create(:user) }
+    let!(:rdv) { create(:rdv, organisation: organisation, agents: [agent], users: [user], motif: motif) }
+    let(:pundit_context) { AgentOrganisationContext.new(agent, organisation) }
+
+    before do
+      # On s'assure que l'usager du RDV est sans orga
+      UserProfile.where(user: user).destroy_all
+      rdv.reload
+    end
+
+    it_behaves_like "permit actions", :rdv, :new?, :create?, :show?, :edit?, :update?, :destroy?
+    it_behaves_like "not permit actions", :rdv
+  end
+
   # TODO: write cases for :new? and create? which
 end