prevent delegations from differnt organizations

coopdevs · May 24, 2024 · a32bf0a · a32bf0a
1 parent 9654679
commit a32bf0a
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 5 deletions.
diff --git a/.rubocop_ruby.yml b/.rubocop_ruby.yml
@@ -71,11 +71,6 @@ AllCops:
  # Otherwise we fallback to the oldest officially supported Ruby version (2.0).
  TargetRubyVersion: 3.0
 
- RSpec:
- Patterns:
- - "(?:^|/)spec/"
- - "(?:^|/)test/"
-
 # Indent private/protected/public as deep as method definitions
 Layout/AccessModifierIndentation:
  EnforcedStyle: indent

diff --git a/app/models/decidim/action_delegator/delegation.rb b/app/models/decidim/action_delegator/delegation.rb
@@ -16,6 +16,10 @@ class Delegation < ApplicationRecord
  message: I18n.t("delegations.create.error_granter_unique", scope: "decidim.action_delegator.admin")
  }
 
+ validate :grantee_is_not_granter
+ validate :granter_and_grantee_belongs_to_same_organization
+ validate :granter_is_same_organization_as_consultation
+
  delegate :consultation, to: :setting
 
  before_destroy { |record| throw(:abort) if record.grantee_voted? }
@@ -32,6 +36,27 @@ def grantee_voted?
  granter_votes&.detect { |vote| vote.versions.exists?(whodunnit: grantee&.id) } ? true : false
  end
  end
+
+ private
+
+ def grantee_is_not_granter
+ return unless granter == grantee
+
+ errors.add(:grantee, :invalid)
+ end
+
+ def granter_and_grantee_belongs_to_same_organization
+ return unless granter.organization != grantee.organization
+
+ errors.add(:grantee, :invalid)
+ end
+
+ def granter_is_same_organization_as_consultation
+ return unless setting && setting.consultation
+ return unless consultation.organization != granter.organization
+
+ errors.add(:granter, :invalid)
+ end
  end
  end
 end
diff --git a/spec/models/decidim/action_delegator/delegation_spec.rb b/spec/models/decidim/action_delegator/delegation_spec.rb
@@ -11,6 +11,25 @@ module ActionDelegator
  it { is_expected.to be_valid }
  it { is_expected.not_to be_grantee_voted }
 
+ context "when users from different organizations" do
+ let(:grantee) { create(:user) }
+
+ subject { build(:delegation, grantee: grantee) }
+
+ it { is_expected.not_to be_valid }
+ end
+
+ context "when users are from a different organization than the consultation" do
+ let(:consultation) { create(:consultation) }
+ let(:setting) { create(:setting, consultation: consultation) }
+ let(:grantee) { create(:user) }
+ let(:granter) { create(:user, organization: grantee.organization) }
+
+ subject { build(:delegation, grantee: grantee, granter: granter, setting: setting) }
+
+ it { is_expected.not_to be_valid }
+ end
+
  describe ".granted_to?" do
  subject { delegation }