Merge pull request #412 from etalab/features/public-id

Introduce public pages for authorization requests

app/controllers/authenticated_user_controller.rb

@@ -1,8 +1,6 @@
 class AuthenticatedUserController < ApplicationController
   include Authentication
-  include Pundit::Authorization
-
-  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+  include AccessAuthorization
 
   allow_unauthenticated_access only: :bypass_login
 
@@ -14,16 +12,4 @@ def bypass_login
 
     redirect_to dashboard_path
   end
-
-  def pundit_user
-    UserContext.new(current_user, request.host)
-  end
-
-  def user_not_authorized
-    flash[:error] = {
-      title: t('application.user_not_authorized.title')
-    }
-
-    redirect_to dashboard_path
-  end
 end

app/controllers/concerns/access_authorization.rb

@@ -0,0 +1,25 @@
+module AccessAuthorization
+  extend ActiveSupport::Concern
+
+  included do
+    include Pundit::Authorization
+
+    rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
+    def pundit_user
+      UserContext.new(current_user, request.host)
+    end
+  end
+
+  def pundit_user
+    self.class.pundit_user
+  end
+
+  def user_not_authorized
+    flash[:error] = {
+      title: t('application.user_not_authorized.title')
+    }
+
+    redirect_to dashboard_path
+  end
+end

app/controllers/public/authorization_requests_controller.rb

@@ -0,0 +1,17 @@
+class Public::AuthorizationRequestsController < PublicController
+  helper AuthorizationRequestsHelpers
+
+  helper_method :current_user, :user_signed_in?
+
+  def show
+    @authorization_request = AuthorizationRequest.find_by(public_id: params[:id])
+
+    if @authorization_request
+      @authorization_request = @authorization_request.decorate
+
+      render 'authorization_request_forms/summary', layout: 'authorization_request'
+    else
+      redirect_to root_path
+    end
+  end
+end

app/controllers/public_controller.rb

@@ -0,0 +1,11 @@
+class PublicController < ApplicationController
+  include AccessAuthorization
+
+  def current_user
+    @current_user ||= User.new
+  end
+
+  def user_signed_in?
+    false
+  end
+end

app/serializers/webhook_authorization_request_serializer.rb

@@ -1,5 +1,6 @@
 class WebhookAuthorizationRequestSerializer < ApplicationSerializer
   attributes :id,
+    :public_id,
     :state,
     :form_uid,
     :data

config/routes.rb

@@ -18,6 +18,8 @@
 
   patch '/settings/notifications', to: 'notifications_settings#update', as: :notifications_settings
 
+  get '/public/demandes/:id', to: 'public/authorization_requests#show', as: :public_authorization_request
+
   scope(path_names: { new: 'nouveau', edit: 'modifier' }) do
     resources :authorization_requests, only: %w[show], path: 'demandes' do
       resources :messages, only: %w[index create], path: 'messages'

db/migrate/20240906081749_add_public_id_to_authorization_requests.rb

@@ -0,0 +1,6 @@
+class AddPublicIdToAuthorizationRequests < ActiveRecord::Migration[7.2]
+  def change
+    add_column :authorization_requests, :public_id, :uuid, default: 'gen_random_uuid()'
+    add_index :authorization_requests, :public_id
+  end
+end

features/page_publique_habilitation.feature

@@ -0,0 +1,10 @@
+# language: fr
+
+Fonctionnalité: Consultation d'une demande d'habilitation via sa page public
+  Chaque demande d'habilitation possède une page public accessible à n'importe quel internaute
+
+  Scénario: Je peux consulter une page de demande d'habilitation sans être connectée
+    Sachant qu'il existe une demande d'habilitation "API Entreprise" intitulée "Ma superbe demande"
+    Et que je visite sa page publique
+    Alors la page contient "API Entreprise"
+    Et la page contient "Ma superbe demande"

features/step_definitions/authorization_requests_steps.rb

@@ -1,3 +1,11 @@
+Quand("il existe une demande d'habilitation {string} intitulée {string}") do |authorization_request_kind, authorization_request_name|
+  FactoryBot.create(
+    :authorization_request,
+    find_factory_trait_from_name(authorization_request_kind),
+    intitule: authorization_request_name,
+  )
+end
+
 Quand("j'ai déjà une demande d'habilitation {string} en cours") do |string|
   FactoryBot.create(
     :authorization_request,
@@ -301,3 +309,9 @@
     expect(page).to have_css('.authorization-request-state', text: I18n.t("authorization_request.status.#{state}"), count:)
   end
 end
+
+Quand('je visite sa page publique') do
+  authorization_request = AuthorizationRequest.last
+
+  visit public_authorization_request_path(authorization_request.public_id)
+end