auth: tighten the index on EstablishmentUserRole

We were scoping the uniqueness of the role to the user and establishment, which meant you could have: - user 1, etab X, role: dir - user 1, etab X, role: authorised - user 1, etab X, role: anything Tighten the index by making the unique index enforce one user per establishment instead.
betagouv · Oct 17, 2023 · b7f7c13 · b7f7c13
1 parent 2fe6eef
commit b7f7c13
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 7 deletions.
diff --git a/app/models/establishment_user_role.rb b/app/models/establishment_user_role.rb
@@ -6,7 +6,8 @@ class EstablishmentUserRole < ApplicationRecord
 
   enum role: { dir: 0, authorised: 1 }
 
-  validates :role,
-            presence: true,
-            uniqueness: { scope: %i[establishment_id user_id] }
+  validates :role, presence: true
+
+  validates :user,
+            uniqueness: { scope: %i[establishment_id] }
 end
diff --git a/db/migrate/20231014100213_add_unique_index_on_establishment_users.rb b/db/migrate/20231014100213_add_unique_index_on_establishment_users.rb
@@ -2,6 +2,6 @@
 
 class AddUniqueIndexOnEstablishmentUsers < ActiveRecord::Migration[7.1]
   def change
-    add_index :establishment_users, %i[establishment_id user_id role], unique: true
+    add_index :establishment_users, %i[establishment_id user_id], unique: true
   end
 end
diff --git a/db/schema.rb b/db/schema.rb
diff --git a/spec/models/establishment_user_role_spec.rb b/spec/models/establishment_user_role_spec.rb
@@ -18,8 +18,8 @@
       # outside of one-line blocks, but if this was to be a one-liner then
       # the line would be too long... tough times.
       is_expected.to( # rubocop:disable RSpec/ImplicitSubject
-        validate_uniqueness_of(:role)
-          .scoped_to(:establishment_id, :user_id)
+        validate_uniqueness_of(:user)
+          .scoped_to(:establishment_id)
           .ignoring_case_sensitivity
       )
     }