fix(questionnaire): Fixes error when trying to view a questionnaire m…

…odified by a deleted admin (#238) * fix(dashboard): Fixes security vulnerability that allowed event_tracking role to access Dashboard (#215) * chore(release): 1.22.3 [skip ci] ## [1.22.3](v1.22.2...v1.22.3) (2020-05-16) ### Bug Fixes * **dashboard:** Fixes security vulnerability that allowed event_tracking role to access Dashboard ([#215](#215)) ([](74a40ad)) ### Styles * **check-in:** Changes table header to be more descriptive ([#207](#207)) ([](889fbd0)) * **config:** Removes unused event_is_over flag ([#208](#208)) ([](0c73e66)) * build(deps): Upgrade yarn (#212) * build(deps): Upgrade yarn * build(deps): Upgrade gems * build(deps): Remove obsolete gems * v0.0.0 * build(deps): Update semantic-release * fix(questionnaire): visual bug in school autocomplete school dropdown the css was set for an "a" tag when the list was made up of divs so I switched the css to work for the "div" tag in the autocomplete * fix(questionnaire): visual bug in school autocomplete school dropdown the css was set for an "a" tag when the list was made up of divs so I switched the css to work for the "div" tag in the autocomplete. I also hide a element that was not present earlier * build(deps): Upgrades Rails to 5.2.4.3 * build(deps): Upgrades gems Co-authored-by: Jeremy Rudman <jeremyrudman@gmail.com> * build(deps): Bump puma from 4.3.4 to 4.3.5 (#219) Bumps [puma](https://github.com/puma/puma) from 4.3.4 to 4.3.5. - [Release notes](https://github.com/puma/puma/releases) - [Changelog](https://github.com/puma/puma/blob/master/History.md) - [Commits](https://github.com/puma/puma/commits) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): Upgrades Puma cache (#221) * fix(questionnaire): Fixes error when trying to view a questionnaire modified by a deleted admin * refactor(tests): Cleans verbage of tests to match Co-authored-by: semantic-release-bot <semantic-release-bot@martynus.net> Co-authored-by: Jeremy Rudman <jeremyrudman@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
codeRIT · Jun 11, 2020 · f07ec28 · f07ec28
1 parent 2808058
commit f07ec28
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 6 deletions.
diff --git a/app/helpers/audit_helper.rb b/app/helpers/audit_helper.rb
@@ -3,7 +3,7 @@ def display_audit_value(value, field)
     return "(none)" if value.blank?
     return Questionnaire::POSSIBLE_ACC_STATUS[value] if field == "acc_status"
     return BusList.find(value)&.name || value if field == "bus_list_id"
-    return User.find(value)&.full_name || value if field == "checked_in_by_id"
+    return User.find_by_id(value)&.full_name || "(deleted user)" if field == "checked_in_by_id"
     return value.join(", ") if value.is_a? Array
     return display_datetime(value, relative: false) if value.is_a? Time
 

diff --git a/app/models/questionnaire.rb b/app/models/questionnaire.rb
@@ -159,7 +159,7 @@ def date_of_birth_formatted
 
   def acc_status_author
     return unless acc_status_author_id.present?
-    User.find(acc_status_author_id)
+    User.find_by_id(acc_status_author_id)
   end
 
   def checked_in?
@@ -172,7 +172,7 @@ def boarded_bus?
 
   def checked_in_by
     return unless checked_in_by_id.present?
-    User.find(checked_in_by_id)
+    User.find_by_id(checked_in_by_id)
   end
 
   def fips_code

diff --git a/app/views/manage/questionnaires/_checkin_card.html.haml b/app/views/manage/questionnaires/_checkin_card.html.haml
@@ -5,7 +5,13 @@
       = render 'manage/questionnaires/check_in_badge'
       - if @questionnaire.checked_in_at
         %small
-          = @questionnaire.checked_in_by_id ? @questionnaire.checked_in_by.email : "(never checked in)"
+          - if @questionnaire.checked_in_by_id
+            - if @questionnaire.checked_in_by
+              = @questionnaire.checked_in_by.email
+            - else
+              = "(deleted user)"
+          - else
+            = "(never checked in)"
           = @questionnaire.checked_in_at ? display_datetime(@questionnaire.checked_in_at, in_sentence: true) : "(not checked in)"
     - if !@questionnaire.checked_in_at
       %p.card-text

diff --git a/app/views/manage/questionnaires/show.html.haml b/app/views/manage/questionnaires/show.html.haml
@@ -32,7 +32,13 @@
         %p.card-text
           = render 'acc_status_badge'
           %small
-            = @questionnaire.acc_status_author_id ? @questionnaire.acc_status_author.email : "(no author)"
+            - if @questionnaire.acc_status_author_id
+              - if @questionnaire.acc_status_author
+                = @questionnaire.acc_status_author.email
+              - else
+                = "(deleted user)"
+            - else
+              = "(no author)"
             = @questionnaire.acc_status_date ? display_datetime(@questionnaire.acc_status_date, in_sentence: true) : "(no date)"
         - if current_user.admin?
           = bs_vertical_simple_form @questionnaire, url: url_for(action: "update_acc_status", controller: "questionnaires") do |f|

diff --git a/test/models/questionnaire_test.rb b/test/models/questionnaire_test.rb
@@ -204,6 +204,13 @@ class QuestionnaireTest < ActiveSupport::TestCase
       assert_nil questionnaire.acc_status_author
     end
 
+    should "return nil if author deleted" do
+      user = create(:user, email: "admin@example.com")
+      questionnaire = create(:questionnaire, acc_status_author_id: user.id)
+      user.destroy
+      assert_nil questionnaire.acc_status_author
+    end
+
     should "return the questionnaire's user" do
       user = create(:user, email: "admin@example.com")
       questionnaire = create(:questionnaire, acc_status_author_id: user.id)
@@ -396,12 +403,19 @@ class QuestionnaireTest < ActiveSupport::TestCase
   end
 
   context "#checked_in_by" do
-    should "return no one if not checked in" do
+    should "return nil if not checked in" do
       questionnaire = create(:questionnaire)
       assert_nil questionnaire.checked_in_by
       assert_nil questionnaire.checked_in_by_id
     end
 
+    should "return nil if user who checked-in questionnaire is deleted" do
+      user = create(:user)
+      questionnaire = create(:questionnaire, checked_in_by_id: user.id)
+      user.destroy
+      assert_nil questionnaire.checked_in_by
+    end
+
     should "return user who checked in ther questionnaire" do
       user = create(:user)
       questionnaire = create(:questionnaire, checked_in_by_id: user.id)