fix(questionnaire): Fixes error when trying to view a questionnaire modified by a deleted admin (#238)

* fix(dashboard): Fixes security vulnerability that allowed event_tracking role to access Dashboard (#215)

* chore(release): 1.22.3 [skip ci]

## [1.22.3](v1.22.2...v1.22.3) (2020-05-16)

### Bug Fixes

* **dashboard:** Fixes security vulnerability that allowed event_tracking role to access Dashboard ([#215](#215)) ([](74a40ad))

### Styles

* **check-in:** Changes table header to be more descriptive ([#207](#207)) ([](889fbd0))
* **config:** Removes unused event_is_over flag ([#208](#208)) ([](0c73e66))

* build(deps): Upgrade yarn (#212)

* build(deps): Upgrade yarn

* build(deps): Upgrade gems

* build(deps): Remove obsolete gems

* v0.0.0

* build(deps): Update semantic-release

* fix(questionnaire): visual bug in school autocomplete school dropdown

the css was set for an "a" tag when the list was made up of divs so I
switched the css to work for the "div" tag in the autocomplete

* fix(questionnaire): visual bug in school autocomplete school dropdown

the css was set for an "a" tag when the list was made up of divs so I
switched the css to work for the "div" tag in the autocomplete. I also
hide a element that was not present earlier

* build(deps): Upgrades Rails to 5.2.4.3

* build(deps): Upgrades gems

Co-authored-by: Jeremy Rudman <[email protected]>

* build(deps): Bump puma from 4.3.4 to 4.3.5 (#219)

Bumps [puma](https://github.com/puma/puma) from 4.3.4 to 4.3.5.
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/master/History.md)
- [Commits](https://github.com/puma/puma/commits)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): Upgrades Puma cache (#221)

* fix(questionnaire): Fixes error when trying to view a questionnaire modified by a deleted admin

* refactor(tests): Cleans verbage of tests to match

Co-authored-by: semantic-release-bot <[email protected]>
Co-authored-by: Jeremy Rudman <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: 4 people

app/helpers/audit_helper.rb

@@ -3,7 +3,7 @@ def display_audit_value(value, field)
     return "(none)" if value.blank?
     return Questionnaire::POSSIBLE_ACC_STATUS[value] if field == "acc_status"
     return BusList.find(value)&.name || value if field == "bus_list_id"
-    return User.find(value)&.full_name || value if field == "checked_in_by_id"
+    return User.find_by_id(value)&.full_name || "(deleted user)" if field == "checked_in_by_id"
     return value.join(", ") if value.is_a? Array
     return display_datetime(value, relative: false) if value.is_a? Time
 

app/models/questionnaire.rb

@@ -159,7 +159,7 @@ def date_of_birth_formatted
 
   def acc_status_author
     return unless acc_status_author_id.present?
-    User.find(acc_status_author_id)
+    User.find_by_id(acc_status_author_id)
   end
 
   def checked_in?
@@ -172,7 +172,7 @@ def boarded_bus?
 
   def checked_in_by
     return unless checked_in_by_id.present?
-    User.find(checked_in_by_id)
+    User.find_by_id(checked_in_by_id)
   end
 
   def fips_code

app/views/manage/questionnaires/_checkin_card.html.haml

@@ -5,7 +5,13 @@
       = render 'manage/questionnaires/check_in_badge'
       - if @questionnaire.checked_in_at
         %small
-          = @questionnaire.checked_in_by_id ? @questionnaire.checked_in_by.email : "(never checked in)"
+          - if @questionnaire.checked_in_by_id
+            - if @questionnaire.checked_in_by
+              = @questionnaire.checked_in_by.email
+            - else
+              = "(deleted user)"
+          - else
+            = "(never checked in)"
           = @questionnaire.checked_in_at ? display_datetime(@questionnaire.checked_in_at, in_sentence: true) : "(not checked in)"
     - if [email protected]_in_at
       %p.card-text

app/views/manage/questionnaires/show.html.haml

@@ -32,7 +32,13 @@
         %p.card-text
           = render 'acc_status_badge'
           %small
-            = @questionnaire.acc_status_author_id ? @questionnaire.acc_status_author.email : "(no author)"
+            - if @questionnaire.acc_status_author_id
+              - if @questionnaire.acc_status_author
+                = @questionnaire.acc_status_author.email
+              - else
+                = "(deleted user)"
+            - else
+              = "(no author)"
             = @questionnaire.acc_status_date ? display_datetime(@questionnaire.acc_status_date, in_sentence: true) : "(no date)"
         - if current_user.admin?
           = bs_vertical_simple_form @questionnaire, url: url_for(action: "update_acc_status", controller: "questionnaires") do |f|

test/models/questionnaire_test.rb

@@ -204,6 +204,13 @@ class QuestionnaireTest < ActiveSupport::TestCase
       assert_nil questionnaire.acc_status_author
     end
 
+    should "return nil if author deleted" do
+      user = create(:user, email: "[email protected]")
+      questionnaire = create(:questionnaire, acc_status_author_id: user.id)
+      user.destroy
+      assert_nil questionnaire.acc_status_author
+    end
+
     should "return the questionnaire's user" do
       user = create(:user, email: "[email protected]")
       questionnaire = create(:questionnaire, acc_status_author_id: user.id)
@@ -396,12 +403,19 @@ class QuestionnaireTest < ActiveSupport::TestCase
   end
 
   context "#checked_in_by" do
-    should "return no one if not checked in" do
+    should "return nil if not checked in" do
       questionnaire = create(:questionnaire)
       assert_nil questionnaire.checked_in_by
       assert_nil questionnaire.checked_in_by_id
     end
 
+    should "return nil if user who checked-in questionnaire is deleted" do
+      user = create(:user)
+      questionnaire = create(:questionnaire, checked_in_by_id: user.id)
+      user.destroy
+      assert_nil questionnaire.checked_in_by
+    end
+
     should "return user who checked in ther questionnaire" do
       user = create(:user)
       questionnaire = create(:questionnaire, checked_in_by_id: user.id)