From e36df94f0f50338684d7c8b6c09e4c2fa31b24d4 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Thu, 30 Jun 2016 11:39:56 +0200 Subject: [PATCH] server-side protection against deleting used filters --- app/assets/javascripts/controllers/admin/events.coffee | 6 ++++-- app/controllers/api/age_ranges_controller.rb | 7 +++++-- app/controllers/api/event_themes_controller.rb | 7 +++++-- app/models/age_range.rb | 8 ++++++++ app/models/event_theme.rb | 8 ++++++++ config/locales/app.admin.en.yml | 1 + config/locales/app.admin.fr.yml | 1 + 7 files changed, 32 insertions(+), 6 deletions(-) diff --git a/app/assets/javascripts/controllers/admin/events.coffee b/app/assets/javascripts/controllers/admin/events.coffee index f15fc5606..779e2e118 100644 --- a/app/assets/javascripts/controllers/admin/events.coffee +++ b/app/assets/javascripts/controllers/admin/events.coffee @@ -203,8 +203,10 @@ Application.Controllers.controller "AdminEventsController", ["$scope", "$state", title: _t('confirmation_required') msg: _t('do_you_really_want_to_delete_this_ELEMENT', {ELEMENT:model}, "messageformat") , -> # delete confirmed - getModel(model)[0].delete getModel(model)[1][index] - getModel(model)[1].splice(index, 1) + getModel(model)[0].delete getModel(model)[1][index], null, -> + getModel(model)[1].splice(index, 1) + , -> + growl.error(_t('unable_to_delete_an_error_occured')) diff --git a/app/controllers/api/age_ranges_controller.rb b/app/controllers/api/age_ranges_controller.rb index a597c5868..03c3a5602 100644 --- a/app/controllers/api/age_ranges_controller.rb +++ b/app/controllers/api/age_ranges_controller.rb @@ -31,8 +31,11 @@ class API::AgeRangesController < API::ApiController def destroy authorize AgeRange - @age_range.destroy - head :no_content + if @age_range.safe_destroy + head :no_content + else + render json: @age_range.errors, status: :unprocessable_entity + end end private 
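Review bot: The error callback added to the `delete` call shows the generic `unable_to_delete_an_error_occured` message for every failure, so a 422 from the new in-use check looks the same to the admin as a denied or failed request. Taking the response in the callback (`, (error) ->`) and branching on `error.status == 422` would allow a specific "still in use" message; the locale context in this commit already contains `unable_to_delete_ELEMENT_already_in_use_NUMBER_times`. `growl` does not appear in the hunk's context lines, and the injection list in the hunk header is cut off after "$state", so confirm it is injected into `AdminEventsController`. The enclosing controller starts and ends outside the hunk.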
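Review bot: In the `else` branch of `destroy`, `render json: @age_range.errors` will most likely serialise an empty object, because `safe_destroy` as added in app/models/age_range.rb returns `false` on the in-use path without adding anything to `errors`. The 422 then gives the client no reason for the refusal. Either have the model record one before returning `false` (`errors.add(:base, 'still associated with events')`) or render an explicit body here. The same applies to the identical hunk in app/controllers/api/event_themes_controller.rb. `@age_range` is assigned outside the hunk, presumably by a before_action.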
diff --git a/app/controllers/api/event_themes_controller.rb b/app/controllers/api/event_themes_controller.rb index ee7febed5..2ba64e0a7 100644 --- a/app/controllers/api/event_themes_controller.rb +++ b/app/controllers/api/event_themes_controller.rb @@ -31,8 +31,11 @@ class API::EventThemesController < API::ApiController def destroy authorize EventTheme - @event_theme.destroy - head :no_content + if @event_theme.safe_destroy + head :no_content + else + render json: @event_theme.errors, status: :unprocessable_entity + end end private diff --git a/app/models/age_range.rb b/app/models/age_range.rb index 0bc247d8c..0b4c83b38 100644 --- a/app/models/age_range.rb +++ b/app/models/age_range.rb @@ -3,4 +3,12 @@ class AgeRange < ActiveRecord::Base friendly_id :name, use: :slugged has_many :events, dependent: :nullify + + def safe_destroy + if self.events.count == 0 + destroy + else + false + end + end end diff --git a/app/models/event_theme.rb b/app/models/event_theme.rb index 4b39a5cef..9fc600e7a 100644 --- a/app/models/event_theme.rb +++ b/app/models/event_theme.rb @@ -3,4 +3,12 @@ class EventTheme < ActiveRecord::Base friendly_id :name, use: :slugged has_and_belongs_to_many :events, join_table: :events_event_themes, dependent: :destroy + + def safe_destroy + if self.events.count == 0 + destroy + else + false + end + end end diff --git a/config/locales/app.admin.en.yml b/config/locales/app.admin.en.yml index d4cc98563..1d5975b30 100644 --- a/config/locales/app.admin.en.yml +++ b/config/locales/app.admin.en.yml 
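Review bot: `safe_destroy` in app/models/age_range.rb leaves `destroy` itself unguarded, so the protection holds only for callers that use the new method; any other path calling `destroy` still clears the events' reference through `dependent: :nullify`. It is also check-then-act: an event attached between `events.count == 0` and `destroy` is not seen. Putting the rule on the association, `has_many :events, dependent: :restrict_with_error`, makes every `destroy` return `false` with an entry in `errors`, and a foreign-key constraint in the database would cover the remaining race. The same method is added verbatim in app/models/event_theme.rb, so the check would be better enforced once (a `before_destroy` callback or shared concern) than copied. If the method stays, `events.empty?` is more idiomatic than `self.events.count == 0`.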
@@ -87,6 +87,7 @@ en: do_you_really_want_to_delete_this_ELEMENT: "Do you really want to delete this {ELEMENT, select, category{category} theme{theme} age_range{age range} other{element}}?" # messageFormat interpolation unable_to_delete_ELEMENT_already_in_use_NUMBER_times: "Unable to delete this {ELEMENT, select, category{category} theme{theme} age_range{age range} other{element}} because it is already associated with {NUMBER, plural, =0{no events} one{one event} other{{NUMBER} events}}." # messageFormat interpolation at_least_one_category_is_required_unable_to_delete_the_last_one: "At least one category is required. Unable to delete the last one." + unable_to_delete_an_error_occured: "Unable to delete: an error occurred." events_new: # add a new event diff --git a/config/locales/app.admin.fr.yml b/config/locales/app.admin.fr.yml index bda0fa36a..afc937009 100644 --- a/config/locales/app.admin.fr.yml +++ b/config/locales/app.admin.fr.yml @@ -87,6 +87,7 @@ fr: do_you_really_want_to_delete_this_ELEMENT: "Voulez-vous vraiment supprimer cette {ELEMENT, select, category{catégorie} theme{thématique} age_range{tranche d'âge} other{élément}} ?" # messageFormat interpolation unable_to_delete_ELEMENT_already_in_use_NUMBER_times: "Impossible de supprimer cette {ELEMENT, select, category{catégorie} theme{thématique} age_range{tranche d'âge} other{élément}} car elle est actuellement associée à {NUMBER, plural, =0{aucun évènement} one{un évènement} other{{NUMBER} évènements}}." # messageFormat interpolation at_least_one_category_is_required_unable_to_delete_the_last_one: "Au moins une catégorie est requise. Impossible de supprimer la dernière." + unable_to_delete_an_error_occured: "Impossible de supprimer : une erreur est survenue." events_new: # ajouter un nouveau atelier/stage