gip-inclusion · EwenKorr · Jan 23, 2025 · Jan 20, 2025 · Jan 20, 2025 · Jan 20, 2025
diff --git a/itou/www/job_seekers_views/views.py b/itou/www/job_seekers_views/views.py
@@ -210,6 +210,12 @@ def setup(self, request, *args, **kwargs):
         data |= {"apply": {"company_pk": company.pk}} if company else {}
         self.job_seeker_session = SessionNamespace.create_uuid_namespace(request.session, data)
 
+    def dispatch(self, request, *args, **kwargs):
+        if request.user.kind not in [UserKind.PRESCRIBER, UserKind.EMPLOYER]:
+            raise PermissionDenied("Vous n'êtes pas autorisé à rechercher ou créer un compte candidat.")
+
+        return super().dispatch(request, *args, **kwargs)
+
     def get(self, request, *args, **kwargs):
         if self.tunnel == "sender" or self.tunnel == "gps":
             view_name = "job_seekers_views:check_nir_for_sender"
@@ -301,8 +307,7 @@ def setup(self, request, *args, **kwargs):
 
     def dispatch(self, request, *args, **kwargs):
         if self.sender.kind not in [UserKind.PRESCRIBER, UserKind.EMPLOYER]:
-            logger.info(f"dispatch ({request.path}) : {self.sender.kind} in sender tunnel")
-            return HttpResponseRedirect(reverse("apply:start", kwargs={"company_pk": self.company.pk}))
+            raise PermissionDenied()
         return super().dispatch(request, *args, **kwargs)
 
 
@@ -322,8 +327,7 @@ def setup(self, request, *args, **kwargs):
 
     def dispatch(self, request, *args, **kwargs):
         if not self.job_seeker.is_job_seeker:
-            logger.info(f"dispatch ({request.path}) : {request.user.kind} in jobseeker tunnel")
-            return HttpResponseRedirect(reverse("apply:start", kwargs={"company_pk": self.company.pk}))
+            raise PermissionDenied()
         return super().dispatch(request, *args, **kwargs)
 
     def get(self, request, *args, **kwargs):

diff --git a/tests/www/apply/test_submit.py b/tests/www/apply/test_submit.py
@@ -96,21 +96,8 @@ def test_anonymous_access(self, client):
             "apply:start",
             "apply:start_hire",
             "apply:pending_authorization_for_sender",
-            "job_seekers_views:check_nir_for_sender",
-            "job_seekers_views:check_nir_for_job_seeker",
         ):
-            if viewname.startswith("apply"):
-                url = reverse(viewname, kwargs={"company_pk": company.pk})
-            else:
-                # Init session (as it would be in apply:start)
-                session = client.session
-                session_name = str(uuid.uuid4())
-                session[session_name] = {
-                    "config": {},
-                    "apply": {"company_pk": company.pk},
-                }
-                session.save()
-                url = reverse(viewname, kwargs={"session_uuid": session_name})
+            url = reverse(viewname, kwargs={"company_pk": company.pk})
             response = client.get(url)
             assertRedirects(response, reverse("account_login") + f"?next={url}")
 
@@ -562,27 +549,6 @@ def test_apply_as_job_seeker_temporary_nir(self, client):
             html=True,
         )
 
-    def test_apply_as_job_seeker_on_sender_tunnel(self, client):
-        company = CompanyFactory()
-        user = JobSeekerFactory()
-        client.force_login(user)
-
-        # Init session (as it would be in apply:start)
-        session = client.session
-        session_name = str(uuid.uuid4())
-        session[session_name] = {
-            "config": {
-                "tunnel": "job_seeker",
-                "from_url": reverse("companies_views:card", kwargs={"siae_id": company.pk}),
-            },
-            "apply": {"company_pk": company.pk},
-        }
-        session.save()
-        response = client.get(reverse("job_seekers_views:check_nir_for_sender", kwargs={"session_uuid": session_name}))
-        assertRedirects(
-            response, reverse("apply:start", kwargs={"company_pk": company.pk}), fetch_redirect_response=False
-        )
-
     def test_apply_as_job_seeker_from_job_description(self, client):
         company = CompanyWithMembershipAndJobsFactory(romes=("N1101", "N1105"))
         job_description = company.job_description_through.first()
@@ -1879,29 +1845,6 @@ def test_apply_as_prescriber(self, client, pdf_file):
         response = client.get(next_url)
         assert response.status_code == 200
 
-    def test_apply_as_prescriber_on_job_seeker_tunnel(self, client):
-        company = CompanyFactory()
-        user = PrescriberFactory()
-        client.force_login(user)
-
-        # Init session (as it would be in apply:start)
-        session = client.session
-        session_name = str(uuid.uuid4())
-        session[session_name] = {
-            "config": {
-                "tunnel": "sender",
-                "from_url": reverse("companies_views:card", kwargs={"siae_id": company.pk}),
-                "session_kind": JobSeekerSessionKinds.GET_OR_CREATE,
-            },
-            "apply": {"company_pk": company.pk},
-        }
-        session.save()
-
-        response = client.get(
-            reverse("job_seekers_views:check_nir_for_job_seeker", kwargs={"session_uuid": session_name})
-        )
-        assert response.status_code == 404  # session_kind doesn't match
-
     def test_check_info_as_prescriber_for_job_seeker_with_incomplete_info(self, client):
         company = CompanyFactory(with_membership=True, with_jobs=True, romes=("N1101", "N1105"))
         user = PrescriberFactory()
@@ -3107,8 +3050,6 @@ class TestApplyAsOther:
     ROUTES = [
         "apply:start",
         "apply:start_hire",
-        "job_seekers_views:check_nir_for_job_seeker",
-        "job_seekers_views:check_nir_for_sender",
     ]
 
     def test_labor_inspectors_are_not_allowed_to_submit_application(self, client, subtests):
@@ -3119,18 +3060,7 @@ def test_labor_inspectors_are_not_allowed_to_submit_application(self, client, su
 
         for route in self.ROUTES:
             with subtests.test(route=route):
-                if route.startswith("apply"):
-                    response = client.get(reverse(route, kwargs={"company_pk": company.pk}), follow=True)
-                else:
-                    # Init session (as it would be in apply:start)
-                    session = client.session
-                    session_name = str(uuid.uuid4())
-                    session[session_name] = {
-                        "config": {},
-                        "apply": {"company_pk": company.pk},
-                    }
-                    session.save()
-                    response = client.get(reverse(route, kwargs={"session_uuid": session_name}), follow=True)
+                response = client.get(reverse(route, kwargs={"company_pk": company.pk}), follow=True)
                 assert response.status_code == 403
 
     def test_itou_staff_are_not_allowed_to_submit_application(self, client, subtests):
@@ -3140,18 +3070,7 @@ def test_itou_staff_are_not_allowed_to_submit_application(self, client, subtests
 
         for route in self.ROUTES:
             with subtests.test(route=route):
-                if route.startswith("apply"):
-                    response = client.get(reverse(route, kwargs={"company_pk": company.pk}), follow=True)
-                else:
-                    # Init session (as it would be in apply:start)
-                    session = client.session
-                    session_name = str(uuid.uuid4())
-                    session[session_name] = {
-                        "config": {},
-                        "apply": {"company_pk": company.pk},
-                    }
-                    session.save()
-                    response = client.get(reverse(route, kwargs={"session_uuid": session_name}), follow=True)
+                response = client.get(reverse(route, kwargs={"company_pk": company.pk}), follow=True)
                 assert response.status_code == 403
 
 
@@ -3858,10 +3777,6 @@ def _check_only_administrative_allowed(self, client, user):
 class TestUpdateJobSeeker(UpdateJobSeekerTestMixin):
     FINAL_REDIRECT_VIEW_NAME = "apply:application_jobs"
 
-    def test_anonymous_start(self, client):
-        response = client.get(self.start_url)
-        assertRedirects(response, add_url_params(reverse("account_login"), {"next": self.start_url}))
-
     def test_as_job_seeker(self, client):
         self._check_nothing_permitted(client, self.job_seeker)
 
@@ -4000,10 +3915,6 @@ def test_as_company_that_last_step_doesnt_crash_with_direct_access(self, client)
 class TestUpdateJobSeekerForHire(UpdateJobSeekerTestMixin):
     FINAL_REDIRECT_VIEW_NAME = "job_seekers_views:check_job_seeker_info_for_hire"
 
-    def test_anonymous_start(self, client):
-        response = client.get(self.start_url)
-        assertRedirects(response, add_url_params(reverse("account_login"), {"next": self.start_url}))
-
     def test_as_job_seeker(self, client):
         self._check_nothing_permitted(client, self.job_seeker)