diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index ff7d871f2..4d3b7ad8f 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -45,6 +45,10 @@ class UserPolicy
 !has_any_logs_in_editable_collection_period && !has_signed_data_protection_agreement?
 end
+ def edit_organisation?
+ @current_user.support? && @user.active?
+ end
+
 private
 def has_any_logs_in_editable_collection_period
diff --git a/app/views/users/edit.html.erb b/app/views/users/edit.html.erb
index 6fdfdb5aa..692a6c4c5 100644
--- a/app/views/users/edit.html.erb
+++ b/app/views/users/edit.html.erb
@@ -42,6 +42,24 @@
 legend: { text: "Role", size: "m" } %>
 <% end %>
+ <% if UserPolicy.new(current_user, @user).edit_organisation? %>
+ <% null_option = [OpenStruct.new(id: "", name: "Select an option")] %>
+ <% organisations = Organisation.filter_by_active.map { |org| OpenStruct.new(id: org.id, name: org.name) } %>
+ <% answer_options = null_option + organisations %>
+
+ <%= f.govuk_select(:organisation_id,
+ label: { text: "Organisation", size: "m" },
+ "data-controller": "accessible-autocomplete") do %>
+ <% answer_options.each do |answer| %>
+ + <% end %> + <% end %> + <% end %> + + <%= f.govuk_submit "Save changes" %>
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
index df8c0e915..7f42107f8 100644
--- a/app/views/users/show.html.erb
+++ b/app/views/users/show.html.erb
@@ -68,7 +68,15 @@
 <%= summary_list.with_row do |row|
 row.with_key { "Organisation" }
 row.with_value { current_user.support? ? govuk_link_to(@user.organisation.name, lettings_logs_organisation_path(@user.organisation)) : @user.organisation.name }
- row.with_action
+ if UserPolicy.new(current_user, @user).edit_organisation?
+ row.with_action(
+ visually_hidden_text: "organisation",
+ href: aliased_user_edit(@user, current_user),
+ html_attributes: { "data-qa": "change-organisation" },
+ )
+ else
+ row.with_action
+ end
 end %>
 <%= summary_list.with_row do |row|
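Review bot: `edit_organisation?` at the top of the hunk is consulted only by the two views in this commit; no change to the controller's permitted parameters is visible, so whether `organisation_id` is rejected server-side for non-support users is not established here. Unless the update action already filters that attribute on the same condition, the `if` around the select in the edit view hides the field without preventing the attribute from being saved — please confirm or add that check. The method also has no doc comment; `# Only support users may move another user between organisations, and only while the target account is active.` above `def edit_organisation?` would record the intent of the `@user.active?` clause. The class body continues outside the hunk.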
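Review bot: The two `OpenStruct.new` calls in the added block are a style issue: `OpenStruct` is discouraged by RuboCop (`Style/OpenStructUse`), needs `require "ostruct"` to be guaranteed in scope, and builds a singleton class per organisation on every render of this page. `Organisation.filter_by_active` is mapped only to extract `id` and `name`, so `Organisation.filter_by_active.pluck(:id, :name)` (or a small `Struct`) yields the same option list without loading full records. As rendered here the body of the `answer_options.each` loop is empty — if that is an artefact of how the diff was captured, ignore; otherwise the select renders no options. The surrounding form starts before the hunk.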
diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
index e2266cb48..63f3317d8 100644
--- a/spec/policies/user_policy_spec.rb
+++ b/spec/policies/user_policy_spec.rb
@@ -100,6 +100,20 @@ RSpec.describe UserPolicy do
 end
 end
+ permissions :edit_organisation? do
+ it "as a provider it does not allow changing organisation" do
+ expect(policy).not_to permit(data_provider, data_provider)
+ end
+
+ it "as a coordinator it does not allow changing organisatio" do
+ expect(policy).not_to permit(data_coordinator, data_provider)
+ end
+
+ it "as a support user allows changing other user's organisation" do
+ expect(policy).to permit(support, data_provider)
+ end
+ end
+
 permissions :delete? do
 context "with active user" do
 let(:user) { create(:user, last_sign_in_at: Time.zone.yesterday) }
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index dac2806a5..4096b747b 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -149,6 +149,7 @@ RSpec.describe UsersController, type: :request do
 expect(page).not_to have_link("Change", text: "role")
 expect(page).not_to have_link("Change", text: "if data protection officer")
 expect(page).not_to have_link("Change", text: "if a key contact")
+ expect(page).not_to have_link("Change", text: "organisation")
 end
 it "does not allow deactivating the user" do
@@ -208,6 +209,7 @@ RSpec.describe UsersController, type: :request do
 expect(page).not_to have_link("Change", text: "role")
 expect(page).not_to have_link("Change", text: "if data protection officer")
 expect(page).not_to have_link("Change", text: "if a key contact")
+ expect(page).not_to have_link("Change", text: "organisation")
 end
 it "does not allow deactivating the user" do
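Review bot: The `edit_organisation?` permissions block never exercises the `@user.active?` half of the policy: all three examples pass `data_provider` as the target, so a support user acting on a deactivated user — which the policy is written to deny — is untested. Adding `it "as a support user does not allow changing a deactivated user's organisation" do`, `expect(policy).not_to permit(support, <deactivated user fixture>)`, `end` would pin that branch (how deactivated users are built in this spec is outside the hunk). The second example's description also has a typo: `"... does not allow changing organisatio"` should read `"... changing organisation"`.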
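Review bot: Every new assertion in this hunk, and the matching ones in the later `users_controller_spec.rb` hunks, checks only what the rendered page shows (`have_link` / `have_field`); none sends an update carrying `user[organisation_id]` as a non-support user and asserts the organisation is unchanged. Since the views are gated by `UserPolicy#edit_organisation?` but this commit shows no corresponding controller change, a request-level example that PATCHes the user's update route with `params: { user: { organisation_id: <other organisation id> } }` and then checks `expect(user.reload.organisation_id).to eq(<original organisation id>)` is what would demonstrate the restriction is enforced rather than merely hidden. The `it` blocks these assertions belong to start before the hunk.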
@@ -258,6 +260,7 @@ RSpec.describe UsersController, type: :request do
 expect(page).not_to have_field("user[role]")
 expect(page).not_to have_field("user[is_dpo]")
 expect(page).not_to have_field("user[is_key_contact]")
+ expect(page).not_to have_field("user[organisation_id]")
 end
 end
@@ -607,6 +610,7 @@ RSpec.describe UsersController, type: :request do
 expect(page).to have_link("Change", text: "role")
 expect(page).to have_link("Change", text: "if data protection officer")
 expect(page).to have_link("Change", text: "if a key contact")
+ expect(page).not_to have_link("Change", text: "organisation")
 end
 it "does not allow deactivating the user" do
@@ -655,6 +659,7 @@ RSpec.describe UsersController, type: :request do
 expect(page).to have_link("Change", text: "role")
 expect(page).to have_link("Change", text: "if data protection officer")
 expect(page).to have_link("Change", text: "if a key contact")
+ expect(page).not_to have_link("Change", text: "organisation")
 end
 it "allows deactivating the user" do
@@ -713,6 +718,7 @@ RSpec.describe UsersController, type: :request do
 expect(page).to have_field("user[name]")
 expect(page).to have_field("user[email]")
 expect(page).to have_field("user[role]")
+ expect(page).not_to have_field("user[organisation_id]")
 end
 it "does not allow setting the role to `support`" do
@@ -738,6 +744,7 @@ RSpec.describe UsersController, type: :request do
 expect(page).to have_field("user[name]")
 expect(page).to have_field("user[email]")
 expect(page).to have_field("user[role]")
+ expect(page).not_to have_field("user[organisation_id]")
 end
 end
@@ -1459,6 +1466,7 @@ RSpec.describe UsersController, type: :request do
 expect(page).to have_link("Change", text: "role")
 expect(page).to have_link("Change", text: "if data protection officer")
 expect(page).to have_link("Change", text: "if a key contact")
+ expect(page).to have_link("Change", text: "organisation")
 end
 it "does not allow deactivating the user" do
@@ -1488,6 +1496,7 @@ RSpec.describe UsersController, type: :request do
 expect(page).to have_link("Change", text: "role")
 expect(page).to have_link("Change", text: "if data protection officer")
 expect(page).to have_link("Change", text: "if a key contact")
+ expect(page).to have_link("Change", text: "organisation")
 end
 it "links to user organisation" do
@@ -1626,6 +1635,7 @@ RSpec.describe UsersController, type: :request do
 expect(page).to have_field("user[role]")
 expect(page).to have_field("user[phone]")
 expect(page).to have_field("user[phone_extension]")
+ expect(page).to have_field("user[organisation_id]")
 end
 it "allows setting the role to `support`" do
@@ -1653,6 +1663,7 @@ RSpec.describe UsersController, type: :request do
 expect(page).to have_field("user[role]")
 expect(page).to have_field("user[phone]")
 expect(page).to have_field("user[phone_extension]")
+ expect(page).to have_field("user[organisation_id]")
 end
 end
@@ -1673,6 +1684,7 @@ RSpec.describe UsersController, type: :request do
 expect(page).to have_field("user[role]")
 expect(page).to have_field("user[phone]")
 expect(page).to have_field("user[phone_extension]")
+ expect(page).to have_field("user[organisation_id]")
 end
 end