From 301131179534b4299c1700e56593f290b6ce3d83 Mon Sep 17 00:00:00 2001
From: Jack S <jacopo.scotti@softwire.com>
Date: Tue, 13 Jun 2023 11:23:22 +0100
Subject: [PATCH] Prevent access to bulk upload pages when DPC not signed

---
 .../bulk_upload_lettings_logs_controller.rb         |  7 +++++++
 .../bulk_upload_sales_logs_controller.rb            |  7 +++++++
 .../bulk_upload_lettings_logs_controller_spec.rb    | 13 ++++++++++++-
 .../bulk_upload_sales_logs_controller_spec.rb       | 13 ++++++++++++-
 4 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/app/controllers/bulk_upload_lettings_logs_controller.rb b/app/controllers/bulk_upload_lettings_logs_controller.rb
index 40f898012..1d011dcca 100644
--- a/app/controllers/bulk_upload_lettings_logs_controller.rb
+++ b/app/controllers/bulk_upload_lettings_logs_controller.rb
@@ -1,5 +1,6 @@
 class BulkUploadLettingsLogsController < ApplicationController
   before_action :authenticate_user!
+  before_action :validate_data_protection_agrement_signed!
 
   def start
     if in_crossover_period?
@@ -23,6 +24,12 @@ class BulkUploadLettingsLogsController < ApplicationController
 
 private
 
+  def validate_data_protection_agrement_signed!
+    unless @current_user.organisation.data_protection_confirmed?
+      redirect_to lettings_logs_path
+    end
+  end
+
   def current_year
     FormHandler.instance.current_collection_start_year
   end
diff --git a/app/controllers/bulk_upload_sales_logs_controller.rb b/app/controllers/bulk_upload_sales_logs_controller.rb
index 85be7e96d..aa865f0c7 100644
--- a/app/controllers/bulk_upload_sales_logs_controller.rb
+++ b/app/controllers/bulk_upload_sales_logs_controller.rb
@@ -1,5 +1,6 @@
 class BulkUploadSalesLogsController < ApplicationController
   before_action :authenticate_user!
+  before_action :validate_data_protection_agrement_signed!
 
   def start
     if in_crossover_period?
@@ -23,6 +24,12 @@ class BulkUploadSalesLogsController < ApplicationController
 
 private
 
+  def validate_data_protection_agrement_signed!
+    unless @current_user.organisation.data_protection_confirmed?
+      redirect_to sales_logs_path
+    end
+  end
+
   def current_year
     FormHandler.instance.forms["current_sales"].start_date.year
   end
diff --git a/spec/requests/bulk_upload_lettings_logs_controller_spec.rb b/spec/requests/bulk_upload_lettings_logs_controller_spec.rb
index 7cea42f69..f901cdb7e 100644
--- a/spec/requests/bulk_upload_lettings_logs_controller_spec.rb
+++ b/spec/requests/bulk_upload_lettings_logs_controller_spec.rb
@@ -1,7 +1,7 @@
 require "rails_helper"
 
 RSpec.describe BulkUploadLettingsLogsController, type: :request do
-  let(:user) { FactoryBot.create(:user) }
+  let(:user) { create(:user) }
   let(:organisation) { user.organisation }
 
   before do
@@ -9,6 +9,17 @@ RSpec.describe BulkUploadLettingsLogsController, type: :request do
   end
 
   describe "GET /lettings-logs/bulk-upload-logs/start" do
+    context "when data protection confirmation not signed" do
+      let(:organisation) { create(:organisation, :without_dpc) }
+      let(:user) { create(:user, organisation:) }
+
+      it "redirects to lettings index page" do
+        get "/lettings-logs/bulk-upload-logs/start", params: {}
+
+        expect(response).to redirect_to("/lettings-logs")
+      end
+    end
+
     context "when not in crossover period" do
       let(:expected_year) { 2022 }
 
diff --git a/spec/requests/bulk_upload_sales_logs_controller_spec.rb b/spec/requests/bulk_upload_sales_logs_controller_spec.rb
index 3e2aa5910..3220ff885 100644
--- a/spec/requests/bulk_upload_sales_logs_controller_spec.rb
+++ b/spec/requests/bulk_upload_sales_logs_controller_spec.rb
@@ -1,7 +1,7 @@
 require "rails_helper"
 
 RSpec.describe BulkUploadSalesLogsController, type: :request do
-  let(:user) { FactoryBot.create(:user) }
+  let(:user) { create(:user) }
   let(:organisation) { user.organisation }
 
   before do
@@ -9,6 +9,17 @@ RSpec.describe BulkUploadSalesLogsController, type: :request do
   end
 
   describe "GET /sales-logs/bulk-upload-logs/start" do
+    context "when data protection confirmation not signed" do
+      let(:organisation) { create(:organisation, :without_dpc) }
+      let(:user) { create(:user, organisation:) }
+
+      it "redirects to sales index page" do
+        get "/sales-logs/bulk-upload-logs/start", params: {}
+
+        expect(response).to redirect_to("/sales-logs")
+      end
+    end
+
     context "when not in crossover period" do
       let(:expected_year) { FormHandler.instance.forms["current_sales"].start_date.year }