
Update user policy

pull/2288/head
Kat 2 years ago
parent
commit
42caef617b
  1. 21
      app/policies/user_policy.rb
  2. 119
      spec/policies/user_policy_spec.rb
  3. 2
      spec/requests/users_controller_spec.rb

21
app/policies/user_policy.rb

@ -35,10 +35,27 @@ class UserPolicy
end
def delete_confirmation?
current_user.support?
delete?
end
def delete?
current_user.support? && user.status == :deactivated
return false unless current_user.support?
return false unless user.status == :deactivated
!has_any_logs_in_editable_collection_period && !has_signed_data_protection_agreement?
end
private
def has_any_logs_in_editable_collection_period
editable_from_date = FormHandler.instance.earliest_open_for_editing_collection_start_date
LettingsLog.where(created_by_id: user.id).after_date(editable_from_date).or(LettingsLog.where(startdate: nil, created_by_id: user.id)).any?
end
def has_signed_data_protection_agreement?
return false unless user.is_dpo? && user.organisation.data_protection_confirmed?
user.organisation.data_protection_confirmation.data_protection_officer == user
end
end
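Review bot: The new private predicate `has_any_logs_in_editable_collection_period` returns a boolean but lacks the trailing `?`, while its sibling `has_signed_data_protection_agreement?` on the next method has one, so the negated conjunction in `delete?` reads inconsistently; renaming it to `logs_in_editable_collection_period?` (and the call site to `!logs_in_editable_collection_period?`) also drops the `has_` prefix the style guide discourages. In `has_signed_data_protection_agreement?` the guard only checks `data_protection_confirmed?` before dereferencing `user.organisation.data_protection_confirmation.data_protection_officer`; if the confirmation record can be absent while that flag is true this will raise rather than deny, which is worth confirming against the model. The deletion gate consults only `LettingsLog`; if the application tracks other user-created log types, they would not block deletion here. `UserPolicy` opens before this hunk, so the public methods above `delete_confirmation?` are not visible.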

119
spec/policies/user_policy_spec.rb

@ -99,5 +99,124 @@ RSpec.describe UserPolicy do
expect(policy).to permit(support, data_provider)
end
end
permissions :delete? do
context "with active user" do
let(:user) { create(:user, last_sign_in_at: Time.zone.yesterday) }
it "does not allow deleting a user as a provider" do
expect(user.status).to eq(:active)
expect(policy).not_to permit(data_provider, user)
end
it "does not allow allows deleting a user as a coordinator" do
expect(policy).not_to permit(data_coordinator, user)
end
it "does not allow deleting a user as a support user" do
expect(policy).not_to permit(support, user)
end
end
context "with unconfirmed user" do
let(:user) { create(:user, last_sign_in_at: nil) }
it "does not allow deleting a user as a provider" do
expect(user.status).to eq(:unconfirmed)
expect(policy).not_to permit(data_provider, user)
end
it "does not allow allows deleting a user as a coordinator" do
expect(policy).not_to permit(data_coordinator, user)
end
it "does not allow deleting a user as a support user" do
expect(policy).not_to permit(support, user)
end
end
context "with deactivated user" do
let(:user) { create(:user, active: false) }
before do
Timecop.freeze(Time.utc(2024, 4, 10))
log = create(:lettings_log, owning_organisation: user.organisation, created_by: user)
log.startdate = Time.zone.local(2022, 10, 10)
log.save!(validate: false)
end
after do
Timecop.unfreeze
end
context "and associated logs in editable collection period" do
before do
create(:lettings_log, :sh, owning_organisation: user.organisation, created_by: user, startdate: Time.zone.local(2024, 4, 9))
end
it "does not allow deleting a user as a provider" do
expect(policy).not_to permit(data_provider, user)
end
it "does not allow allows deleting a user as a coordinator" do
expect(policy).not_to permit(data_coordinator, user)
end
it "does not allow deleting a user as a support user" do
expect(policy).not_to permit(support, user)
end
end
context "and no associated logs in editable collection period" do
it "does not allow deleting a user as a provider" do
expect(policy).not_to permit(data_provider, user)
end
it "does not allow allows deleting a user as a coordinator" do
expect(policy).not_to permit(data_coordinator, user)
end
it "allows deleting a user as a support user" do
expect(policy).to permit(support, user)
end
end
context "and user is the DPO that has signed the agreement" do
let(:user) { create(:user, active: false, is_dpo: true) }
before do
user.organisation.data_protection_confirmation.update!(data_protection_officer: user)
end
it "does not allow deleting a user as a provider" do
expect(policy).not_to permit(data_provider, user)
end
it "does not allow allows deleting a user as a coordinator" do
expect(policy).not_to permit(data_coordinator, user)
end
it "does not allow deleting a user as a support user" do
expect(policy).not_to permit(support, user)
end
end
context "and user is the DPO that hasn't signed the agreement" do
let(:user) { create(:user, active: false, is_dpo: true) }
it "does not allow deleting a user as a provider" do
expect(policy).not_to permit(data_provider, user)
end
it "does not allow allows deleting a user as a coordinator" do
expect(policy).not_to permit(data_coordinator, user)
end
it "allows deleting a user as a support user" do
expect(policy).to permit(support, user)
end
end
end
end
end
# rubocop:enable RSpec/RepeatedExample
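Review bot: The example description `"does not allow allows deleting a user as a coordinator"` is garbled and is repeated in every context of the new `permissions :delete?` block (the coordinator examples in the active, unconfirmed, and each deactivated sub-context); it should read `it "does not allow deleting a user as a coordinator" do`. In the "and user is the DPO that has signed the agreement" and "hasn't signed" contexts the inner `let(:user)` shadows the outer one, so the outer `before` creates its 2022 log for the DPO user; that looks intended but a short comment on the inner `let` stating that the outer log fixture still applies would make the setup easier to follow. The trailing `# rubocop:enable RSpec/RepeatedExample` suggests the matching disable sits above this hunk, outside the visible lines.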

2
spec/requests/users_controller_spec.rb

@ -2015,6 +2015,8 @@ RSpec.describe UsersController, type: :request do
end
describe "#delete-confirmation" do
let(:other_user) { create(:user, active: false) }
before do
get "/users/#{other_user.id}/delete-confirmation"
end
