From 42caef617b0b56c304c9b5464f1b1426b0037c95 Mon Sep 17 00:00:00 2001 From: Kat Date: Tue, 5 Mar 2024 13:23:53 +0000 Subject: [PATCH] Update user policy --- app/policies/user_policy.rb | 21 ++++- spec/policies/user_policy_spec.rb | 119 +++++++++++++++++++++++++ spec/requests/users_controller_spec.rb | 2 + 3 files changed, 140 insertions(+), 2 deletions(-) diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index ea919512d..eb747266d 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb @@ -35,10 +35,27 @@ class UserPolicy end def delete_confirmation? - current_user.support? + delete? end def delete? - current_user.support? && user.status == :deactivated + return false unless current_user.support? + return false unless user.status == :deactivated + + !has_any_logs_in_editable_collection_period && !has_signed_data_protection_agreement? + end + +private + + def has_any_logs_in_editable_collection_period + editable_from_date = FormHandler.instance.earliest_open_for_editing_collection_start_date + + LettingsLog.where(created_by_id: user.id).after_date(editable_from_date).or(LettingsLog.where(startdate: nil, created_by_id: user.id)).any? + end + + def has_signed_data_protection_agreement? + return false unless user.is_dpo? && user.organisation.data_protection_confirmed? + + user.organisation.data_protection_confirmation.data_protection_officer == user end end diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb index ec84fbceb..1964f2c3a 100644 --- a/spec/policies/user_policy_spec.rb +++ b/spec/policies/user_policy_spec.rb @@ -99,5 +99,124 @@ RSpec.describe UserPolicy do expect(policy).to permit(support, data_provider) end end + + permissions :delete? do + context "with active user" do + let(:user) { create(:user, last_sign_in_at: Time.zone.yesterday) } + + it "does not allow deleting a user as a provider" do + expect(user.status).to eq(:active) + expect(policy).not_to permit(data_provider, user) + end + + it "does not allow allows deleting a user as a coordinator" do + expect(policy).not_to permit(data_coordinator, user) + end + + it "does not allow deleting a user as a support user" do + expect(policy).not_to permit(support, user) + end + end + + context "with unconfirmed user" do + let(:user) { create(:user, last_sign_in_at: nil) } + + it "does not allow deleting a user as a provider" do + expect(user.status).to eq(:unconfirmed) + expect(policy).not_to permit(data_provider, user) + end + + it "does not allow allows deleting a user as a coordinator" do + expect(policy).not_to permit(data_coordinator, user) + end + + it "does not allow deleting a user as a support user" do + expect(policy).not_to permit(support, user) + end + end + + context "with deactivated user" do + let(:user) { create(:user, active: false) } + + before do + Timecop.freeze(Time.utc(2024, 4, 10)) + log = create(:lettings_log, owning_organisation: user.organisation, created_by: user) + log.startdate = Time.zone.local(2022, 10, 10) + log.save!(validate: false) + end + + after do + Timecop.unfreeze + end + + context "and associated logs in editable collection period" do + before do + create(:lettings_log, :sh, owning_organisation: user.organisation, created_by: user, startdate: Time.zone.local(2024, 4, 9)) + end + + it "does not allow deleting a user as a provider" do + expect(policy).not_to permit(data_provider, user) + end + + it "does not allow allows deleting a user as a coordinator" do + expect(policy).not_to permit(data_coordinator, user) + end + + it "does not allow deleting a user as a support user" do + expect(policy).not_to permit(support, user) + end + end + + context "and no associated logs in editable collection period" do + it "does not allow deleting a user as a provider" do + expect(policy).not_to permit(data_provider, user) + end + + it "does not allow allows deleting a user as a coordinator" do + expect(policy).not_to permit(data_coordinator, user) + end + + it "allows deleting a user as a support user" do + expect(policy).to permit(support, user) + end + end + + context "and user is the DPO that has signed the agreement" do + let(:user) { create(:user, active: false, is_dpo: true) } + + before do + user.organisation.data_protection_confirmation.update!(data_protection_officer: user) + end + + it "does not allow deleting a user as a provider" do + expect(policy).not_to permit(data_provider, user) + end + + it "does not allow allows deleting a user as a coordinator" do + expect(policy).not_to permit(data_coordinator, user) + end + + it "does not allow deleting a user as a support user" do + expect(policy).not_to permit(support, user) + end + end + + context "and user is the DPO that hasn't signed the agreement" do + let(:user) { create(:user, active: false, is_dpo: true) } + + it "does not allow deleting a user as a provider" do + expect(policy).not_to permit(data_provider, user) + end + + it "does not allow allows deleting a user as a coordinator" do + expect(policy).not_to permit(data_coordinator, user) + end + + it "allows deleting a user as a support user" do + expect(policy).to permit(support, user) + end + end + end + end end # rubocop:enable RSpec/RepeatedExample diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb index 799ec3dac..9afcdc727 100644 --- a/spec/requests/users_controller_spec.rb +++ b/spec/requests/users_controller_spec.rb @@ -2015,6 +2015,8 @@ RSpec.describe UsersController, type: :request do end describe "#delete-confirmation" do + let(:other_user) { create(:user, active: false) } + before do get "/users/#{other_user.id}/delete-confirmation" end