Update permissions and scheme/location views

3 years ago · 5379893cd6
8 changed files with 91 additions and 14 deletions
--- a/app/controllers/locations_controller.rb
+++ b/app/controllers/locations_controller.rb
@ -225,11 +225,15 @@ private
  end

  def authenticate_action!
-    if %w[create update index new_deactivation deactivate_confirm deactivate postcode local_authority name units type_of_unit mobility_standards availability check_answers].include?(action_name) && !((current_user.organisation == @scheme&.owning_organisation) || current_user.support?)
+    if %w[create update index new_deactivation deactivate_confirm deactivate postcode local_authority name units type_of_unit mobility_standards availability check_answers].include?(action_name) && !user_allowed_action?
      render_not_found and return
    end
  end

+  def user_allowed_action?
+    (current_user.organisation == @scheme&.owning_organisation) || (current_user.organisation.parent_organisations.any? { |org| org == @scheme&.owning_organisation }) || current_user.support?
+  end
+
  def location_params
    required_params = params.require(:location).permit(:postcode, :location_admin_district, :location_code, :name, :units, :type_of_unit, :mobility_type, "startdate(1i)", "startdate(2i)", "startdate(3i)").merge(scheme_id: @scheme.id)
    required_params[:postcode] = PostcodeService.clean(required_params[:postcode]) if required_params[:postcode]
--- a/app/controllers/schemes_controller.rb
+++ b/app/controllers/schemes_controller.rb
@ -265,11 +265,15 @@ private
  def authenticate_scope!
    head :unauthorized and return unless current_user.data_coordinator? || current_user.support?

-    if %w[show locations primary_client_group confirm_secondary_client_group secondary_client_group support details check_answers edit_name deactivate].include?(action_name) && !((current_user.organisation == @scheme&.owning_organisation) || current_user.support?)
+    if %w[show locations primary_client_group confirm_secondary_client_group secondary_client_group support details check_answers edit_name deactivate].include?(action_name) && !user_allowed_action?
      render_not_found and return
    end
  end

+  def user_allowed_action?
+    (current_user.organisation == @scheme&.owning_organisation) || (current_user.organisation.parent_organisations.any? { |org| org == @scheme&.owning_organisation }) || current_user.support?
+  end
+
  def redirect_if_scheme_confirmed
    redirect_to @scheme if @scheme.confirmed?
  end
--- a/app/helpers/locations_helper.rb
+++ b/app/helpers/locations_helper.rb
@ -84,6 +84,10 @@ module LocationsHelper
    end
  end

+  def user_can_edit_scheme?(user, scheme)
+    user.support? || user.organisation == scheme.owning_organisation
+  end
+
 private

  ActivePeriod = Struct.new(:from, :to)
--- a/app/views/locations/index.html.erb
+++ b/app/views/locations/index.html.erb
@ -64,7 +64,9 @@
          <% end %>
        <% end %>
      <% end %>
-      <%= govuk_button_to "Add a location", scheme_locations_path(@scheme), method: "post", secondary: true %>
+      <% if user_can_edit_scheme?(current_user, @scheme) %>
+        <%= govuk_button_to "Add a location", scheme_locations_path(@scheme), method: "post", secondary: true %>
+      <% end %>
    </div>
  </div>

@ -118,7 +120,9 @@
      <% end %>
    <% end %>
  <% end %>
-  <%= govuk_button_to "Add a location", scheme_locations_path(@scheme), method: "post", secondary: true %>
+  <% if user_can_edit_scheme?(current_user, @scheme) %>
+    <%= govuk_button_to "Add a location", scheme_locations_path(@scheme), method: "post", secondary: true %>
+  <% end %>

 <% end %>

--- a/app/views/locations/show.html.erb
+++ b/app/views/locations/show.html.erb
@ -16,12 +16,12 @@
                <%= summary_list.row do |row| %>
                <% row.key { attr[:name] } %>
                <% row.value { attr[:attribute].eql?("status") ? status_tag(attr[:value]) : details_html(attr) } %>
-                <% row.action(text: "Change", href: scheme_location_name_path(@scheme, @location, referrer: "details")) if attr[:attribute] == "name" %>
+                <% row.action(text: "Change", href: scheme_location_name_path(@scheme, @location, referrer: "details")) if attr[:attribute] == "name" && current_user.organisation == @scheme.owning_organisation %>
                <% end %>
            <% end %>
        <% end %>
    </div>
 </div>
-<% if FeatureToggle.location_toggle_enabled? %>
+<% if FeatureToggle.location_toggle_enabled? && user_can_edit_scheme?(current_user, @scheme) %>
    <%= toggle_location_link(@location) %>
 <% end %>
--- a/app/views/schemes/show.html.erb
+++ b/app/views/schemes/show.html.erb
@ -22,7 +22,7 @@
          <%= summary_list.row do |row| %>
            <% row.key { attr[:name] } %>
            <% row.value { details_html(attr) } %>
-            <% row.action(text: "Change", href: scheme_edit_name_path(scheme_id: @scheme.id)) if attr[:edit] %>
+            <% row.action(text: "Change", href: scheme_edit_name_path(scheme_id: @scheme.id)) if attr[:edit] && user_can_edit_scheme?(current_user, @scheme) %>
          <% end %>
        <% end %>
      <% end %>
--- a/spec/requests/locations_controller_spec.rb
+++ b/spec/requests/locations_controller_spec.rb
@ -145,7 +145,7 @@ RSpec.describe LocationsController, type: :request do
        end
      end

-      it "shows locations with correct data wben the new locations layout feature toggle is enabled" do
+      it "shows locations with correct data when the new locations layout feature toggle is enabled" do
        locations.each do |location|
          expect(page).to have_content(location.id)
          expect(page).to have_content(location.postcode)
@ -154,7 +154,7 @@ RSpec.describe LocationsController, type: :request do
        end
      end

-      it "shows locations with correct data wben the new locations layout feature toggle is disabled" do
+      it "shows locations with correct data when the new locations layout feature toggle is disabled" do
        allow(FeatureToggle).to receive(:location_toggle_enabled?).and_return(false)
        get "/schemes/#{scheme.id}/locations"
        locations.each do |location|
@ -248,6 +248,30 @@ RSpec.describe LocationsController, type: :request do
          expect(page).to have_title(expected_title)
        end
      end
+
+      context "when coordinator attempts to see scheme belonging to a parent organisation" do
+        let(:parent_organisation) { FactoryBot.create(:organisation) }
+        let!(:scheme) { FactoryBot.create(:scheme, owning_organisation: parent_organisation) }
+        let!(:locations) { FactoryBot.create_list(:location, 3, scheme:, startdate: Time.zone.local(2022, 4, 1)) }
+
+        before do
+          create(:organisation_relationship, parent_organisation:, child_organisation: user.organisation)
+          get "/schemes/#{scheme.id}/locations"
+        end
+
+        it "shows all the locations" do
+          locations.each do |location|
+            expect(page).to have_content(location.id)
+            expect(page).to have_content(location.postcode)
+            expect(page).to have_content(location.name)
+            expect(page).to have_content(location.status)
+          end
+        end
+
+        it "does not allow adding new locations" do
+          expect(page).not_to have_button("Add a location")
+        end
+      end
    end

    context "when signed in as a support user" do
@ -261,16 +285,17 @@ RSpec.describe LocationsController, type: :request do
        get "/schemes/#{scheme.id}/locations"
      end

-      it "shows locations with correct data wben the new locations layout feature toggle is enabled" do
+      it "shows locations with correct data when the new locations layout feature toggle is enabled" do
        locations.each do |location|
          expect(page).to have_content(location.id)
          expect(page).to have_content(location.postcode)
          expect(page).to have_content(location.name)
          expect(page).to have_content(location.status)
        end
+        expect(page).to have_button("Add a location")
      end

-      it "shows locations with correct data wben the new locations layout feature toggle is disabled" do
+      it "shows locations with correct data when the new locations layout feature toggle is disabled" do
        allow(FeatureToggle).to receive(:location_toggle_enabled?).and_return(false)
        get "/schemes/#{scheme.id}/locations"
        locations.each do |location|
@ -1677,6 +1702,27 @@ RSpec.describe LocationsController, type: :request do
          expect(page).not_to have_link("Deactivate this location")
        end
      end
+
+      context "and are viewing their parent organisation's location" do
+        let(:parent_organisation) { FactoryBot.create(:organisation) }
+        let!(:scheme) { FactoryBot.create(:scheme, owning_organisation: parent_organisation) }
+        let!(:location) { FactoryBot.create(:location, scheme:) }
+        let(:add_deactivations) {}
+
+        before do
+          create(:organisation_relationship, parent_organisation:, child_organisation: user.organisation)
+        end
+
+        it "shows the location" do
+          expect(page).to have_content("Location name")
+          expect(page).to have_content(location.name)
+        end
+
+        it "does not allow editing the location" do
+          expect(page).not_to have_link("Change")
+          expect(page).not_to have_link("Deactivate this location", href: "/schemes/#{scheme.id}/locations/#{location.id}/new-deactivation")
+        end
+      end
    end
  end

--- a/spec/requests/schemes_controller_spec.rb
+++ b/spec/requests/schemes_controller_spec.rb
@ -233,9 +233,6 @@ RSpec.describe SchemesController, type: :request do
        expect(page).to have_content(specific_scheme.id_to_display)
        expect(page).to have_content(specific_scheme.service_name)
        expect(page).to have_content(specific_scheme.sensitive)
-        expect(page).to have_content(specific_scheme.id_to_display)
-        expect(page).to have_content(specific_scheme.service_name)
-        expect(page).to have_content(specific_scheme.sensitive)
        expect(page).to have_content(specific_scheme.scheme_type)
        expect(page).to have_content(specific_scheme.registered_under_care_act)
        expect(page).to have_content(specific_scheme.primary_client_group)
@ -306,6 +303,24 @@ RSpec.describe SchemesController, type: :request do
          end
        end
      end
+
+      context "when coordinator attempts to see scheme belonging to a parent organisation" do
+        let(:parent_organisation) { FactoryBot.create(:organisation) }
+        let!(:specific_scheme) { FactoryBot.create(:scheme, owning_organisation: parent_organisation) }
+
+        before do
+          create(:organisation_relationship, parent_organisation:, child_organisation: user.organisation)
+          get "/schemes/#{specific_scheme.id}"
+        end
+
+        it "shows the scheme" do
+          expect(page).to have_content(specific_scheme.id_to_display)
+        end
+
+        it "does not allow editing the scheme" do
+          expect(page).not_to have_link("Change")
+        end
+      end
    end

    context "when signed in as a support user" do