From e4513abba99f72ecc1862b407745cc27127a618d Mon Sep 17 00:00:00 2001
From: Kat
Date: Mon, 23 Sep 2024 15:48:52 +0100
Subject: [PATCH] Allow some users to update to accounts all roles on staging
---
 app/models/user.rb | 4 ++
 config/credentials.yml.enc | 2 +-
 spec/models/user_spec.rb | 81 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 86 insertions(+), 1 deletion(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 0a26a254b..aa9b5a507 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -207,6 +207,10 @@ class User < ApplicationRecord
 end
 def assignable_roles
+ if Rails.env.staging? && Rails.application.credentials[:staging_role_update_email_allowlist].include?(email.split("@").last.downcase)
+ return ROLES
+ end
+
 return {} unless data_coordinator? || support?
 return ROLES if support?
diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc
index c9d564782..9cd4bba71 100644
--- a/config/credentials.yml.enc
+++ b/config/credentials.yml.enc
@@ -1 +1 @@
-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--rZ41rY9TMXmiBUJw--QiLRVNVXZzTW446s7cec1g==
\ No newline at end of file
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--ziMOTnYBB5TDyXYU--3FJMs8e6R8lheqcqB8p8uQ==
\ No newline at end of file
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 5cb6cb580..53d937554 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
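Review bot: In `assignable_roles` (app/models/user.rb) the new guard calls `.include?` directly on `Rails.application.credentials[:staging_role_update_email_allowlist]`, which is nil when the key is missing, so on staging every call would raise NoMethodError instead of falling through to the role checks; `Array(Rails.application.credentials[:staging_role_update_email_allowlist]).include?(...)` fails closed. The comparison is on the email domain only (`email.split("@").last.downcase`) although the key is named an email allowlist, so every account on a listed domain, a data provider included, is offered all of `ROLES` with `support` among them. Whether users on staging can set or change their own address without confirmation is not visible here, but if they can, the domain check is the only thing between an ordinary account and the support role, and that is worth confirming before merge. A comment on the guard such as `# Staging only: accounts on an allowlisted email domain bypass the role checks below` would record the intent. The method body continues past the end of the hunk.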
@@ -243,6 +243,87 @@ RSpec.describe User, type: :model do
 expect(user.need_two_factor_authentication?(nil)).to be false
 end
 end
+
+ context "when the user is in staging environment" do
+ before do
+ allow(Rails.env).to receive(:staging?).and_return(true)
+ end
+
+ context "and the user is not in the staging role update email allowlist" do
+ context "when the user is a data provider" do
+ let(:user) { create(:user, :data_provider) }
+
+ it "cannot assign roles" do
+ expect(user.assignable_roles).to eq({})
+ end
+ end
+
+ context "when the user is a data coordinator" do
+ let(:user) { create(:user, :data_coordinator) }
+
+ it "can assign all roles except support" do
+ expect(user.assignable_roles).to eq({
+ data_provider: 1,
+ data_coordinator: 2,
+ })
+ end
+ end
+
+ context "when the user is a Support user" do
+ let(:user) { create(:user, :support) }
+
+ it "can assign all roles" do
+ expect(user.assignable_roles).to eq({
+ data_provider: 1,
+ data_coordinator: 2,
+ support: 99,
+ })
+ end
+ end
+ end
+
+ context "and the user is in the staging role update email allowlist" do
+ before do
+ allow(Rails.application.credentials).to receive(:[]).with(:staging_role_update_email_allowlist).and_return(["example.com"])
+ end
+
+ context "when the user is a data provider" do
+ let(:user) { create(:user, :data_provider) }
+
+ it "can assign all roles" do
+ expect(user.assignable_roles).to eq({
+ data_provider: 1,
+ data_coordinator: 2,
+ support: 99,
+ })
+ end
+ end
+
+ context "when the user is a data coordinator" do
+ let(:user) { create(:user, :data_coordinator) }
+
+ it "can assign all roles" do
+ expect(user.assignable_roles).to eq({
+ data_provider: 1,
+ data_coordinator: 2,
+ support: 99,
+ })
+ end
+ end
+
+ context "when the user is a Support user" do
+ let(:user) { create(:user, :support) }
+
+ it "can assign all roles" do
+ expect(user.assignable_roles).to eq({
+ data_provider: 1,
+ data_coordinator: 2,
+ support: 99,
+ })
+ end
+ end
+ end
+ end
 end
 describe "paper trail" do
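Review bot: The three examples under "and the user is not in the staging role update email allowlist" never stub `Rails.application.credentials`, so with `staging?` forced to true they read the real encrypted file and depend on the test run being able to decrypt it and on the factory email domain not being listed. Adding `allow(Rails.application.credentials).to receive(:[]).with(:staging_role_update_email_allowlist).and_return([])` in a `before` for that context would make them self-contained. The case that matters most for this bypass is also missing: an example with `staging?` returning false and the allowlist containing the user's domain, expecting a data provider to get `{}`, would pin that the shortcut cannot apply outside staging. An example with the credential key absent (stub returning nil) would document the intended behaviour there as well.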