CLDC-4332: Check that a support user can only be in certain orgs

3 weeks ago · f70e63c429
4 changed files with 35 additions and 2 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -221,8 +221,14 @@ private
      @user.errors.add :phone
    end

-    if user_params.key?(:organisation_id) && user_params[:organisation_id].blank?
-      @user.errors.add :organisation_id, :blank
+    if user_params.key?(:organisation_id)
+      if user_params[:organisation_id].blank?
+        @user.errors.add :organisation_id, :blank
+      elsif !@user.role_is_allowed_to_be_in_organisation?(override_organisation_id: user_params[:organisation_id].to_i)
+        # this will also be flagged by the validation in user.rb.
+        # for convenience we show the error early before they go through the change org flow (involves reassigning logs).
+        @user.errors.add :organisation_id, I18n.t("validations.user.support_user_in_wrong_organisation.change_organisation")
+      end
    end
  end

--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -25,6 +25,7 @@ class User < ApplicationRecord

  validates :organisation_id, presence: true
  validate :organisation_not_merged
+  validate :support_user_is_in_correct_organisation

  has_paper_trail ignore: %w[last_sign_in_at
                             current_sign_in_at
@ -390,6 +391,11 @@ class User < ApplicationRecord
    end
  end

+  def role_is_allowed_to_be_in_organisation?(override_organisation_id: nil)
+    return true unless support? && FeatureToggle.support_organisation_allow_list.present?
+    FeatureToggle.support_organisation_allow_list.include?(override_organisation_id || organisation_id)
+  end
+
 protected

  # Checks whether a password is needed or not. For validations only.
@ -407,6 +413,16 @@ private
    end
  end

+  def support_user_is_in_correct_organisation
+    return if role_is_allowed_to_be_in_organisation?
+
+    if role_changed?
+      errors.add :organisation_id, I18n.t("validations.user.support_user_in_wrong_organisation.change_role")
+    else
+      errors.add :organisation_id, I18n.t("validations.user.support_user_in_wrong_organisation.change_organisation")
+    end
+  end
+
  def send_data_protection_confirmation_reminder
    return unless persisted?
    return unless is_dpo?
--- a/app/services/feature_toggle.rb
+++ b/app/services/feature_toggle.rb
@ -34,4 +34,11 @@ class FeatureToggle
  def self.sales_export_enabled?
    Time.zone.now >= Time.zone.local(2025, 4, 1) || (Rails.env.review? || Rails.env.staging?)
  end
+
+  # IDs of organisations a user must be in to be allowed the support role
+  # if nil this feature will be disabled
+  def self.support_organisation_allow_list
+    return [1] if Rails.env.production?
+    return [1] if Rails.env.development?
+  end
 end
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -260,6 +260,10 @@ en:
      blank: "Enter an email address."
    role:
      invalid: "Role must be data accessor, data provider or data coordinator."
+    user:
+      support_user_in_wrong_organisation:
+        change_role: "You cannot create a support account type for a user in this organisation. Support accounts should only be created for MHCLG and contractor staff as they are administrator level accounts with access to all organisations' data. Any support accounts for housing organisations would be a data protection breach."
+        change_organisation: "You cannot move a user with a support account to a non-MHCLG organisation. If you need to move the user, change their role type to data coordinator or data provider."

    setup:
      saledate: