
Only data coordinators can change role, dpo, keycontact

pull/435/head
baarkerlounger 3 years ago
parent
commit
25b3cae0e9
  1. 12
      app/controllers/users_controller.rb
  2. 2
      app/views/users/edit.html.erb
  3. 2
      app/views/users/new.html.erb
  4. 8
      app/views/users/show.html.erb
  5. 33
      spec/features/user_spec.rb
  6. 35
      spec/requests/users_controller_spec.rb

12
app/controllers/users_controller.rb

@ -3,7 +3,7 @@ class UsersController < ApplicationController
include Helpers::Email include Helpers::Email
before_action :authenticate_user! before_action :authenticate_user!
before_action :find_resource, except: %i[new create] before_action :find_resource, except: %i[new create]
before_action :authenticate_scope!, except: %i[new create] before_action :authenticate_scope!, except: %i[new]
def update def update
if @user.update(user_params) if @user.update(user_params)
@ -76,8 +76,12 @@ private
def user_params def user_params
if @user == current_user if @user == current_user
if current_user.data_coordinator?
params.require(:user).permit(:email, :name, :password, :password_confirmation, :role, :is_dpo, :is_key_contact) params.require(:user).permit(:email, :name, :password, :password_confirmation, :role, :is_dpo, :is_key_contact)
else else
params.require(:user).permit(:email, :name, :password, :password_confirmation)
end
elsif current_user.data_coordinator?
params.require(:user).permit(:email, :name, :role, :is_dpo, :is_key_contact) params.require(:user).permit(:email, :name, :role, :is_dpo, :is_key_contact)
end end
end end
@ -87,8 +91,12 @@ private
end end
def authenticate_scope! def authenticate_scope!
if action_name == "create"
head :unauthorized and return unless current_user.data_coordinator?
else
render_not_found and return unless current_user.organisation == @user.organisation render_not_found and return unless current_user.organisation == @user.organisation
render_not_found and return if action_name == "edit_password" && current_user != @user render_not_found and return if action_name == "edit_password" && current_user != @user
render_not_found and return unless current_user.role == "data_coordinator" || current_user == @user render_not_found and return unless current_user.data_coordinator? || current_user == @user
end
end end
end end
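Review bot: `new` is still excluded from `authenticate_scope!` on the `before_action` line, so any signed-in user can render the invite form even though `create` now refuses non-coordinators; gating both keeps the page and the endpoint consistent. I would drop the `except:` and branch on `if %w[new create].include?(action_name)` inside `authenticate_scope!` (`find_resource` already skips both actions, so `@user` is not needed on that path). Separately, `head :unauthorized` is the wrong status for a user who has already passed `authenticate_user!` — this is an authorisation failure, so `head :forbidden` is the semantic choice, or `render_not_found` for consistency with the other branches of this method. Note also that `user_params` returns nil when a non-coordinator reaches another user's record, which only `authenticate_scope!` prevents; that is acceptable as long as the two methods stay in sync. The enclosing class continues outside the hunk.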

2
app/views/users/edit.html.erb

@ -26,6 +26,7 @@
spellcheck: "false" spellcheck: "false"
%> %>
<% if current_user.data_coordinator? %>
<%= f.govuk_collection_radio_buttons :is_dpo, <%= f.govuk_collection_radio_buttons :is_dpo,
[OpenStruct.new(id: false, name: "No"), OpenStruct.new(id: true, name: "Yes")], [OpenStruct.new(id: false, name: "No"), OpenStruct.new(id: true, name: "Yes")],
:id, :id,
@ -41,6 +42,7 @@
inline: true, inline: true,
legend: { text: "Are #{current_user == @user ? "you" : "they"} a key contact?", size: "m" } legend: { text: "Are #{current_user == @user ? "you" : "they"} a key contact?", size: "m" }
%> %>
<% end %>
<%= f.govuk_submit "Save changes" %> <%= f.govuk_submit "Save changes" %>
</div> </div>

2
app/views/users/new.html.erb

@ -31,6 +31,7 @@
f.govuk_collection_radio_buttons :role, roles, :id, :name, legend: { text: "Role", size: "m" } f.govuk_collection_radio_buttons :role, roles, :id, :name, legend: { text: "Role", size: "m" }
%> %>
<% if current_user.data_coordinator? %>
<%= f.govuk_collection_radio_buttons :is_dpo, <%= f.govuk_collection_radio_buttons :is_dpo,
[OpenStruct.new(id: false, name: "No"), OpenStruct.new(id: true, name: "Yes")], [OpenStruct.new(id: false, name: "No"), OpenStruct.new(id: true, name: "Yes")],
:id, :id,
@ -46,6 +47,7 @@
inline: true, inline: true,
legend: { text: "Are #{current_user == @user ? "you" : "they"} a key contact?", size: "m" } legend: { text: "Are #{current_user == @user ? "you" : "they"} a key contact?", size: "m" }
%> %>
<% end %>
<%= f.govuk_submit "Continue" %> <%= f.govuk_submit "Continue" %>
</div> </div>
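Review bot: The `Role` radio buttons at the top of the hunk remain outside the new `<% if current_user.data_coordinator? %>` guard, although the commit title says role is coordinator-only as well; moving the opening `<% if %>` above the `f.govuk_collection_radio_buttons :role, roles, ...` line keeps the form consistent with the dpo and key-contact fields. The template check is only a presentation nicety — whether a data provider can actually submit `role`, `is_dpo` or `is_key_contact` is decided by the controller's permit list, which this hunk cannot show. On a new-user form `@user` is presumably a fresh record, so the `current_user == @user ? "you" : "they"` ternary in the legend looks like it always yields "they"; that appears pre-existing and could be simplified separately.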

8
app/views/users/show.html.erb

@ -48,13 +48,21 @@
<%= summary_list.row do |row| <%= summary_list.row do |row|
row.key { 'Data protection officer' } row.key { 'Data protection officer' }
row.value { @user.is_data_protection_officer? ? "Yes" : "No" } row.value { @user.is_data_protection_officer? ? "Yes" : "No" }
if current_user.data_coordinator?
row.action(visually_hidden_text: "are #{current_user == @user ? "you" : "they"} a data protection officer?", href: edit_user_path, html_attributes: { "data-qa": "change-are-#{current_user == @user ? "you" : "they"}-a-data-protection-officer" }) row.action(visually_hidden_text: "are #{current_user == @user ? "you" : "they"} a data protection officer?", href: edit_user_path, html_attributes: { "data-qa": "change-are-#{current_user == @user ? "you" : "they"}-a-data-protection-officer" })
else
row.action()
end
end %> end %>
<%= summary_list.row do |row| <%= summary_list.row do |row|
row.key { 'Key contact' } row.key { 'Key contact' }
row.value { @user.is_key_contact? ? "Yes" : "No" } row.value { @user.is_key_contact? ? "Yes" : "No" }
if current_user.data_coordinator?
row.action(visually_hidden_text: "are #{current_user == @user ? "you" : "they"} a key contact?", href: edit_user_path, html_attributes: { "data-qa": "change-are-#{current_user == @user ? "you" : "they"}-a-key-contact" }) row.action(visually_hidden_text: "are #{current_user == @user ? "you" : "they"} a key contact?", href: edit_user_path, html_attributes: { "data-qa": "change-are-#{current_user == @user ? "you" : "they"}-a-key-contact" })
else
row.action()
end
end %> end %>
<% end %> <% end %>
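Review bot: The `if current_user.data_coordinator?` / `row.action()` branching is duplicated verbatim for the two rows, and `row.action()` with empty parentheses is unidiomatic Ruby. If the empty call is deliberate (to keep the summary-list actions column rendered and aligned for non-coordinators), a one-line comment such as `<%# empty action keeps the column layout when there is no change link %>` would save the next reader a guess; otherwise `row.action` alone reads cleaner. A small view helper taking the row, the hidden text and the `data-qa` suffix would remove the duplication between the two rows.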
</div> </div>

33
spec/features/user_spec.rb

@ -172,6 +172,32 @@ RSpec.describe "User Features" do
end end
end end
context "when signed in as a data provider" do
context "when viewing your account" do
before do
visit("/logs")
fill_in("user[email]", with: user.email)
fill_in("user[password]", with: "pAssword1")
click_button("Sign in")
end
it "does not have change links for dpo and key contact" do
visit("/users/#{user.id}")
expect(page).not_to have_selector('[data-qa="change-are-you-a-data-protection-officer"]')
expect(page).not_to have_selector('[data-qa="change-are-you-a-key-contact"]')
end
it "does not have dpo and key contact as editable fields" do
visit("/users/#{user.id}/edit")
expect(page).not_to have_field("user[is_dpo]")
expect(page).not_to have_field("user[is_key_contact]")
end
end
end
context "when signed in as a data coordinator" do
let!(:user) { FactoryBot.create(:user, :data_coordinator, last_sign_in_at: Time.zone.now) }
context "when viewing your account" do context "when viewing your account" do
before do before do
visit("/logs") visit("/logs")
@ -206,6 +232,12 @@ RSpec.describe "User Features" do
expect(page).to have_current_path("/users/#{user.id}") expect(page).to have_current_path("/users/#{user.id}")
expect(page).to have_content("Test New") expect(page).to have_content("Test New")
end end
it "has dpo and key contact as editable fields" do
visit("/users/#{user.id}")
expect(page).to have_selector('[data-qa="change-are-you-a-data-protection-officer"]')
expect(page).to have_selector('[data-qa="change-are-you-a-key-contact"]')
end
end end
context "when adding a new user" do context "when adding a new user" do
@ -291,4 +323,5 @@ RSpec.describe "User Features" do
)).to be_a(User) )).to be_a(User)
end end
end end
end
end end
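Review bot: The sign-in steps in the new data-provider `before` block (visit `/logs`, fill in email and password, click "Sign in") repeat the block a few lines below in the data-coordinator context; a helper defined once in this spec, e.g. `def sign_in_as(user)`, called as `before { sign_in_as(user) }`, would make both contexts one line each. The examples assert the absence of the `data-qa` hooks and of the `user[is_dpo]` / `user[is_key_contact]` fields, which is the right shape for a negative UI test, but they check rendering only — the request spec is where the permit list is actually exercised. The `user` referenced in the provider context comes from a `let` outside the hunk, so I am assuming it is created as a data provider.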

35
spec/requests/users_controller_spec.rb

@ -213,11 +213,11 @@ RSpec.describe UsersController, type: :request do
context "when user changes email, dpo, key_contact" do context "when user changes email, dpo, key_contact" do
let(:params) { { id: user.id, user: { name: new_name, email: new_email, is_dpo: "true", is_key_contact: "true" } } } let(:params) { { id: user.id, user: { name: new_name, email: new_email, is_dpo: "true", is_key_contact: "true" } } }
it "allows changing email and dpo" do it "allows changing email but not dpo or key_contact" do
user.reload user.reload
expect(user.email).to eq(new_email) expect(user.email).to eq(new_email)
expect(user.is_data_protection_officer?).to be true expect(user.is_data_protection_officer?).to be false
expect(user.is_key_contact?).to be true expect(user.is_key_contact?).to be false
end end
end end
end end
@ -266,6 +266,32 @@ RSpec.describe UsersController, type: :request do
end end
end end
end end
describe "#create" do
let(:params) do
{
"user": {
name: "new user",
email: "new_user@example.com",
role: "data_coordinator",
},
}
end
let(:request) { post "/users/", headers: headers, params: params }
before do
sign_in user
end
it "does not invite a new user" do
expect { request }.not_to change(User, :count)
end
it "returns 401 unauthorized" do
request
expect(response).to have_http_status(:unauthorized)
end
end
end end
context "when user is signed in as a data coordinator" do context "when user is signed in as a data coordinator" do
@ -513,9 +539,9 @@ RSpec.describe UsersController, type: :request do
end end
end end
end end
end
describe "#create" do describe "#create" do
let(:user) { FactoryBot.create(:user, :data_coordinator) }
let(:params) do let(:params) do
{ {
"user": { "user": {
@ -552,6 +578,7 @@ RSpec.describe UsersController, type: :request do
end end
end end
end end
end
describe "title link" do describe "title link" do
before do before do
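Review bot: The new `#create` example for a data provider pins `have_http_status(:unauthorized)`, which cements a misleading status: the user is signed in (`sign_in user` in the `before`), so the refusal is an authorisation failure and `:forbidden` — or `:not_found`, matching the `render_not_found` used for the other actions — is the status to assert once the controller is adjusted. The same context has no example for `get "/users/new"`, which the controller still serves to any signed-in user; an example such as `it "does not render the invite form"` would pin the intended access rule. The `describe "title link"` block at the end of the hunk continues outside SOURCE.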
