CLDC-3639 Allow some users to update to accounts all roles on staging (#2656)

* Allow some users to update to accounts all roles on staging * Add tests for non staging environement
4 months ago · 2786653641
3 changed files with 127 additions and 1 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -207,6 +207,10 @@ class User < ApplicationRecord
  end

  def assignable_roles
+    if Rails.env.staging? && Rails.application.credentials[:staging_role_update_email_allowlist].include?(email.split("@").last.downcase)
+      return ROLES
+    end
+
    return {} unless data_coordinator? || support?
    return ROLES if support?

--- a/config/credentials.yml.enc
+++ b/config/credentials.yml.enc
@ -1 +1 @@
-EZNV2LiNWzf52erbQ41Dz3Bh+2f3Uih8liEyhXp5XzHCLzAbmN6/IJqr7b9cTZiCiroFo4n/dFoG3yYrospp3frKsDXxF1K2/MTCJWjpgnn7wc+HiPQWG0W3HRtQCNkyyrHes0YKcYyDWIP6kztYv1I/Me3p0pGEx6t3CpSTg1v46eRnOlDWiUz3rVxPauwq9IYZ75gmnThqvg/Z8wcYsWLx0arago0SXtRPASCNj4uO/lbqTcAfyIXOTSiOlcAIjoPFRSQY7UqY0o2p8jRR/1L16SmGDsk8ijm+UygNmMexa3Khy5WcKctpQICakHs4NRjHNflqgXpXKL9dVBmNc9d7h+gbhbGJQ53Y0d+a35UbhPRMiv4SRH98FwB+WEsLCDdGSHvdmM6ArfOLljTrqrsmSRf0JfUrvzyVYmMCxjv4xgJwUS/TD5lQD1yPwkp2ss00kQJqzNmB7qwFhA8a3e2iNzV8qtAV/Nj+tMlr99Hb7vZZs98/38G2p5RAsE/5Xl9taKhc/ACnVc/bwJND4JWaBB7duCa08xVB8nkjlt5cCwMurzAcy1ZT+e8JepR+g6s8fpScMEWVJXE0hd8=--rZ41rY9TMXmiBUJw--QiLRVNVXZzTW446s7cec1g==
+QGn9IiI91BaO4IGAtfy92FrNP46X9T2jJErRv+o/PRG9LrimEGeuOE+FwhArKZQ5cTipaDqo8u9Ajv45Kitv3c0GynOOvz0r3OjPRHO/p4hW8BFWQDv581cWWPsyZT2JO51zZ5LnwNFvWrjEB2q49YESgtfADPkJWmtx/By5Cg2/PVIRxvhGKOnheme5cih050wqg/43BdiF0PD9FDTZXJDLJg/QQ8nQYkvQe2jN4nM4mTVpkQkmzDKgGknmUWFfW3qWFzlsdMkdkPdeP9wLnJVbFTeyaaJT3wv6l19d2rKqo8iVvacdaQjRev+LVXqOsNAjVHwcPNQVq9s8pxG24HLk3aQ14Eyjf6tHAuZAV4jLnNqQtBQ0AIldWeOl6SKmlTom1P1tcLp9KpajEADplmWSwUktIGmaakFjk/ApYaUBiYTku2iLHMrT/xSc3jPj5W/ZggeJ0Ij6nuGYE1cmBxWGxda9PzOrDP8coEK9vPHiNeDDM1RoukVmf8gwDmshILi5EwIAsO2gJXM1wtPYMu41+H4/y3c0GIwgfv9QP11q+nqhG1MMcOrAUKGhypAS+M+uLwfGQudfQDKP9Zv3VCnOk3mkKlpIzMMD4UdJxQeE/8sfwIsEhWggEo3oa93ptbRdvJ7YYcVvmMmkVBxk0KWFprl4i/BkFHLWrKNl5LBOGA==--ziMOTnYBB5TDyXYU--3FJMs8e6R8lheqcqB8p8uQ==
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -243,6 +243,128 @@ RSpec.describe User, type: :model do
        expect(user.need_two_factor_authentication?(nil)).to be false
      end
    end
+
+    context "when the user is in non staging environment" do
+      before do
+        allow(Rails.env).to receive(:staging?).and_return(false)
+      end
+
+      context "and the user is in the staging role update email allowlist" do
+        before do
+          allow(Rails.application.credentials).to receive(:[]).with(:staging_role_update_email_allowlist).and_return(["example.com"])
+        end
+
+        context "when the user is a data provider" do
+          it "cannot assign roles" do
+            expect(user.assignable_roles).to eq({})
+          end
+        end
+
+        context "when the user is a data coordinator" do
+          let(:user) { create(:user, :data_coordinator) }
+
+          it "can assign all roles except support" do
+            expect(user.assignable_roles).to eq({
+              data_provider: 1,
+              data_coordinator: 2,
+            })
+          end
+        end
+
+        context "when the user is a Support user" do
+          let(:user) { create(:user, :support) }
+
+          it "can assign all roles" do
+            expect(user.assignable_roles).to eq({
+              data_provider: 1,
+              data_coordinator: 2,
+              support: 99,
+            })
+          end
+        end
+      end
+    end
+
+    context "when the user is in staging environment" do
+      before do
+        allow(Rails.env).to receive(:staging?).and_return(true)
+      end
+
+      context "and the user is not in the staging role update email allowlist" do
+        context "when the user is a data provider" do
+          let(:user) { create(:user, :data_provider) }
+
+          it "cannot assign roles" do
+            expect(user.assignable_roles).to eq({})
+          end
+        end
+
+        context "when the user is a data coordinator" do
+          let(:user) { create(:user, :data_coordinator) }
+
+          it "can assign all roles except support" do
+            expect(user.assignable_roles).to eq({
+              data_provider: 1,
+              data_coordinator: 2,
+            })
+          end
+        end
+
+        context "when the user is a Support user" do
+          let(:user) { create(:user, :support) }
+
+          it "can assign all roles" do
+            expect(user.assignable_roles).to eq({
+              data_provider: 1,
+              data_coordinator: 2,
+              support: 99,
+            })
+          end
+        end
+      end
+
+      context "and the user is in the staging role update email allowlist" do
+        before do
+          allow(Rails.application.credentials).to receive(:[]).with(:staging_role_update_email_allowlist).and_return(["example.com"])
+        end
+
+        context "when the user is a data provider" do
+          let(:user) { create(:user, :data_provider) }
+
+          it "can assign all roles" do
+            expect(user.assignable_roles).to eq({
+              data_provider: 1,
+              data_coordinator: 2,
+              support: 99,
+            })
+          end
+        end
+
+        context "when the user is a data coordinator" do
+          let(:user) { create(:user, :data_coordinator) }
+
+          it "can assign all roles" do
+            expect(user.assignable_roles).to eq({
+              data_provider: 1,
+              data_coordinator: 2,
+              support: 99,
+            })
+          end
+        end
+
+        context "when the user is a Support user" do
+          let(:user) { create(:user, :support) }
+
+          it "can assign all roles" do
+            expect(user.assignable_roles).to eq({
+              data_provider: 1,
+              data_coordinator: 2,
+              support: 99,
+            })
+          end
+        end
+      end
+    end
  end

  describe "paper trail" do