diff --git a/app/models/user.rb b/app/models/user.rb index 69d63f3ac..27a884fa4 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -81,4 +81,11 @@ class User < ApplicationRecord personalisation = { otp: code } DeviseNotifyMailer.new.send_email(email, template_id, personalisation) end + + def assignable_roles + return {} unless data_coordinator? || support? + return ROLES if support? + + ROLES.except(:support) + end end diff --git a/app/views/users/edit.html.erb b/app/views/users/edit.html.erb index fb7a885ba..e6ae068fa 100644 --- a/app/views/users/edit.html.erb +++ b/app/views/users/edit.html.erb @@ -26,8 +26,9 @@ spellcheck: "false" %> - <% if current_user.data_coordinator? %> - <%= roles = User::ROLES.map { |key, _| OpenStruct.new(id: key, name: key.to_s.humanize) } + <% if current_user.data_coordinator? || current_user.support? %> + <%= roles = current_user.assignable_roles.map { |key, _| OpenStruct.new(id: key, name: key.to_s.humanize) } + f.govuk_collection_radio_buttons :role, roles, :id, :name, legend: { text: "Role", size: "m" } %> diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb index 7af8daa0c..a3dea4fff 100644 --- a/app/views/users/new.html.erb +++ b/app/views/users/new.html.erb @@ -27,27 +27,25 @@ value: @resource.email %> - <%= roles = User::ROLES.map { |key, _| OpenStruct.new(id: key, name: key.to_s.humanize) } + <%= roles = current_user.assignable_roles.map { |key, _| OpenStruct.new(id: key, name: key.to_s.humanize) } f.govuk_collection_radio_buttons :role, roles, :id, :name, legend: { text: "Role", size: "m" } %> - <% if current_user.data_coordinator? %> - <%= f.govuk_collection_radio_buttons :is_dpo, - [OpenStruct.new(id: false, name: "No"), OpenStruct.new(id: true, name: "Yes")], - :id, - :name, - inline: true, - legend: { text: "Are #{pronoun(@user, current_user)} a data protection officer?", size: "m" } - %> - - <%= f.govuk_collection_radio_buttons :is_key_contact, - [OpenStruct.new(id: false, name: "No"), OpenStruct.new(id: true, name: "Yes")], - :id, - :name, - inline: true, - legend: { text: "Are #{pronoun(@user, current_user)} a key contact?", size: "m" } - %> - <% end %> + <%= f.govuk_collection_radio_buttons :is_dpo, + [OpenStruct.new(id: false, name: "No"), OpenStruct.new(id: true, name: "Yes")], + :id, + :name, + inline: true, + legend: { text: "Are #{pronoun(@user, current_user)} a data protection officer?", size: "m" } + %> + + <%= f.govuk_collection_radio_buttons :is_key_contact, + [OpenStruct.new(id: false, name: "No"), OpenStruct.new(id: true, name: "Yes")], + :id, + :name, + inline: true, + legend: { text: "Are #{pronoun(@user, current_user)} a key contact?", size: "m" } + %> <%= f.govuk_submit "Continue" %> diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb index e8d0008a9..da518eb34 100644 --- a/spec/models/user_spec.rb +++ b/spec/models/user_spec.rb @@ -69,6 +69,32 @@ RSpec.describe User, type: :model do expect(user.need_two_factor_authentication?(nil)).to be false end + context "when the user is a data provider" do + it "cannot assign roles" do + expect(user.assignable_roles).to eq({}) + end + end + + context "when the user is a data accessor" do + let(:user) { FactoryBot.create(:user, :data_accessor) } + + it "cannot assign roles" do + expect(user.assignable_roles).to eq({}) + end + end + + context "when the user is a data coordinator" do + let(:user) { FactoryBot.create(:user, :data_coordinator) } + + it "can assign all roles except support" do + expect(user.assignable_roles).to eq({ + data_accessor: 0, + data_provider: 1, + data_coordinator: 2, + }) + end + end + context "when the user is a Customer Support person" do let(:user) { FactoryBot.create(:user, :support) } let!(:other_orgs_log) { FactoryBot.create(:case_log) } @@ -80,6 +106,15 @@ RSpec.describe User, type: :model do it "requires 2FA" do expect(user.need_two_factor_authentication?(nil)).to be true end + + it "can assign all roles" do + expect(user.assignable_roles).to eq({ + data_accessor: 0, + data_provider: 1, + data_coordinator: 2, + support: 99, + }) + end end end diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb index 26ada9557..34a2c9668 100644 --- a/spec/requests/users_controller_spec.rb +++ b/spec/requests/users_controller_spec.rb @@ -413,6 +413,10 @@ RSpec.describe UsersController, type: :request do expect(page).to have_field("user[is_dpo]") expect(page).to have_field("user[is_key_contact]") end + + it "does not allow setting the role to `support`" do + expect(page).not_to have_field("user-role-support-field") + end end context "when the current user does not matches the user ID" do @@ -638,6 +642,11 @@ RSpec.describe UsersController, type: :request do expect(response).to redirect_to("/organisations/#{user.organisation.id}/users") end + it "cannot assign support role to the new user" do + request + expect(page).not_to have_field("user-role-support-field") + end + context "when the email is already taken" do before do FactoryBot.create(:user, email: "new_user@example.com")