
Don't allow data coordinators to assign support role

pull/460/head
baarkerlounger 3 years ago
parent
commit
30083933b9
  1. 7
      app/models/user.rb
  2. 5
      app/views/users/edit.html.erb
  3. 34
      app/views/users/new.html.erb
  4. 35
      spec/models/user_spec.rb
  5. 9
      spec/requests/users_controller_spec.rb

7
app/models/user.rb

@ -81,4 +81,11 @@ class User < ApplicationRecord
personalisation = { otp: code } personalisation = { otp: code }
DeviseNotifyMailer.new.send_email(email, template_id, personalisation) DeviseNotifyMailer.new.send_email(email, template_id, personalisation)
end end
def assignable_roles
return {} unless data_coordinator? || support?
return ROLES if support?
ROLES.except(:support)
end
end end
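Review bot: `assignable_roles` only decides which radio buttons the views render; nothing in this commit rejects a request that submits `role=support` directly, so unless the controller already filters the role parameter (not visible here) the restriction in the commit title is presentational only. The controller action that accepts the role should check it against this method before saving, for example `allowed_roles = current_user.assignable_roles.keys.map(&:to_s)` followed by `return head(:unauthorized) unless allowed_roles.include?(submitted_role)`, comparing strings rather than calling `to_sym` on user input. The method also deserves a one-line comment, e.g. `# Roles this user may grant to others; empty for users who cannot manage users.`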

5
app/views/users/edit.html.erb

@ -26,8 +26,9 @@
spellcheck: "false" spellcheck: "false"
%> %>
<% if current_user.data_coordinator? %> <% if current_user.data_coordinator? || current_user.support? %>
<%= roles = User::ROLES.map { |key, _| OpenStruct.new(id: key, name: key.to_s.humanize) } <%= roles = current_user.assignable_roles.map { |key, _| OpenStruct.new(id: key, name: key.to_s.humanize) }
f.govuk_collection_radio_buttons :role, roles, :id, :name, legend: { text: "Role", size: "m" } f.govuk_collection_radio_buttons :role, roles, :id, :name, legend: { text: "Role", size: "m" }
%> %>
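Review bot: The condition on the `<% if current_user.data_coordinator? || current_user.support? %>` line repeats the rule that `assignable_roles` already encodes, so the two will drift apart if another role is ever allowed to assign roles. `<% unless current_user.assignable_roles.empty? %>` keeps the view on the single source of truth in the model. The enclosing form starts and ends outside the hunk.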

34
app/views/users/new.html.erb

@ -27,27 +27,25 @@
value: @resource.email value: @resource.email
%> %>
<%= roles = User::ROLES.map { |key, _| OpenStruct.new(id: key, name: key.to_s.humanize) } <%= roles = current_user.assignable_roles.map { |key, _| OpenStruct.new(id: key, name: key.to_s.humanize) }
f.govuk_collection_radio_buttons :role, roles, :id, :name, legend: { text: "Role", size: "m" } f.govuk_collection_radio_buttons :role, roles, :id, :name, legend: { text: "Role", size: "m" }
%> %>
<% if current_user.data_coordinator? %> <%= f.govuk_collection_radio_buttons :is_dpo,
<%= f.govuk_collection_radio_buttons :is_dpo, [OpenStruct.new(id: false, name: "No"), OpenStruct.new(id: true, name: "Yes")],
[OpenStruct.new(id: false, name: "No"), OpenStruct.new(id: true, name: "Yes")], :id,
:id, :name,
:name, inline: true,
inline: true, legend: { text: "Are #{pronoun(@user, current_user)} a data protection officer?", size: "m" }
legend: { text: "Are #{pronoun(@user, current_user)} a data protection officer?", size: "m" } %>
%>
<%= f.govuk_collection_radio_buttons :is_key_contact,
<%= f.govuk_collection_radio_buttons :is_key_contact, [OpenStruct.new(id: false, name: "No"), OpenStruct.new(id: true, name: "Yes")],
[OpenStruct.new(id: false, name: "No"), OpenStruct.new(id: true, name: "Yes")], :id,
:id, :name,
:name, inline: true,
inline: true, legend: { text: "Are #{pronoun(@user, current_user)} a key contact?", size: "m" }
legend: { text: "Are #{pronoun(@user, current_user)} a key contact?", size: "m" } %>
%>
<% end %>
<%= f.govuk_submit "Continue" %> <%= f.govuk_submit "Continue" %>
</div> </div>
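Review bot: Unlike edit.html.erb, the role radios on the `roles = current_user.assignable_roles.map` line are rendered unconditionally, so a user whose `assignable_roles` is `{}` gets an empty "Role" fieldset with no options; wrapping them in `<% unless current_user.assignable_roles.empty? %> … <% end %>` would match the edit view. Dropping the `<% if current_user.data_coordinator? %>` / `<% end %>` around the is_dpo and is_key_contact radios also shows those fields to any non-coordinator who reaches this page, which is fine only if the controller already limits the page to coordinators and support users — that is not visible in this commit. The form and the enclosing div open outside the hunk.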

35
spec/models/user_spec.rb

@ -69,6 +69,32 @@ RSpec.describe User, type: :model do
expect(user.need_two_factor_authentication?(nil)).to be false expect(user.need_two_factor_authentication?(nil)).to be false
end end
context "when the user is a data provider" do
it "cannot assign roles" do
expect(user.assignable_roles).to eq({})
end
end
context "when the user is a data accessor" do
let(:user) { FactoryBot.create(:user, :data_accessor) }
it "cannot assign roles" do
expect(user.assignable_roles).to eq({})
end
end
context "when the user is a data coordinator" do
let(:user) { FactoryBot.create(:user, :data_coordinator) }
it "can assign all roles except support" do
expect(user.assignable_roles).to eq({
data_accessor: 0,
data_provider: 1,
data_coordinator: 2,
})
end
end
context "when the user is a Customer Support person" do context "when the user is a Customer Support person" do
let(:user) { FactoryBot.create(:user, :support) } let(:user) { FactoryBot.create(:user, :support) }
let!(:other_orgs_log) { FactoryBot.create(:case_log) } let!(:other_orgs_log) { FactoryBot.create(:case_log) }
@ -80,6 +106,15 @@ RSpec.describe User, type: :model do
it "requires 2FA" do it "requires 2FA" do
expect(user.need_two_factor_authentication?(nil)).to be true expect(user.need_two_factor_authentication?(nil)).to be true
end end
it "can assign all roles" do
expect(user.assignable_roles).to eq({
data_accessor: 0,
data_provider: 1,
data_coordinator: 2,
support: 99,
})
end
end end
end end
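Review bot: The `context "when the user is a data provider"` block relies on the outer `let(:user)`, which is outside the hunk, happening to build a data provider; nothing in the context states that, so a later change to the factory default would silently turn it into a test of a different role. Declaring the user explicitly in that context, in the same form as the `:data_accessor` and `:data_coordinator` contexts below it (if a matching factory trait exists), makes the intent visible. The outer `describe` and its `let` definitions are outside the hunk.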

9
spec/requests/users_controller_spec.rb

@ -413,6 +413,10 @@ RSpec.describe UsersController, type: :request do
expect(page).to have_field("user[is_dpo]") expect(page).to have_field("user[is_dpo]")
expect(page).to have_field("user[is_key_contact]") expect(page).to have_field("user[is_key_contact]")
end end
it "does not allow setting the role to `support`" do
expect(page).not_to have_field("user-role-support-field")
end
end end
context "when the current user does not matches the user ID" do context "when the current user does not matches the user ID" do
@ -638,6 +642,11 @@ RSpec.describe UsersController, type: :request do
expect(response).to redirect_to("/organisations/#{user.organisation.id}/users") expect(response).to redirect_to("/organisations/#{user.organisation.id}/users")
end end
it "cannot assign support role to the new user" do
request
expect(page).not_to have_field("user-role-support-field")
end
context "when the email is already taken" do context "when the email is already taken" do
before do before do
FactoryBot.create(:user, email: "new_user@example.com") FactoryBot.create(:user, email: "new_user@example.com")
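Review bot: Both new examples (`does not allow setting the role to `support`` and `cannot assign support role to the new user`) only assert that the radio option is absent from the rendered page; neither submits a request with `role: "support"` while signed in as a data coordinator and checks that it is refused, so the spec stays green even if the controller still accepts the parameter. Add a request example that PATCHes or POSTs `user: { role: "support" }` as a data coordinator and expects the persisted role to be unchanged, e.g. `expect(user.reload.role).not_to eq("support")`, or a 4xx response. The enclosing contexts and the `request` and `page` helpers are defined outside the hunk.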
