Browse Source

CLDC-1117: Allow data providers to see but not edit users in their org (#442)

* Allow data providers to see but not edit users in their org

* Don't actually need octal literals
pull/445/head
baarkerlounger 3 years ago committed by GitHub
parent
commit
3acf1c65e2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 4
      app/controllers/organisations_controller.rb
  2. 2
      app/controllers/users_controller.rb
  3. 9
      app/helpers/tab_nav_helper.rb
  4. 2
      app/views/organisations/users.html.erb
  5. 8
      app/views/users/show.html.erb
  6. 8
      spec/factories/case_log.rb
  7. 5
      spec/features/organisation_spec.rb
  8. 5
      spec/helpers/tab_nav_helper_spec.rb
  9. 2
      spec/models/organisation_spec.rb
  10. 4
      spec/requests/organisations_controller_spec.rb
  11. 20
      spec/requests/users_controller_spec.rb

4
app/controllers/organisations_controller.rb

@ -8,11 +8,7 @@ class OrganisationsController < ApplicationController
end end
def users def users
if current_user.data_coordinator?
render "users" render "users"
else
head :unauthorized
end
end end
def details def details

2
app/controllers/users_controller.rb

@ -96,7 +96,7 @@ private
else else
render_not_found and return unless current_user.organisation == @user.organisation render_not_found and return unless current_user.organisation == @user.organisation
render_not_found and return if action_name == "edit_password" && current_user != @user render_not_found and return if action_name == "edit_password" && current_user != @user
render_not_found and return unless current_user.data_coordinator? || current_user == @user render_not_found and return unless action_name == "show" || current_user.data_coordinator? || current_user == @user
end end
end end
end end

9
app/helpers/tab_nav_helper.rb

@ -11,10 +11,9 @@ module TabNavHelper
end end
def tab_items(user) def tab_items(user)
items = [{ name: t("Details"), url: details_organisation_path(user.organisation) }] [
if user.data_coordinator? { name: t("Details"), url: details_organisation_path(user.organisation) },
items << { name: t("Users"), url: users_organisation_path(user.organisation) } { name: t("Users"), url: users_organisation_path(user.organisation) },
end ]
items
end end
end end

2
app/views/organisations/users.html.erb

@ -4,7 +4,9 @@
<%= "Users" %> <%= "Users" %>
<% end %> <% end %>
<% if current_user.data_coordinator? %>
<%= govuk_button_link_to "Invite user", new_user_path, html: { method: :get } %> <%= govuk_button_link_to "Invite user", new_user_path, html: { method: :get } %>
<% end %>
<%= govuk_table do |table| %> <%= govuk_table do |table| %>
<%= table.head do |head| %> <%= table.head do |head| %>
<%= head.row do |row| <%= head.row do |row|

8
app/views/users/show.html.erb

@ -14,13 +14,21 @@
<%= summary_list.row do |row| <%= summary_list.row do |row|
row.key { 'Name' } row.key { 'Name' }
row.value { @user.name } row.value { @user.name }
if current_user == @user || current_user.data_coordinator?
row.action(visually_hidden_text: 'name', href: edit_user_path, html_attributes: { 'data-qa': 'change-name' }) row.action(visually_hidden_text: 'name', href: edit_user_path, html_attributes: { 'data-qa': 'change-name' })
else
row.action()
end
end %> end %>
<%= summary_list.row() do |row| <%= summary_list.row() do |row|
row.key { 'Email address' } row.key { 'Email address' }
row.value { @user.email } row.value { @user.email }
if current_user == @user || current_user.data_coordinator?
row.action(visually_hidden_text: 'email address', href: edit_user_path, html_attributes: { 'data-qa': 'change-email' }) row.action(visually_hidden_text: 'email address', href: edit_user_path, html_attributes: { 'data-qa': 'change-email' })
else
row.action()
end
end %> end %>
<%= summary_list.row do |row| <%= summary_list.row do |row|

8
spec/factories/case_log.rb

@ -129,13 +129,13 @@ FactoryBot.define do
ppostc1 { "w3" } ppostc1 { "w3" }
ppostc2 { "w3" } ppostc2 { "w3" }
property_relet { 0 } property_relet { 0 }
mrcdate { Time.utc(2020, 0o5, 0o5, 10, 36, 49) } mrcdate { Time.utc(2020, 5, 0o5, 10, 36, 49) }
mrcday { mrcdate.day } mrcday { mrcdate.day }
mrcmonth { mrcdate.month } mrcmonth { mrcdate.month }
mrcyear { mrcdate.year } mrcyear { mrcdate.year }
incref { 0 } incref { 0 }
sale_completion_date { nil } sale_completion_date { nil }
startdate { Time.utc(2022, 0o2, 0o2, 10, 36, 49) } startdate { Time.utc(2022, 2, 2, 10, 36, 49) }
day { startdate.day } day { startdate.day }
month { startdate.month } month { startdate.month }
year { startdate.year } year { startdate.year }
@ -148,7 +148,7 @@ FactoryBot.define do
la_known { 1 } la_known { 1 }
declaration { 1 } declaration { 1 }
end end
created_at { Time.utc(2022, 0o2, 8, 16, 52, 15) } created_at { Time.utc(2022, 2, 8, 16, 52, 15) }
updated_at { Time.utc(2022, 0o2, 8, 16, 52, 15) } updated_at { Time.utc(2022, 2, 8, 16, 52, 15) }
end end
end end

5
spec/features/organisation_spec.rb

@ -70,11 +70,12 @@ RSpec.describe "User Features" do
let(:user) { FactoryBot.create(:user) } let(:user) { FactoryBot.create(:user) }
context "when viewing organisation page" do context "when viewing organisation page" do
it "can only see the details tab" do it "can see the details tab and users tab" do
visit("/logs") visit("/logs")
click_link("Your organisation") click_link("Your organisation")
expect(page).to have_current_path("/organisations/#{org_id}/details") expect(page).to have_current_path("/organisations/#{org_id}/details")
expect(page).to have_no_link("Users") expect(page).to have_link("Details")
expect(page).to have_link("Users")
end end
end end
end end

5
spec/helpers/tab_nav_helper_spec.rb

@ -31,10 +31,11 @@ RSpec.describe TabNavHelper do
end end
context "when user is a data_provider" do context "when user is a data_provider" do
it "returns details tab only" do it "returns details and user tabs" do
result = tab_items(user).map { |i| i[:name] } result = tab_items(user).map { |i| i[:name] }
expect(result.count).to eq(1) expect(result.count).to eq(2)
expect(result.first).to match("Details") expect(result.first).to match("Details")
expect(result.second).to match("Users")
end end
end end
end end

2
spec/models/organisation_spec.rb

@ -3,7 +3,7 @@ require "rails_helper"
RSpec.describe Organisation, type: :model do RSpec.describe Organisation, type: :model do
describe "#new" do describe "#new" do
let(:user) { FactoryBot.create(:user) } let(:user) { FactoryBot.create(:user) }
let(:organisation) { user.organisation } let!(:organisation) { user.organisation }
it "has expected fields" do it "has expected fields" do
expect(organisation.attribute_names).to include("name", "phone", "provider_type") expect(organisation.attribute_names).to include("name", "phone", "provider_type")

4
spec/requests/organisations_controller_spec.rb

@ -257,8 +257,8 @@ RSpec.describe OrganisationsController, type: :request do
get "/organisations/#{organisation.id}/users", headers: headers, params: {} get "/organisations/#{organisation.id}/users", headers: headers, params: {}
end end
it "returns unauthorized 401" do it "returns 200" do
expect(response).to have_http_status(:unauthorized) expect(response).to have_http_status(:ok)
end end
end end

20
spec/requests/users_controller_spec.rb

@ -138,6 +138,25 @@ RSpec.describe UsersController, type: :request do
get "/users/#{other_user.id}", headers: headers, params: {} get "/users/#{other_user.id}", headers: headers, params: {}
end end
context "when the user is part of the same organisation" do
let(:other_user) { FactoryBot.create(:user, organisation: user.organisation) }
it "shows their details" do
expect(response).to have_http_status(:ok)
expect(page).to have_content("#{other_user.name}’s account")
end
it "does not have edit links" do
expect(page).not_to have_link("Change", text: "name")
expect(page).not_to have_link("Change", text: "email address")
expect(page).not_to have_link("Change", text: "password")
expect(page).not_to have_link("Change", text: "role")
expect(page).not_to have_link("Change", text: "are you a data protection officer?")
expect(page).not_to have_link("Change", text: "are you a key contact?")
end
end
context "when the user is not part of the same organisation" do
it "returns not found 404" do it "returns not found 404" do
expect(response).to have_http_status(:not_found) expect(response).to have_http_status(:not_found)
end end
@ -147,6 +166,7 @@ RSpec.describe UsersController, type: :request do
end end
end end
end end
end
describe "#edit" do describe "#edit" do
context "when the current user matches the user ID" do context "when the current user matches the user ID" do

Loading…
Cancel
Save