From 5fa69ce0b62c844ad122de5adae813ec71deac74 Mon Sep 17 00:00:00 2001 From: Rachael Booth Date: Thu, 5 Dec 2024 11:38:14 +0000 Subject: [PATCH] CLDC-2128: Validate supplied year in bulk upload pages (#2839) * CLDC-2128: Validate supplied year in bulk upload pages * Fix lint * Refactor --- .../bulk_upload_lettings_logs_controller.rb | 23 +++- .../bulk_upload_sales_logs_controller.rb | 19 ++- .../forms/bulk_upload_lettings/needstype.rb | 39 ------ .../forms/needstype.erb | 23 ---- ...lk_upload_lettings_logs_controller_spec.rb | 111 ++++++++++++++++++ .../bulk_upload_sales_logs_controller_spec.rb | 111 ++++++++++++++++++ 6 files changed, 257 insertions(+), 69 deletions(-) delete mode 100644 app/models/forms/bulk_upload_lettings/needstype.rb delete mode 100644 app/views/bulk_upload_lettings_logs/forms/needstype.erb diff --git a/app/controllers/bulk_upload_lettings_logs_controller.rb b/app/controllers/bulk_upload_lettings_logs_controller.rb index a8ad14f9e..39bc05f7e 100644 --- a/app/controllers/bulk_upload_lettings_logs_controller.rb +++ b/app/controllers/bulk_upload_lettings_logs_controller.rb @@ -1,6 +1,7 @@ class BulkUploadLettingsLogsController < ApplicationController before_action :authenticate_user! - before_action :validate_data_protection_agrement_signed! + before_action :validate_data_protection_agreement_signed! + before_action :validate_year!, except: %w[start] def start if have_choice_of_year? @@ -24,12 +25,26 @@ class BulkUploadLettingsLogsController < ApplicationController private - def validate_data_protection_agrement_signed! + def validate_data_protection_agreement_signed! return if @current_user.organisation.data_protection_confirmed? redirect_to lettings_logs_path end + def validate_year! + return if params[:id] == "year" + return if params[:id] == "guidance" && params.dig(:form, :year).nil? + + allowed_years = [current_year] + allowed_years.push(current_year - 1) if FormHandler.instance.lettings_in_crossover_period? + allowed_years.push(current_year + 1) if FeatureToggle.allow_future_form_use? + + provided_year = params.dig(:form, :year)&.to_i + return if allowed_years.include?(provided_year) + + render_not_found + end + def current_year FormHandler.instance.current_collection_start_year end @@ -48,8 +63,6 @@ private Forms::BulkUploadLettings::PrepareYourFile.new(form_params) when "guidance" Forms::BulkUploadLettings::Guidance.new(form_params.merge(referrer: params[:referrer])) - when "needstype" - Forms::BulkUploadLettings::Needstype.new(form_params) when "upload-your-file" Forms::BulkUploadLettings::UploadYourFile.new(form_params.merge(current_user:)) when "checking-file" @@ -60,6 +73,6 @@ private end def form_params - params.fetch(:form, {}).permit(:year, :needstype, :file, :organisation_id) + params.fetch(:form, {}).permit(:year, :file, :organisation_id) end end diff --git a/app/controllers/bulk_upload_sales_logs_controller.rb b/app/controllers/bulk_upload_sales_logs_controller.rb index 2fd312d10..cb04cea95 100644 --- a/app/controllers/bulk_upload_sales_logs_controller.rb +++ b/app/controllers/bulk_upload_sales_logs_controller.rb @@ -1,6 +1,7 @@ class BulkUploadSalesLogsController < ApplicationController before_action :authenticate_user! - before_action :validate_data_protection_agrement_signed! + before_action :validate_data_protection_agreement_signed! + before_action :validate_year!, except: %w[start] def start if have_choice_of_year? @@ -24,12 +25,26 @@ class BulkUploadSalesLogsController < ApplicationController private - def validate_data_protection_agrement_signed! + def validate_data_protection_agreement_signed! return if @current_user.organisation.data_protection_confirmed? redirect_to sales_logs_path end + def validate_year! + return if params[:id] == "year" + return if params[:id] == "guidance" && params.dig(:form, :year).nil? + + allowed_years = [current_year] + allowed_years.push(current_year - 1) if FormHandler.instance.sales_in_crossover_period? + allowed_years.push(current_year + 1) if FeatureToggle.allow_future_form_use? + + provided_year = params.dig(:form, :year)&.to_i + return if allowed_years.include?(provided_year) + + render_not_found + end + def current_year FormHandler.instance.current_collection_start_year end diff --git a/app/models/forms/bulk_upload_lettings/needstype.rb b/app/models/forms/bulk_upload_lettings/needstype.rb deleted file mode 100644 index b15c05b52..000000000 --- a/app/models/forms/bulk_upload_lettings/needstype.rb +++ /dev/null @@ -1,39 +0,0 @@ -module Forms - module BulkUploadLettings - class Needstype - include ActiveModel::Model - include ActiveModel::Attributes - include Rails.application.routes.url_helpers - - attribute :needstype, :integer - attribute :year, :integer - attribute :organisation_id, :integer - - validates :needstype, presence: true - - def view_path - "bulk_upload_lettings_logs/forms/needstype" - end - - def options - [OpenStruct.new(id: 1, name: "General needs"), OpenStruct.new(id: 2, name: "Supported housing")] - end - - def back_path - bulk_upload_lettings_log_path(id: "prepare-your-file", form: { year:, needstype:, organisation_id: }.compact) - end - - def next_path - bulk_upload_lettings_log_path(id: "upload-your-file", form: { year:, needstype:, organisation_id: }.compact) - end - - def year_combo - "#{year} to #{year + 1}" - end - - def save! - true - end - end - end -end diff --git a/app/views/bulk_upload_lettings_logs/forms/needstype.erb b/app/views/bulk_upload_lettings_logs/forms/needstype.erb deleted file mode 100644 index 644dd9f5f..000000000 --- a/app/views/bulk_upload_lettings_logs/forms/needstype.erb +++ /dev/null @@ -1,23 +0,0 @@ -<% content_for :before_content do %> - <%= govuk_back_link href: @form.back_path %> -<% end %> - -
-
- <%= form_with model: @form, scope: :form, url: bulk_upload_lettings_log_path(id: "needstype"), method: :patch do |f| %> - <%= f.govuk_error_summary %> - <%= f.hidden_field :year %> - <%= f.hidden_field :organisation_id %> - - <%= f.govuk_collection_radio_buttons :needstype, - @form.options, - :id, - :name, - hint: { text: I18n.t("hints.bulk_upload.needstype") }, - legend: { text: "What is the needs type?", size: "l" }, - caption: { text: "Upload lettings logs in bulk (#{@form.year_combo})", size: "l" } %> - - <%= f.govuk_submit %> - <% end %> -
-
diff --git a/spec/requests/bulk_upload_lettings_logs_controller_spec.rb b/spec/requests/bulk_upload_lettings_logs_controller_spec.rb index 18b208e74..c9a22768d 100644 --- a/spec/requests/bulk_upload_lettings_logs_controller_spec.rb +++ b/spec/requests/bulk_upload_lettings_logs_controller_spec.rb @@ -73,5 +73,116 @@ RSpec.describe BulkUploadLettingsLogsController, type: :request do expect(response.body).to include("How to upload logs in bulk") end end + + context "when no year is specified" do + it "shows guidance page with links defaulting to the current year" do + get "/lettings-logs/bulk-upload-logs/guidance" + + expect(response.body).to include("Download the lettings bulk upload template (#{current_collection_start_year} to #{current_collection_start_year + 1})") + end + end + + context "when an invalid year is specified" do + it "shows not found" do + get "/lettings-logs/bulk-upload-logs/guidance?form%5Byear%5D=10000" + + expect(response).to be_not_found + end + end + end + + describe "GET /lettings-logs/bulk-upload-logs/year" do + it "does not require a year to be specified" do + get "/lettings-logs/bulk-upload-logs/year" + + expect(response).to be_ok + end + end + + pages_requiring_year_specification = %w[prepare-your-file upload-your-file checking-file] + pages_requiring_year_specification.each do |page_id| + describe "GET /lettings-logs/bulk-upload-logs/#{page_id}" do + context "when no year is provided" do + it "returns not found" do + get "/lettings-logs/bulk-upload-logs/#{page_id}" + + expect(response).to be_not_found + end + end + + context "when requesting the previous year in a crossover period" do + before do + allow(FormHandler.instance).to receive(:lettings_in_crossover_period?).and_return(true) + end + + it "succeeds" do + get "/lettings-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=#{current_collection_start_year - 1}" + + expect(response).to be_ok + end + end + + context "when requesting the previous year outside a crossover period" do + before do + allow(FormHandler.instance).to receive(:lettings_in_crossover_period?).and_return(false) + end + + it "returns not found" do + get "/lettings-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=#{current_collection_start_year - 1}" + + expect(response).to be_not_found + end + end + + context "when requesting the current year" do + it "succeeds" do + get "/lettings-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=#{current_collection_start_year}" + + expect(response).to be_ok + end + end + + if page_id != "prepare-your-file" + context "when requesting the next year with future form use toggled on" do + before do + allow(FeatureToggle).to receive(:allow_future_form_use?).and_return(true) + end + + it "succeeds" do + get "/lettings-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=#{current_collection_start_year + 1}" + + expect(response).to be_ok + end + end + end + + context "when requesting the next year with future form use toggled off" do + before do + allow(FeatureToggle).to receive(:allow_future_form_use?).and_return(false) + end + + it "returns not found" do + get "/lettings-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=#{current_collection_start_year + 1}" + + expect(response).to be_not_found + end + end + + context "when requesting a far future year" do + it "returns not found" do + get "/lettings-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=9990" + + expect(response).to be_not_found + end + end + + context "when requesting a nonsense value for year" do + it "returns not found" do + get "/lettings-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=thisisnotayear" + + expect(response).to be_not_found + end + end + end end end diff --git a/spec/requests/bulk_upload_sales_logs_controller_spec.rb b/spec/requests/bulk_upload_sales_logs_controller_spec.rb index 7cd6d4be8..4c20482be 100644 --- a/spec/requests/bulk_upload_sales_logs_controller_spec.rb +++ b/spec/requests/bulk_upload_sales_logs_controller_spec.rb @@ -73,5 +73,116 @@ RSpec.describe BulkUploadSalesLogsController, type: :request do expect(response.body).to include("How to upload logs in bulk") end end + + context "when no year is specified" do + it "shows guidance page with links defaulting to the current year" do + get "/sales-logs/bulk-upload-logs/guidance" + + expect(response.body).to include("Download the sales bulk upload template (#{current_collection_start_year} to #{current_collection_start_year + 1})") + end + end + + context "when an invalid year is specified" do + it "shows not found" do + get "/sales-logs/bulk-upload-logs/guidance?form%5Byear%5D=10000" + + expect(response).to be_not_found + end + end + end + + describe "GET /sales-logs/bulk-upload-logs/year" do + it "does not require a year to be specified" do + get "/sales-logs/bulk-upload-logs/year" + + expect(response).to be_ok + end + end + + pages_requiring_year_specification = %w[prepare-your-file upload-your-file checking-file] + pages_requiring_year_specification.each do |page_id| + describe "GET /sales-logs/bulk-upload-logs/#{page_id}" do + context "when no year is provided" do + it "returns not found" do + get "/sales-logs/bulk-upload-logs/#{page_id}" + + expect(response).to be_not_found + end + end + + context "when requesting the previous year in a crossover period" do + before do + allow(FormHandler.instance).to receive(:sales_in_crossover_period?).and_return(true) + end + + it "succeeds" do + get "/sales-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=#{current_collection_start_year - 1}" + + expect(response).to be_ok + end + end + + context "when requesting the previous year outside a crossover period" do + before do + allow(FormHandler.instance).to receive(:sales_in_crossover_period?).and_return(false) + end + + it "returns not found" do + get "/sales-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=#{current_collection_start_year - 1}" + + expect(response).to be_not_found + end + end + + context "when requesting the current year" do + it "succeeds" do + get "/sales-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=#{current_collection_start_year}" + + expect(response).to be_ok + end + end + + if page_id != "prepare-your-file" + context "when requesting the next year with future form use toggled on" do + before do + allow(FeatureToggle).to receive(:allow_future_form_use?).and_return(true) + end + + it "succeeds" do + get "/sales-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=#{current_collection_start_year + 1}" + + expect(response).to be_ok + end + end + end + + context "when requesting the next year with future form use toggled off" do + before do + allow(FeatureToggle).to receive(:allow_future_form_use?).and_return(false) + end + + it "returns not found" do + get "/sales-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=#{current_collection_start_year + 1}" + + expect(response).to be_not_found + end + end + + context "when requesting a far future year" do + it "returns not found" do + get "/sales-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=9990" + + expect(response).to be_not_found + end + end + + context "when requesting a nonsense value for year" do + it "returns not found" do + get "/sales-logs/bulk-upload-logs/#{page_id}?form%5Byear%5D=thisisnotayear" + + expect(response).to be_not_found + end + end + end end end