From c2688542790eaef79b55f52ae74d191de220e143 Mon Sep 17 00:00:00 2001
From: baarkerlounger
Date: Fri, 3 Dec 2021 10:02:35 +0000
Subject: [PATCH] More tests for access
---
spec/requests/case_log_controller_spec.rb | 87 +++---
spec/requests/form_controller_spec.rb | 355 ++++++++++++----------
2 files changed, 235 insertions(+), 207 deletions(-)
diff --git a/spec/requests/case_log_controller_spec.rb b/spec/requests/case_log_controller_spec.rb
index fb889948c..ac9c65505 100644
--- a/spec/requests/case_log_controller_spec.rb
+++ b/spec/requests/case_log_controller_spec.rb
@@ -180,54 +180,63 @@ RSpec.describe CaseLogsController, type: :request do allow(FormHandler.instance).to receive(:get_form).and_return(form) end - context "case logs that are owned or managed by your organisation" do - before do - sign_in user + context "a user that is not signed in" do + it "does not let you get case log tasklist pages you don't have access to" do get "/case-logs/#{case_log.id}", headers: headers, params: {} - end - - it "shows the tasklist for case logs you have access to" do - expect(response.body).to match("Case log") - expect(response.body).to match(case_log.id.to_s) - end - - it "displays a section status for a case log" do - assert_select ".govuk-tag", text: /Not started/, count: 8 - assert_select ".govuk-tag", text: /Completed/, count: 0 - assert_select ".govuk-tag", text: /Cannot start yet/, count: 1 + expect(response).to redirect_to("/users/sign-in") end end - context "case log with a single section complete" do - let(:section_completed_case_log) do - FactoryBot.create( - :case_log, - :conditional_section_complete, - owning_organisation: organisation, - managing_organisation: organisation, - ) + context "a signed in user" do + context "case logs that are owned or managed by your organisation" do + before do + sign_in user + get "/case-logs/#{case_log.id}", headers: headers, params: {} + end + + it "shows the tasklist for case logs you have access to" do + expect(response.body).to match("Case log") + expect(response.body).to match(case_log.id.to_s) + end + + it "displays a section status for a case log" do + assert_select ".govuk-tag", text: /Not started/, count: 8 + assert_select ".govuk-tag", text: /Completed/, count: 0 + assert_select ".govuk-tag", text: /Cannot start yet/, count: 1 + end end - before do - sign_in user - get "/case-logs/#{section_completed_case_log.id}", headers: headers, params: {} + context "case log with a single section complete" do + let(:section_completed_case_log) do + FactoryBot.create( + :case_log, + 
:conditional_section_complete, + owning_organisation: organisation, + managing_organisation: organisation, + ) + end + + before do + sign_in user + get "/case-logs/#{section_completed_case_log.id}", headers: headers, params: {} + end + + it "displays a section status for a case log" do + assert_select ".govuk-tag", text: /Not started/, count: 7 + assert_select ".govuk-tag", text: /Completed/, count: 1 + assert_select ".govuk-tag", text: /Cannot start yet/, count: 1 + end end - it "displays a section status for a case log" do - assert_select ".govuk-tag", text: /Not started/, count: 7 - assert_select ".govuk-tag", text: /Completed/, count: 1 - assert_select ".govuk-tag", text: /Cannot start yet/, count: 1 - end - end - - context "case logs that are not owned or managed by your organisation" do - before do - sign_in user - get "/case-logs/#{unauthorized_case_log.id}", headers: headers, params: {} - end + context "case logs that are not owned or managed by your organisation" do + before do + sign_in user + get "/case-logs/#{unauthorized_case_log.id}", headers: headers, params: {} + end - it "does not show the tasklist for case logs you don't have access to" do - expect(response).to have_http_status(:not_found) + it "does not show the tasklist for case logs you don't have access to" do + expect(response).to have_http_status(:not_found) + end end end end diff --git a/spec/requests/form_controller_spec.rb b/spec/requests/form_controller_spec.rb index 218f34407..6e2fa50c5 100644 --- a/spec/requests/form_controller_spec.rb +++ b/spec/requests/form_controller_spec.rb 
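Review bot: The three contexts nested under `context "a signed in user"` each repeat `sign_in user` in their own `before`, so a context added later that omits it would run signed out and exercise the sign-in redirect instead of the organisation check it is meant to test. A single `before { sign_in user }` at the top of `context "a signed in user"`, as the form controller spec in this same commit does, keeps the authenticated/unauthenticated split in one place and leaves each inner `before` with only its `get`. The new signed-out example covers the tasklist GET only; whether the controller's other actions have a matching signed-out example cannot be seen from this hunk.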
@@ -20,136 +20,111 @@ RSpec.describe FormController, type: :request do end let(:headers) { { "Accept" => "text/html" } } - before do - sign_in user - end + context "a not signed in user" do + it "does not let you get case logs pages you don't have access to" do + get "/case-logs/#{case_log.id}/person-1-age", headers: headers, params: {} + expect(response).to redirect_to("/users/sign-in") + end - describe "GET" do - context "form pages" do - context "case logs that are not owned or managed by your organisation" do - it "does not show form pages for case logs you don't have access to" do - get "/case-logs/#{unauthorized_case_log.id}/person-1-age", headers: headers, params: {} - expect(response).to have_http_status(:not_found) - end - end + it "does not let you get case log check answer pages you don't have access to" do + get "/case-logs/#{case_log.id}/household-characteristics/check-answers", headers: headers, params: {} + expect(response).to redirect_to("/users/sign-in") end - context "check answers pages" do - context "case logs that are not owned or managed by your organisation" do - it "does not show a check answers for case logs you don't have access to" do - get "/case-logs/#{unauthorized_case_log.id}/household-characteristics/check-answers", headers: headers, params: {} - expect(response).to have_http_status(:not_found) - end - end + it "does not let you post form answers to case logs you don't have access to" do + post "/case-logs/#{case_log.id}/form", params: {} + expect(response).to redirect_to("/users/sign-in") end end - describe "Submit Form" do - context "a form page" do - let(:user) { FactoryBot.create(:user) } - let(:form) { Form.new("spec/fixtures/forms/test_form.json") } - let(:organisation) { user.organisation } - let(:case_log) do - FactoryBot.create( - :case_log, - owning_organisation: organisation, - managing_organisation: organisation, - ) - end - let(:page_id) { "person_1_age" } - let(:params) do - { - id: case_log.id, - case_log: { - page: 
page_id, - age1: answer, - }, - } - end + context "a signed in user" do + before do + sign_in user + end - before do - allow(FormHandler.instance).to receive(:get_form).and_return(form) - post "/case-logs/#{case_log.id}/form", params: params + describe "GET" do + context "form pages" do + context "case logs that are not owned or managed by your organisation" do + it "does not show form pages for case logs you don't have access to" do + get "/case-logs/#{unauthorized_case_log.id}/person-1-age", headers: headers, params: {} + expect(response).to have_http_status(:not_found) + end + end end - context "invalid answers" do - let(:answer) { 2000 } - - it "re-renders the same page with errors if validation fails" do - expect(response).to have_http_status(:unprocessable_entity) + context "check answers pages" do + context "case logs that are not owned or managed by your organisation" do + it "does not show a check answers for case logs you don't have access to" do + get "/case-logs/#{unauthorized_case_log.id}/household-characteristics/check-answers", headers: headers, params: {} + expect(response).to have_http_status(:not_found) + end end end + end - context "valid answers" do - let(:answer) { 20 } - - it "re-renders the same page with errors if validation fails" do - expect(response).to have_http_status(:redirect) + describe "Submit Form" do + context "a form page" do + let(:user) { FactoryBot.create(:user) } + let(:form) { Form.new("spec/fixtures/forms/test_form.json") } + let(:organisation) { user.organisation } + let(:case_log) do + FactoryBot.create( + :case_log, + owning_organisation: organisation, + managing_organisation: organisation, + ) end - + let(:page_id) { "person_1_age" } let(:params) do { id: case_log.id, case_log: { page: page_id, age1: answer, - age2: 2000, }, } end - it "only updates answers that apply to the page being submitted" do - case_log.reload - expect(case_log.age1).to eq(answer) - expect(case_log.age2).to be nil + before do + 
allow(FormHandler.instance).to receive(:get_form).and_return(form) + post "/case-logs/#{case_log.id}/form", params: params end - end - end - context "checkbox questions" do - let(:case_log_form_params) do - { - id: case_log.id, - case_log: { - page: "accessibility_requirements", - accessibility_requirements: - %w[ housingneeds_a - housingneeds_b - housingneeds_c], - }, - } - end + context "invalid answers" do + let(:answer) { 2000 } - let(:new_case_log_form_params) do - { - id: case_log.id, - case_log: { - page: "accessibility_requirements", - accessibility_requirements: %w[housingneeds_c], - }, - } - end + it "re-renders the same page with errors if validation fails" do + expect(response).to have_http_status(:unprocessable_entity) + end + end - it "sets checked items to true" do - post "/case-logs/#{case_log.id}/form", params: case_log_form_params - case_log.reload + context "valid answers" do + let(:answer) { 20 } - expect(case_log.housingneeds_a).to eq("Yes") - expect(case_log.housingneeds_b).to eq("Yes") - expect(case_log.housingneeds_c).to eq("Yes") - end + it "re-renders the same page with errors if validation fails" do + expect(response).to have_http_status(:redirect) + end - it "sets previously submitted items to false when resubmitted with new values" do - post "/case-logs/#{case_log.id}/form", params: new_case_log_form_params - case_log.reload + let(:params) do + { + id: case_log.id, + case_log: { + page: page_id, + age1: answer, + age2: 2000, + }, + } + end - expect(case_log.housingneeds_a).to eq("No") - expect(case_log.housingneeds_b).to eq("No") - expect(case_log.housingneeds_c).to eq("Yes") + it "only updates answers that apply to the page being submitted" do + case_log.reload + expect(case_log.age1).to eq(answer) + expect(case_log.age2).to be nil + end + end end - context "given a page with checkbox and non-checkbox questions" do - let(:tenant_code) { "BZ355" } + context "checkbox questions" do let(:case_log_form_params) do { id: case_log.id, 
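Review bot: The signed-out POST example sends `params: {}`, so it pins the redirect to `/users/sign-in` but not that a write is refused; it would pass unchanged with a payload that could never modify the record. Posting a realistic body and asserting the record is untouched covers that, e.g. `expect { post "/case-logs/#{case_log.id}/form", params: { case_log: { page: "person_1_age", age1: 20 } } }.not_to(change { case_log.reload.age1 })`. The cross-organisation POST in the following hunk (`post "/case-logs/#{unauthorized_case_log.id}/form", params: {}`) has the same shape and would benefit from the same assertion. Separately, the example under `context "valid answers"` keeps the title `"re-renders the same page with errors if validation fails"` while expecting `:redirect`; a title such as `"redirects to the next page"` would match what it checks. The `describe "Submit Form"` block continues past the end of this hunk.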
@@ -159,96 +134,140 @@ RSpec.describe FormController, type: :request do %w[ housingneeds_a housingneeds_b housingneeds_c], - tenant_code: tenant_code, }, } end - let(:questions_for_page) do - [ - Form::Question.new( - "accessibility_requirements", - { - "type" => "checkbox", - "answer_options" => - { "housingneeds_a" => "Fully wheelchair accessible housing", - "housingneeds_b" => "Wheelchair access to essential rooms", - "housingneeds_c" => "Level access housing", - "housingneeds_f" => "Other disability requirements", - "housingneeds_g" => "No disability requirements", - "divider_a" => true, - "housingneeds_h" => "Do not know", - "divider_b" => true, - "accessibility_requirements_prefer_not_to_say" => "Prefer not to say" }, - }, nil - ), - Form::Question.new("tenant_code", { "type" => "text" }, nil), - ] - end - - it "updates both question fields" do - allow_any_instance_of(Form::Page).to receive(:expected_responses).and_return(questions_for_page) + + let(:new_case_log_form_params) do + { + id: case_log.id, + case_log: { + page: "accessibility_requirements", + accessibility_requirements: %w[housingneeds_c], + }, + } + end + + it "sets checked items to true" do post "/case-logs/#{case_log.id}/form", params: case_log_form_params case_log.reload expect(case_log.housingneeds_a).to eq("Yes") expect(case_log.housingneeds_b).to eq("Yes") expect(case_log.housingneeds_c).to eq("Yes") - expect(case_log.tenant_code).to eq(tenant_code) end - end - end - context "conditional routing" do - before do - allow_any_instance_of(CaseLogValidator).to receive(:validate_pregnancy).and_return(true) - end + it "sets previously submitted items to false when resubmitted with new values" do + post "/case-logs/#{case_log.id}/form", params: new_case_log_form_params + case_log.reload - let(:case_log_form_conditional_question_yes_params) do - { - id: case_log.id, - case_log: { - page: "conditional_question", - preg_occ: "Yes", - }, - } - end + expect(case_log.housingneeds_a).to eq("No") + 
expect(case_log.housingneeds_b).to eq("No") + expect(case_log.housingneeds_c).to eq("Yes") + end - let(:case_log_form_conditional_question_no_params) do - { - id: case_log.id, - case_log: { - page: "conditional_question", - preg_occ: "No", - }, - } - end + context "given a page with checkbox and non-checkbox questions" do + let(:tenant_code) { "BZ355" } + let(:case_log_form_params) do + { + id: case_log.id, + case_log: { + page: "accessibility_requirements", + accessibility_requirements: + %w[ housingneeds_a + housingneeds_b + housingneeds_c], + tenant_code: tenant_code, + }, + } + end + let(:questions_for_page) do + [ + Form::Question.new( + "accessibility_requirements", + { + "type" => "checkbox", + "answer_options" => + { "housingneeds_a" => "Fully wheelchair accessible housing", + "housingneeds_b" => "Wheelchair access to essential rooms", + "housingneeds_c" => "Level access housing", + "housingneeds_f" => "Other disability requirements", + "housingneeds_g" => "No disability requirements", + "divider_a" => true, + "housingneeds_h" => "Do not know", + "divider_b" => true, + "accessibility_requirements_prefer_not_to_say" => "Prefer not to say" }, + }, nil + ), + Form::Question.new("tenant_code", { "type" => "text" }, nil), + ] + end - it "routes to the appropriate conditional page based on the question answer of the current page" do - post "/case-logs/#{case_log.id}/form", params: case_log_form_conditional_question_yes_params - expect(response).to redirect_to("/case-logs/#{case_log.id}/conditional-question-yes-page") + it "updates both question fields" do + allow_any_instance_of(Form::Page).to receive(:expected_responses).and_return(questions_for_page) + post "/case-logs/#{case_log.id}/form", params: case_log_form_params + case_log.reload - post "/case-logs/#{case_log.id}/form", params: case_log_form_conditional_question_no_params - expect(response).to redirect_to("/case-logs/#{case_log.id}/conditional-question-no-page") + expect(case_log.housingneeds_a).to 
eq("Yes") + expect(case_log.housingneeds_b).to eq("Yes") + expect(case_log.housingneeds_c).to eq("Yes") + expect(case_log.tenant_code).to eq(tenant_code) + end + end end - end - context "case logs that are not owned or managed by your organisation" do - let(:answer) { 25 } - let(:other_organisation) { FactoryBot.create(:organisation) } - let(:unauthorized_case_log) do - FactoryBot.create( - :case_log, - owning_organisation: other_organisation, - managing_organisation: other_organisation, - ) - end + context "conditional routing" do + before do + allow_any_instance_of(CaseLogValidator).to receive(:validate_pregnancy).and_return(true) + end - before do - post "/case-logs/#{unauthorized_case_log.id}/form", params: {} + let(:case_log_form_conditional_question_yes_params) do + { + id: case_log.id, + case_log: { + page: "conditional_question", + preg_occ: "Yes", + }, + } + end + + let(:case_log_form_conditional_question_no_params) do + { + id: case_log.id, + case_log: { + page: "conditional_question", + preg_occ: "No", + }, + } + end + + it "routes to the appropriate conditional page based on the question answer of the current page" do + post "/case-logs/#{case_log.id}/form", params: case_log_form_conditional_question_yes_params + expect(response).to redirect_to("/case-logs/#{case_log.id}/conditional-question-yes-page") + + post "/case-logs/#{case_log.id}/form", params: case_log_form_conditional_question_no_params + expect(response).to redirect_to("/case-logs/#{case_log.id}/conditional-question-no-page") + end end - it "does not let you post form answers to case logs you don't have access to" do - expect(response).to have_http_status(:not_found) + context "case logs that are not owned or managed by your organisation" do + let(:answer) { 25 } + let(:other_organisation) { FactoryBot.create(:organisation) } + let(:unauthorized_case_log) do + FactoryBot.create( + :case_log, + owning_organisation: other_organisation, + managing_organisation: other_organisation, + ) + end + + 
before do + post "/case-logs/#{unauthorized_case_log.id}/form", params: {} + end + + it "does not let you post form answers to case logs you don't have access to" do + expect(response).to have_http_status(:not_found) + end end end end
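Review bot: The final `context "case logs that are not owned or managed by your organisation"` defines its own `other_organisation` and `unauthorized_case_log`, while the GET examples in the previous hunk use an `unauthorized_case_log` that presumably comes from an outer `let` not shown in this diff. If the two definitions are equivalent, dropping the inner ones makes the GET and POST access-control examples run against the same fixture; if they differ on purpose, a short comment saying why would prevent the two drifting apart. `let(:answer) { 25 }` in the same context is never read, because the request is sent with `params: {}`, and can be removed.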