Browse Source
* Scope auth for org pages * Scope user methods * Refactor form UI controller * More tests for access * Consistently return not found for scoped auth * Add ADR * Authenticate bulk uploads * Authenticate soft validations controller * Scope bulk upload to user's org for now * Pass through current user * Update docs/adr/adr-012-controller-http-return-statuses.md Co-authored-by: Dushan <47317567+dushan-madetech@users.noreply.github.com> * Update spec/requests/case_log_controller_spec.rb Co-authored-by: Dushan <47317567+dushan-madetech@users.noreply.github.com> Co-authored-by: Dushan <47317567+dushan-madetech@users.noreply.github.com>pull/147/head
baarkerlounger
3 years ago
committed by
GitHub
16 changed files with 832 additions and 565 deletions
@ -0,0 +1,83 @@ |
|||||||
|
class FormController < ApplicationController |
||||||
|
before_action :authenticate_user! |
||||||
|
before_action :find_resource, only: [:submit_form] |
||||||
|
before_action :find_resource_by_named_id, except: [:submit_form] |
||||||
|
|
||||||
|
def submit_form |
||||||
|
form = FormHandler.instance.get_form("2021_2022") |
||||||
|
if @case_log |
||||||
|
page = form.get_page(params[:case_log][:page]) |
||||||
|
responses_for_page = responses_for_page(page) |
||||||
|
if @case_log.update(responses_for_page) && @case_log.has_no_unresolved_soft_errors? |
||||||
|
redirect_path = form.next_page_redirect_path(page, @case_log) |
||||||
|
redirect_to(send(redirect_path, @case_log)) |
||||||
|
else |
||||||
|
subsection = form.subsection_for_page(page) |
||||||
|
render "form/page", locals: { form: form, page: page, subsection: subsection.label }, status: :unprocessable_entity |
||||||
|
end |
||||||
|
else |
||||||
|
render_not_found_html |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
def check_answers |
||||||
|
form = FormHandler.instance.get_form("2021_2022") |
||||||
|
if @case_log |
||||||
|
current_url = request.env["PATH_INFO"] |
||||||
|
subsection = form.get_subsection(current_url.split("/")[-2]) |
||||||
|
render "form/check_answers", locals: { subsection: subsection, form: form } |
||||||
|
else |
||||||
|
render_not_found_html |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
form = FormHandler.instance.get_form("2021_2022") |
||||||
|
form.pages.map do |page| |
||||||
|
define_method(page.id) do |_errors = {}| |
||||||
|
if @case_log |
||||||
|
subsection = form.subsection_for_page(page) |
||||||
|
render "form/page", locals: { form: form, page: page, subsection: subsection.label } |
||||||
|
else |
||||||
|
render_not_found_html |
||||||
|
end |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
private |
||||||
|
|
||||||
|
def responses_for_page(page) |
||||||
|
page.expected_responses.each_with_object({}) do |question, result| |
||||||
|
question_params = params["case_log"][question.id] |
||||||
|
if question.type == "date" |
||||||
|
day = params["case_log"]["#{question.id}(3i)"] |
||||||
|
month = params["case_log"]["#{question.id}(2i)"] |
||||||
|
year = params["case_log"]["#{question.id}(1i)"] |
||||||
|
next unless [day, month, year].any?(&:present?) |
||||||
|
|
||||||
|
result[question.id] = if day.to_i.between?(1, 31) && month.to_i.between?(1, 12) && year.to_i.between?(2000, 2200) |
||||||
|
Date.new(year.to_i, month.to_i, day.to_i) |
||||||
|
else |
||||||
|
Date.new(0, 1, 1) |
||||||
|
end |
||||||
|
end |
||||||
|
next unless question_params |
||||||
|
|
||||||
|
if %w[checkbox validation_override].include?(question.type) |
||||||
|
question.answer_options.keys.reject { |x| x.match(/divider/) }.each do |option| |
||||||
|
result[option] = question_params.include?(option) ? 1 : 0 |
||||||
|
end |
||||||
|
else |
||||||
|
result[question.id] = question_params |
||||||
|
end |
||||||
|
result |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
def find_resource |
||||||
|
@case_log = current_user.case_logs.find_by(id: params[:id]) |
||||||
|
end |
||||||
|
|
||||||
|
def find_resource_by_named_id |
||||||
|
@case_log = current_user.case_logs.find_by(id: params[:case_log_id]) |
||||||
|
end |
||||||
|
end |
@ -0,0 +1,15 @@ |
|||||||
|
### ADR - 012: Controller HTTP return statuses |
||||||
|
|
||||||
|
Controllers assess authentication by 3 criteria: |
||||||
|
|
||||||
|
1. Are you signed in at all? |
||||||
|
2. Are you signed in and requesting an action that your role/user type has access to? |
||||||
|
3. Are you signed in, requesting an action that your role/user type has access to and requesting a resource that your user has access to. |
||||||
|
|
||||||
|
When these aren't met they fail with the following response types: |
||||||
|
|
||||||
|
1. 401: Unauthorized. Redirect to sign-in page. |
||||||
|
2. 401: Unauthorized |
||||||
|
3. 404: Not found. |
||||||
|
|
||||||
|
This helps make it harder to determine whether a resource exists or not just by enumerating ids. |
@ -1,172 +0,0 @@ |
|||||||
require "rails_helper" |
|
||||||
|
|
||||||
RSpec.describe CaseLogsController, type: :controller do |
|
||||||
let(:valid_session) { {} } |
|
||||||
let(:user) { FactoryBot.create(:user) } |
|
||||||
let(:case_log) do |
|
||||||
FactoryBot.create( |
|
||||||
:case_log, |
|
||||||
owning_organisation: user.organisation, |
|
||||||
managing_organisation: user.organisation, |
|
||||||
) |
|
||||||
end |
|
||||||
let(:id) { case_log.id } |
|
||||||
|
|
||||||
before do |
|
||||||
sign_in user |
|
||||||
end |
|
||||||
|
|
||||||
context "Collection routes" do |
|
||||||
describe "GET #index" do |
|
||||||
it "returns a success response" do |
|
||||||
get :index, params: {}, session: valid_session |
|
||||||
expect(response).to be_successful |
|
||||||
end |
|
||||||
end |
|
||||||
|
|
||||||
describe "Post #create" do |
|
||||||
let(:owning_organisation) { FactoryBot.create(:organisation) } |
|
||||||
let(:managing_organisation) { owning_organisation } |
|
||||||
let(:params) do |
|
||||||
{ |
|
||||||
"owning_organisation_id": owning_organisation.id, |
|
||||||
"managing_organisation_id": managing_organisation.id, |
|
||||||
} |
|
||||||
end |
|
||||||
|
|
||||||
it "creates a new case log record" do |
|
||||||
expect { |
|
||||||
post :create, params: params, session: valid_session |
|
||||||
}.to change(CaseLog, :count).by(1) |
|
||||||
end |
|
||||||
|
|
||||||
it "redirects to that case log" do |
|
||||||
post :create, params: params, session: valid_session |
|
||||||
expect(response.status).to eq(302) |
|
||||||
end |
|
||||||
end |
|
||||||
end |
|
||||||
|
|
||||||
context "Instance routes" do |
|
||||||
describe "GET #show" do |
|
||||||
it "returns a success response" do |
|
||||||
get :show, params: { id: id } |
|
||||||
expect(response).to be_successful |
|
||||||
end |
|
||||||
end |
|
||||||
|
|
||||||
describe "GET #edit" do |
|
||||||
it "returns a success response" do |
|
||||||
get :edit, params: { id: id } |
|
||||||
expect(response).to be_successful |
|
||||||
end |
|
||||||
end |
|
||||||
end |
|
||||||
|
|
||||||
describe "submit_form" do |
|
||||||
let(:case_log_form_params) do |
|
||||||
{ accessibility_requirements: |
|
||||||
%w[ housingneeds_a |
|
||||||
housingneeds_b |
|
||||||
housingneeds_c], |
|
||||||
page: "accessibility_requirements" } |
|
||||||
end |
|
||||||
|
|
||||||
let(:new_case_log_form_params) do |
|
||||||
{ |
|
||||||
accessibility_requirements: %w[housingneeds_c], |
|
||||||
page: "accessibility_requirements", |
|
||||||
} |
|
||||||
end |
|
||||||
|
|
||||||
it "sets checked items to true" do |
|
||||||
post :submit_form, params: { id: id, case_log: case_log_form_params } |
|
||||||
case_log.reload |
|
||||||
|
|
||||||
expect(case_log.housingneeds_a).to eq("Yes") |
|
||||||
expect(case_log.housingneeds_b).to eq("Yes") |
|
||||||
expect(case_log.housingneeds_c).to eq("Yes") |
|
||||||
end |
|
||||||
|
|
||||||
it "sets previously submitted items to false when resubmitted with new values" do |
|
||||||
post :submit_form, params: { id: id, case_log: new_case_log_form_params } |
|
||||||
case_log.reload |
|
||||||
|
|
||||||
expect(case_log.housingneeds_a).to eq("No") |
|
||||||
expect(case_log.housingneeds_b).to eq("No") |
|
||||||
expect(case_log.housingneeds_c).to eq("Yes") |
|
||||||
end |
|
||||||
|
|
||||||
context "given a page with checkbox and non-checkbox questions" do |
|
||||||
let(:tenant_code) { "BZ355" } |
|
||||||
let(:case_log_form_params) do |
|
||||||
{ accessibility_requirements: |
|
||||||
%w[ housingneeds_a |
|
||||||
housingneeds_b |
|
||||||
housingneeds_c], |
|
||||||
tenant_code: tenant_code, |
|
||||||
page: "accessibility_requirements" } |
|
||||||
end |
|
||||||
let(:questions_for_page) do |
|
||||||
[ |
|
||||||
Form::Question.new( |
|
||||||
"accessibility_requirements", |
|
||||||
{ |
|
||||||
"type" => "checkbox", |
|
||||||
"answer_options" => |
|
||||||
{ "housingneeds_a" => "Fully wheelchair accessible housing", |
|
||||||
"housingneeds_b" => "Wheelchair access to essential rooms", |
|
||||||
"housingneeds_c" => "Level access housing", |
|
||||||
"housingneeds_f" => "Other disability requirements", |
|
||||||
"housingneeds_g" => "No disability requirements", |
|
||||||
"divider_a" => true, |
|
||||||
"housingneeds_h" => "Do not know", |
|
||||||
"divider_b" => true, |
|
||||||
"accessibility_requirements_prefer_not_to_say" => "Prefer not to say" }, |
|
||||||
}, nil |
|
||||||
), |
|
||||||
Form::Question.new("tenant_code", { "type" => "text" }, nil), |
|
||||||
] |
|
||||||
end |
|
||||||
|
|
||||||
it "updates both question fields" do |
|
||||||
allow_any_instance_of(Form::Page).to receive(:expected_responses).and_return(questions_for_page) |
|
||||||
post :submit_form, params: { id: id, case_log: case_log_form_params } |
|
||||||
case_log.reload |
|
||||||
|
|
||||||
expect(case_log.housingneeds_a).to eq("Yes") |
|
||||||
expect(case_log.housingneeds_b).to eq("Yes") |
|
||||||
expect(case_log.housingneeds_c).to eq("Yes") |
|
||||||
expect(case_log.tenant_code).to eq(tenant_code) |
|
||||||
end |
|
||||||
end |
|
||||||
|
|
||||||
context "conditional routing" do |
|
||||||
before do |
|
||||||
allow_any_instance_of(CaseLogValidator).to receive(:validate_pregnancy).and_return(true) |
|
||||||
end |
|
||||||
|
|
||||||
let(:case_log_form_conditional_question_yes_params) do |
|
||||||
{ |
|
||||||
preg_occ: "Yes", |
|
||||||
page: "conditional_question", |
|
||||||
} |
|
||||||
end |
|
||||||
|
|
||||||
let(:case_log_form_conditional_question_no_params) do |
|
||||||
{ |
|
||||||
preg_occ: "No", |
|
||||||
page: "conditional_question", |
|
||||||
} |
|
||||||
end |
|
||||||
|
|
||||||
it "routes to the appropriate conditional page based on the question answer of the current page" do |
|
||||||
post :submit_form, params: { id: id, case_log: case_log_form_conditional_question_yes_params } |
|
||||||
expect(response).to redirect_to("/case-logs/#{id}/conditional-question-yes-page") |
|
||||||
|
|
||||||
post :submit_form, params: { id: id, case_log: case_log_form_conditional_question_no_params } |
|
||||||
expect(response).to redirect_to("/case-logs/#{id}/conditional-question-no-page") |
|
||||||
end |
|
||||||
end |
|
||||||
end |
|
||||||
end |
|
@ -0,0 +1,278 @@ |
|||||||
|
require "rails_helper" |
||||||
|
|
||||||
|
RSpec.describe FormController, type: :request do |
||||||
|
let(:user) { FactoryBot.create(:user) } |
||||||
|
let(:organisation) { user.organisation } |
||||||
|
let(:other_organisation) { FactoryBot.create(:organisation) } |
||||||
|
let!(:case_log) do |
||||||
|
FactoryBot.create( |
||||||
|
:case_log, |
||||||
|
owning_organisation: organisation, |
||||||
|
managing_organisation: organisation, |
||||||
|
) |
||||||
|
end |
||||||
|
let!(:unauthorized_case_log) do |
||||||
|
FactoryBot.create( |
||||||
|
:case_log, |
||||||
|
owning_organisation: other_organisation, |
||||||
|
managing_organisation: other_organisation, |
||||||
|
) |
||||||
|
end |
||||||
|
let(:headers) { { "Accept" => "text/html" } } |
||||||
|
|
||||||
|
context "a not signed in user" do |
||||||
|
describe "GET" do |
||||||
|
it "does not let you get case logs pages you don't have access to" do |
||||||
|
get "/case-logs/#{case_log.id}/person-1-age", headers: headers, params: {} |
||||||
|
expect(response).to redirect_to("/users/sign-in") |
||||||
|
end |
||||||
|
|
||||||
|
it "does not let you get case log check answer pages you don't have access to" do |
||||||
|
get "/case-logs/#{case_log.id}/household-characteristics/check-answers", headers: headers, params: {} |
||||||
|
expect(response).to redirect_to("/users/sign-in") |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
describe "POST" do |
||||||
|
it "does not let you post form answers to case logs you don't have access to" do |
||||||
|
post "/case-logs/#{case_log.id}/form", params: {} |
||||||
|
expect(response).to redirect_to("/users/sign-in") |
||||||
|
end |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
context "a signed in user" do |
||||||
|
before do |
||||||
|
sign_in user |
||||||
|
end |
||||||
|
|
||||||
|
describe "GET" do |
||||||
|
context "form pages" do |
||||||
|
context "case logs that are not owned or managed by your organisation" do |
||||||
|
it "does not show form pages for case logs you don't have access to" do |
||||||
|
get "/case-logs/#{unauthorized_case_log.id}/person-1-age", headers: headers, params: {} |
||||||
|
expect(response).to have_http_status(:not_found) |
||||||
|
end |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
context "check answers pages" do |
||||||
|
context "case logs that are not owned or managed by your organisation" do |
||||||
|
it "does not show a check answers for case logs you don't have access to" do |
||||||
|
get "/case-logs/#{unauthorized_case_log.id}/household-characteristics/check-answers", headers: headers, params: {} |
||||||
|
expect(response).to have_http_status(:not_found) |
||||||
|
end |
||||||
|
end |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
describe "Submit Form" do |
||||||
|
context "a form page" do |
||||||
|
let(:user) { FactoryBot.create(:user) } |
||||||
|
let(:form) { Form.new("spec/fixtures/forms/test_form.json") } |
||||||
|
let(:organisation) { user.organisation } |
||||||
|
let(:case_log) do |
||||||
|
FactoryBot.create( |
||||||
|
:case_log, |
||||||
|
owning_organisation: organisation, |
||||||
|
managing_organisation: organisation, |
||||||
|
) |
||||||
|
end |
||||||
|
let(:page_id) { "person_1_age" } |
||||||
|
let(:params) do |
||||||
|
{ |
||||||
|
id: case_log.id, |
||||||
|
case_log: { |
||||||
|
page: page_id, |
||||||
|
age1: answer, |
||||||
|
}, |
||||||
|
} |
||||||
|
end |
||||||
|
|
||||||
|
before do |
||||||
|
allow(FormHandler.instance).to receive(:get_form).and_return(form) |
||||||
|
post "/case-logs/#{case_log.id}/form", params: params |
||||||
|
end |
||||||
|
|
||||||
|
context "invalid answers" do |
||||||
|
let(:answer) { 2000 } |
||||||
|
|
||||||
|
it "re-renders the same page with errors if validation fails" do |
||||||
|
expect(response).to have_http_status(:unprocessable_entity) |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
context "valid answers" do |
||||||
|
let(:answer) { 20 } |
||||||
|
|
||||||
|
it "re-renders the same page with errors if validation fails" do |
||||||
|
expect(response).to have_http_status(:redirect) |
||||||
|
end |
||||||
|
|
||||||
|
let(:params) do |
||||||
|
{ |
||||||
|
id: case_log.id, |
||||||
|
case_log: { |
||||||
|
page: page_id, |
||||||
|
age1: answer, |
||||||
|
age2: 2000, |
||||||
|
}, |
||||||
|
} |
||||||
|
end |
||||||
|
|
||||||
|
it "only updates answers that apply to the page being submitted" do |
||||||
|
case_log.reload |
||||||
|
expect(case_log.age1).to eq(answer) |
||||||
|
expect(case_log.age2).to be nil |
||||||
|
end |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
context "checkbox questions" do |
||||||
|
let(:case_log_form_params) do |
||||||
|
{ |
||||||
|
id: case_log.id, |
||||||
|
case_log: { |
||||||
|
page: "accessibility_requirements", |
||||||
|
accessibility_requirements: |
||||||
|
%w[ housingneeds_a |
||||||
|
housingneeds_b |
||||||
|
housingneeds_c], |
||||||
|
}, |
||||||
|
} |
||||||
|
end |
||||||
|
|
||||||
|
let(:new_case_log_form_params) do |
||||||
|
{ |
||||||
|
id: case_log.id, |
||||||
|
case_log: { |
||||||
|
page: "accessibility_requirements", |
||||||
|
accessibility_requirements: %w[housingneeds_c], |
||||||
|
}, |
||||||
|
} |
||||||
|
end |
||||||
|
|
||||||
|
it "sets checked items to true" do |
||||||
|
post "/case-logs/#{case_log.id}/form", params: case_log_form_params |
||||||
|
case_log.reload |
||||||
|
|
||||||
|
expect(case_log.housingneeds_a).to eq("Yes") |
||||||
|
expect(case_log.housingneeds_b).to eq("Yes") |
||||||
|
expect(case_log.housingneeds_c).to eq("Yes") |
||||||
|
end |
||||||
|
|
||||||
|
it "sets previously submitted items to false when resubmitted with new values" do |
||||||
|
post "/case-logs/#{case_log.id}/form", params: new_case_log_form_params |
||||||
|
case_log.reload |
||||||
|
|
||||||
|
expect(case_log.housingneeds_a).to eq("No") |
||||||
|
expect(case_log.housingneeds_b).to eq("No") |
||||||
|
expect(case_log.housingneeds_c).to eq("Yes") |
||||||
|
end |
||||||
|
|
||||||
|
context "given a page with checkbox and non-checkbox questions" do |
||||||
|
let(:tenant_code) { "BZ355" } |
||||||
|
let(:case_log_form_params) do |
||||||
|
{ |
||||||
|
id: case_log.id, |
||||||
|
case_log: { |
||||||
|
page: "accessibility_requirements", |
||||||
|
accessibility_requirements: |
||||||
|
%w[ housingneeds_a |
||||||
|
housingneeds_b |
||||||
|
housingneeds_c], |
||||||
|
tenant_code: tenant_code, |
||||||
|
}, |
||||||
|
} |
||||||
|
end |
||||||
|
let(:questions_for_page) do |
||||||
|
[ |
||||||
|
Form::Question.new( |
||||||
|
"accessibility_requirements", |
||||||
|
{ |
||||||
|
"type" => "checkbox", |
||||||
|
"answer_options" => |
||||||
|
{ "housingneeds_a" => "Fully wheelchair accessible housing", |
||||||
|
"housingneeds_b" => "Wheelchair access to essential rooms", |
||||||
|
"housingneeds_c" => "Level access housing", |
||||||
|
"housingneeds_f" => "Other disability requirements", |
||||||
|
"housingneeds_g" => "No disability requirements", |
||||||
|
"divider_a" => true, |
||||||
|
"housingneeds_h" => "Do not know", |
||||||
|
"divider_b" => true, |
||||||
|
"accessibility_requirements_prefer_not_to_say" => "Prefer not to say" }, |
||||||
|
}, nil |
||||||
|
), |
||||||
|
Form::Question.new("tenant_code", { "type" => "text" }, nil), |
||||||
|
] |
||||||
|
end |
||||||
|
|
||||||
|
it "updates both question fields" do |
||||||
|
allow_any_instance_of(Form::Page).to receive(:expected_responses).and_return(questions_for_page) |
||||||
|
post "/case-logs/#{case_log.id}/form", params: case_log_form_params |
||||||
|
case_log.reload |
||||||
|
|
||||||
|
expect(case_log.housingneeds_a).to eq("Yes") |
||||||
|
expect(case_log.housingneeds_b).to eq("Yes") |
||||||
|
expect(case_log.housingneeds_c).to eq("Yes") |
||||||
|
expect(case_log.tenant_code).to eq(tenant_code) |
||||||
|
end |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
context "conditional routing" do |
||||||
|
before do |
||||||
|
allow_any_instance_of(CaseLogValidator).to receive(:validate_pregnancy).and_return(true) |
||||||
|
end |
||||||
|
|
||||||
|
let(:case_log_form_conditional_question_yes_params) do |
||||||
|
{ |
||||||
|
id: case_log.id, |
||||||
|
case_log: { |
||||||
|
page: "conditional_question", |
||||||
|
preg_occ: "Yes", |
||||||
|
}, |
||||||
|
} |
||||||
|
end |
||||||
|
|
||||||
|
let(:case_log_form_conditional_question_no_params) do |
||||||
|
{ |
||||||
|
id: case_log.id, |
||||||
|
case_log: { |
||||||
|
page: "conditional_question", |
||||||
|
preg_occ: "No", |
||||||
|
}, |
||||||
|
} |
||||||
|
end |
||||||
|
|
||||||
|
it "routes to the appropriate conditional page based on the question answer of the current page" do |
||||||
|
post "/case-logs/#{case_log.id}/form", params: case_log_form_conditional_question_yes_params |
||||||
|
expect(response).to redirect_to("/case-logs/#{case_log.id}/conditional-question-yes-page") |
||||||
|
|
||||||
|
post "/case-logs/#{case_log.id}/form", params: case_log_form_conditional_question_no_params |
||||||
|
expect(response).to redirect_to("/case-logs/#{case_log.id}/conditional-question-no-page") |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
context "case logs that are not owned or managed by your organisation" do |
||||||
|
let(:answer) { 25 } |
||||||
|
let(:other_organisation) { FactoryBot.create(:organisation) } |
||||||
|
let(:unauthorized_case_log) do |
||||||
|
FactoryBot.create( |
||||||
|
:case_log, |
||||||
|
owning_organisation: other_organisation, |
||||||
|
managing_organisation: other_organisation, |
||||||
|
) |
||||||
|
end |
||||||
|
|
||||||
|
before do |
||||||
|
post "/case-logs/#{unauthorized_case_log.id}/form", params: {} |
||||||
|
end |
||||||
|
|
||||||
|
it "does not let you post form answers to case logs you don't have access to" do |
||||||
|
expect(response).to have_http_status(:not_found) |
||||||
|
end |
||||||
|
end |
||||||
|
end |
||||||
|
end |
||||||
|
end |
Loading…
Reference in new issue