require "rails_helper" RSpec.describe "User Features" do let!(:user) { FactoryBot.create(:user, last_sign_in_at: Time.zone.now) } let(:reset_password_template_id) { User::RESET_PASSWORD_TEMPLATE_ID } let(:notify_client) { instance_double(Notifications::Client) } let(:reset_password_token) { "MCDH5y6Km-U7CFPgAMVS" } let(:devise_notify_mailer) { DeviseNotifyMailer.new } before do allow(DeviseNotifyMailer).to receive(:new).and_return(devise_notify_mailer) allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client) allow(notify_client).to receive(:send_email).and_return(true) allow(Devise.token_generator).to receive(:generate).and_return(reset_password_token) end context "when the user navigates to case logs" do it " is required to log in" do visit("/logs") expect(page).to have_current_path("/account/sign-in") expect(page).to have_content("Sign in to your account to submit CORE data") end it "does not see the default devise error message" do visit("/logs") expect(page).to have_no_content("You need to sign in or sign up before continuing.") end it " is redirected to case logs after signing in" do visit("/logs") fill_in("user[email]", with: user.email) fill_in("user[password]", with: "pAssword1") click_button("Sign in") expect(page).to have_current_path("/logs") end it " can log out again", js: true do visit("/logs") fill_in("user[email]", with: user.email) fill_in("user[password]", with: "pAssword1") click_button("Sign in") click_link("Sign out") expect(page).to have_current_path("/") expect(page).to have_content("Start now") end it " can log out again with js disabled" do visit("/logs") fill_in("user[email]", with: user.email) fill_in("user[password]", with: "pAssword1") click_button("Sign in") click_link("Sign out") expect(page).to have_current_path("/") expect(page).to have_content("Start now") end end context "when the user has forgotten their password" do it " is redirected to the reset password page when they click the reset password link" do visit("/logs") click_link("reset your password") expect(page).to have_current_path("/account/password/new") end it " is shown an error message if they submit without entering an email address" do visit("/account/password/new") click_button("Send email") expect(page).to have_selector("#error-summary-title") expect(page).to have_selector("#user-email-field-error") expect(page).to have_title("Error") end it " is shown an error message if they submit an invalid email address" do visit("/account/password/new") fill_in("user[email]", with: "thisisn'tanemail") click_button("Send email") expect(page).to have_selector("#error-summary-title") expect(page).to have_selector("#user-email-field-error") expect(page).to have_title("Error") end it " is redirected to check your email page after submitting an email on the reset password page" do visit("/account/password/new") fill_in("user[email]", with: user.email) click_button("Send email") expect(page).to have_content("Check your email") end it " is shown their email on the password reset confirmation page" do visit("/account/password/new") fill_in("user[email]", with: user.email) click_button("Send email") expect(page).to have_content(user.email) end it " is shown the reset password confirmation page even if their email doesn't exist in the system" do visit("/account/password/new") fill_in("user[email]", with: "idontexist@example.com") click_button("Send email") expect(page).to have_current_path("/account/password/reset-confirmation?email=idontexist%40example.com") end it " is sent a reset password email via Notify" do expect(notify_client).to receive(:send_email).with( { email_address: user.email, template_id: reset_password_template_id, personalisation: { name: user.name, email: user.email, organisation: user.organisation.name, link: "http://localhost:3000/account/password/edit?reset_password_token=#{reset_password_token}", }, }, ) visit("/account/password/new") fill_in("user[email]", with: user.email) click_button("Send email") end end context "when the user is not logged in" do it "'Your account' link does not display" do visit("/logs") expect(page).to have_no_link("Your account") end it "Can navigate and sign in page with sign in button" do visit("/") expect(page).to have_link("Sign in") click_link("Sign in") fill_in("user[email]", with: user.email) fill_in("user[password]", with: "pAssword1") click_button("Sign in") expect(page).to have_current_path("/logs") end it "tries to access account page, redirects to log in page" do visit("/users/#{user.id}") expect(page).to have_content("Sign in to your account to submit CORE data") end end context "when the user is trying to log in with incorrect credentials" do it "shows a gov uk error summary and no flash message" do visit("/logs") fill_in("user[email]", with: user.email) fill_in("user[password]", with: "nonsense") click_button("Sign in") expect(page).to have_selector("#error-summary-title") expect(page).to have_no_css(".govuk-notification-banner.govuk-notification-banner--success") expect(page).to have_title("Error") end it "show specific field error messages if a field was omitted" do visit("/logs") click_button("Sign in") expect(page).to have_selector("#error-summary-title") expect(page).to have_selector("#user-email-field-error") expect(page).to have_selector("#user-password-field-error") expect(page).to have_title("Error") end it "show specific field error messages if an invalid email address is entered" do visit("/logs") fill_in("user[email]", with: "thisisn'tanemail") click_button("Sign in") expect(page).to have_selector("#error-summary-title") expect(page).to have_selector("#user-email-field-error") expect(page).to have_content(/Enter an email address in the correct format, like name@example.com/) expect(page).to have_title("Error") end end context "when signed in as a data provider" do context "when viewing your account" do before do visit("/logs") fill_in("user[email]", with: user.email) fill_in("user[password]", with: "pAssword1") click_button("Sign in") end it "does not have change links for dpo and key contact" do visit("/users/#{user.id}") expect(page).not_to have_selector('[data-qa="change-are-you-a-data-protection-officer"]') expect(page).not_to have_selector('[data-qa="change-are-you-a-key-contact"]') end it "does not have dpo and key contact as editable fields" do visit("/users/#{user.id}/edit") expect(page).not_to have_field("user[is_dpo]") expect(page).not_to have_field("user[is_key_contact]") end end end context "when signed in as a data coordinator" do let!(:user) { FactoryBot.create(:user, :data_coordinator, last_sign_in_at: Time.zone.now) } context "when viewing your account" do before do visit("/logs") fill_in("user[email]", with: user.email) fill_in("user[password]", with: "pAssword1") click_button("Sign in") end it "shows 'Your account' link in navigation if logged in and redirect to correct page" do visit("/logs") expect(page).to have_link("Your account") click_link("Your account") expect(page).to have_current_path("/users/#{user.id}") end it "can navigate to change your password page from main account page" do visit("/users/#{user.id}") find('[data-qa="change-password"]').click expect(page).to have_content("Change your password") fill_in("user[password]", with: "Password123!") fill_in("user[password_confirmation]", with: "Password123!") click_button("Update") expect(page).to have_current_path("/users/#{user.id}") end it "allow user to change name" do visit("/users/#{user.id}") find('[data-qa="change-name"]').click expect(page).to have_content("Change your personal details") fill_in("user[name]", with: "Test New") click_button("Save changes") expect(page).to have_current_path("/users/#{user.id}") expect(page).to have_content("Test New") end it "has dpo and key contact as editable fields" do visit("/users/#{user.id}") expect(page).to have_selector('[data-qa="change-are-you-a-data-protection-officer"]') expect(page).to have_selector('[data-qa="change-are-you-a-key-contact"]') end end context "when adding a new user" do before do visit("/logs") fill_in("user[email]", with: user.email) fill_in("user[password]", with: "pAssword1") click_button("Sign in") end it "validates an email has been provided" do visit("users/new") fill_in("user[name]", with: "New User") click_button("Continue") expect(page).to have_selector("#error-summary-title") expect(page).to have_selector("#user-email-field-error") expect(page).to have_content(/Enter an email address/) expect(page).to have_title("Error") end it "validates email" do visit("users/new") fill_in("user[name]", with: "New User") fill_in("user[email]", with: "thisis'tanemail") click_button("Continue") expect(page).to have_selector("#error-summary-title") expect(page).to have_selector("#user-email-field-error") expect(page).to have_content(/Enter an email address in the correct format, like name@example.com/) expect(page).to have_title("Error") end it "sets name, email, role, is_dpo and is_key_contact fields" do visit("users/new") fill_in("user[name]", with: "New User") fill_in("user[email]", with: "newuser@example.com") choose("user-role-data-provider-field") choose("user-is-dpo-true-field") choose("user-is-key-contact-true-field") click_button("Continue") expect(User.find_by( name: "New User", email: "newuser@example.com", role: "data_provider", is_dpo: true, is_key_contact: true, )).to be_a(User) end it "defaults to is_dpo false" do visit("users/new") expect(page).to have_field("user[is_dpo]", with: false) end end context "when editing someone elses account details" do let!(:user) { FactoryBot.create(:user, :data_coordinator, last_sign_in_at: Time.zone.now) } let!(:other_user) { FactoryBot.create(:user, name: "Other name", is_dpo: true, organisation: user.organisation) } before do visit("/logs") fill_in("user[email]", with: user.email) fill_in("user[password]", with: "pAssword1") click_button("Sign in") end it "allows updating other users details" do visit("/organisations/#{user.organisation.id}") click_link("Users") click_link(other_user.name) expect(page).to have_title("Other name’s account") first(:link, "Change").click expect(page).to have_field("user[is_dpo]", with: true) choose("user-is-dpo-field") choose("user-is-key-contact-true-field") fill_in("user[name]", with: "Updated new name") click_button("Save changes") expect(page).to have_title("Updated new name’s account") expect(User.find_by( name: "Updated new name", role: "data_provider", is_dpo: false, is_key_contact: true, )).to be_a(User) end end end end