From 235a5aadb350f380702538a56dbe74f4dbb7a56b Mon Sep 17 00:00:00 2001
From: vacabor <166112501+vacabor@users.noreply.github.com>
Date: Fri, 4 Oct 2024 10:05:07 +0100
Subject: [PATCH] [LUPEYALPHA-1109] Bug: Clear the employee-email slug on form failure so it is not bypassed (#3253)

---
 app/controllers/claims_form_callbacks.rb | 5 ++
 .../authenticated/employee_email_spec.rb | 75 +++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 spec/features/early_years_payment/provider/authenticated/employee_email_spec.rb

diff --git a/app/controllers/claims_form_callbacks.rb b/app/controllers/claims_form_callbacks.rb
index 3634ba3c16..356a54218c 100644
--- a/app/controllers/claims_form_callbacks.rb
+++ b/app/controllers/claims_form_callbacks.rb
@@ -64,6 +64,11 @@ def check_your_answers_after_form_save_success
     create_and_save_claim_form
   end
 
+  def employee_email_after_form_save_failure
+    session[:slugs].delete("employee-email")
+    render_template_for_current_slug
+  end
+
   private
 
   def set_backlink_override_to_current_slug
diff --git a/spec/features/early_years_payment/provider/authenticated/employee_email_spec.rb b/spec/features/early_years_payment/provider/authenticated/employee_email_spec.rb
new file mode 100644
index 0000000000..e03b088d19
--- /dev/null
+++ b/spec/features/early_years_payment/provider/authenticated/employee_email_spec.rb
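Review bot: The new employee_email_after_form_save_failure callback fixes the bypass for one slug only; if "employee-email" ends up in session[:slugs] before the form save is known to have succeeded (which the need for this callback suggests), every other slug recorded by the same mechanism can presumably be skipped the same way after a failed submission, so the generic failure path is the better place for this cleanup — worth confirming against the slug-recording code, which is outside this hunk. The method also assumes session[:slugs] is already an Array; `session[:slugs]&.delete("employee-email")` would keep a direct or replayed request without that key from raising. A why-comment would help the next reader, e.g. `# A failed save must not leave "employee-email" marked as visited, or the step could be skipped by navigating past it.` The enclosing class starts and ends outside the hunk.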
@@ -0,0 +1,75 @@
+require "rails_helper"
+
+RSpec.feature "Early years payment provider" do
+  let(:email_address) { "johndoe@example.com" }
+  let(:journey_session) { Journeys::EarlyYearsPayment::Provider::Authenticated::Session.last }
+  let(:mail) { ActionMailer::Base.deliveries.last }
+  let(:magic_link) { mail[:personalisation].unparsed_value[:magic_link] }
+  let!(:nursery) { create(:eligible_ey_provider, primary_key_contact_email_address: email_address) }
+
+  scenario "preventing the user from bypassing employee email" do
+    when_early_years_payment_provider_authenticated_journey_configuration_exists
+    when_early_years_payment_provider_start_journey_completed
+
+    visit magic_link
+    expect(journey_session.reload.answers.email_address).to eq email_address
+    expect(journey_session.reload.answers.email_verified).to be true
+    expect(page).to have_content("Declaration of Employee Consent")
+    expect(page.current_path).to eq "/early-years-payment-provider/consent"
+    check "I confirm that I have obtained consent from my employee and have provided them with the relevant privacy notice."
+    click_button "Continue"
+
+    expect(page.current_path).to eq "/early-years-payment-provider/current-nursery"
+    choose nursery.nursery_name
+    click_button "Continue"
+
+    expect(page.current_path).to eq "/early-years-payment-provider/paye-reference"
+    expect(page).to have_content("What is #{nursery.nursery_name}’s employer PAYE reference?")
+    fill_in "claim-paye-reference-field", with: "123/123456SE90"
+    click_button "Continue"
+
+    expect(page.current_path).to eq "/early-years-payment-provider/claimant-name"
+    fill_in "First name", with: "Bobby"
+    fill_in "Last name", with: "Bobberson"
+    click_button "Continue"
+
+    expect(page.current_path).to eq "/early-years-payment-provider/start-date"
+    date = Date.yesterday
+    fill_in("Day", with: date.day)
+    fill_in("Month", with: date.month)
+    fill_in("Year", with: date.year)
+    click_button "Continue"
+
+    expect(page.current_path).to eq "/early-years-payment-provider/child-facing"
+    choose "Yes"
+    click_button "Continue"
+
+    expect(page.current_path).to eq "/early-years-payment-provider/returner"
+    choose "Yes"
+    click_button "Continue"
+
+    expect(page.current_path).to eq "/early-years-payment-provider/returner-worked-with-children"
+    choose "Yes"
+    click_button "Continue"
+
+    expect(page.current_path).to eq "/early-years-payment-provider/returner-contract-type"
+    choose "casual or temporary"
+    click_button "Continue"
+
+    expect(page.current_path).to eq "/early-years-payment-provider/employee-email"
+    click_button "Continue"
+    expect(page).to have_content("Error: Enter a valid email address")
+
+    click_link "Back"
+    expect(page.current_path).to eq "/early-years-payment-provider/returner-contract-type"
+    choose "voluntary or unpaid"
+    click_button "Continue"
+
+    expect(page.current_path).to eq "/early-years-payment-provider/employee-email"
+    fill_in "claim-practitioner-email-address-field", with: "practitioner@example.com"
+    click_button "Continue"
+
+    expect(page.current_path).to eq "/early-years-payment-provider/check-your-answers"
+    expect(page).to have_content("Check your answers before submitting this claim")
+  end
+end
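Review bot: The path assertions throughout the scenario use `expect(page.current_path).to eq "..."`, which reads the path once and does not wait for the browser to finish navigating, so the spec can fail intermittently under a JS driver; Capybara's matcher, `expect(page).to have_current_path("/early-years-payment-provider/employee-email")`, retries until the path matches. The scenario only proves the regression indirectly — after "Back" and "Continue" the journey lands on employee-email rather than check-your-answers — so a second, shorter assertion that a direct `visit "/early-years-payment-provider/check-your-answers"` after the failed submission does not show "Check your answers before submitting this claim" would pin the bypass itself. The first nine steps are presumably shared with other provider journey specs and could live in a helper alongside the existing when_early_years_payment_provider_* helpers.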