diff --git a/app/controllers/system_admin/applicants_controller.rb b/app/controllers/system_admin/applicants_controller.rb
index ac7da700..86944e00 100644
--- a/app/controllers/system_admin/applicants_controller.rb
+++ b/app/controllers/system_admin/applicants_controller.rb
@@ -4,6 +4,7 @@ module SystemAdmin
   class ApplicantsController < AdminController
     default_form_builder GOVUKDesignSystemFormBuilder::FormBuilder
 
+    before_action :check_user_roles
     before_action :find_applicant, only: %i[show edit update]
 
     include Pagy::Backend
@@ -62,5 +63,11 @@ def find_applicant
       @application = @applicant.application
       @progress = @application.application_progress
     end
+
+    def check_user_roles
+      unless current_user.has_role?(:servant)
+        redirect_to(root_path, alert: t("errors.access_denied"))
+      end
+    end
   end
 end
diff --git a/app/controllers/system_admin/reports_controller.rb b/app/controllers/system_admin/reports_controller.rb
index c7b51a29..830ca9f3 100644
--- a/app/controllers/system_admin/reports_controller.rb
+++ b/app/controllers/system_admin/reports_controller.rb
@@ -1,5 +1,7 @@
 module SystemAdmin
   class ReportsController < AdminController
+    before_action :check_user_roles
+
     def index; end
 
     def show
@@ -14,5 +16,18 @@ def show
     def report_params
       params.permit(:id, :status)
     end
+
+    def check_user_roles
+      case params[:id]
+      when "home_office", "standing_data", "payroll"
+        unless current_user.has_role?(:manager)
+          redirect_to(root_path, alert: t("errors.access_denied"))
+        end
+      when "applications", "qa"
+        unless current_user.has_role?(:admin)
+          redirect_to(root_path, alert: t("errors.access_denied"))
+        end
+      end
+    end
   end
 end
diff --git a/app/views/layouts/admin.html.erb b/app/views/layouts/admin.html.erb
index 55b7347c..5418ed4a 100644
--- a/app/views/layouts/admin.html.erb
+++ b/app/views/layouts/admin.html.erb
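Review bot: `check_user_roles` admits only holders of the `:servant` role, so a user who holds `:admin` but not `:servant` is redirected away from every applicants action; the open_close_spec hunk in this same diff signs in with only `:admin` and then visits `applicants_path` expecting "Applications", which only passes if the root page also shows that text or `:admin` implies `:servant` somewhere not visible here — worth confirming before merge. The method also carries no statement of its contract; I would add `# Applicants pages are for the :servant role only; anyone else is bounced to root with an access-denied flash.` above `def check_user_roles`. The check relies on `current_user` already being authenticated by `AdminController`, which is outside this hunk.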
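Review bot: The new `case params[:id]` in `check_user_roles` has no `else` branch, so `show` with any unrecognised `id`, and `index` (which has no `id` at all), fall through with no redirect — the guard is allow-by-default for everything it does not name. An authorization guard should deny by default: map the known report ids to the role they require, treat an unknown id as denied, and decide explicitly which roles may see `index` (the layout hunk shows the Reports link only to `:manager`, while the index view gates two of the downloads on `:admin`, so the sketch below admits both — adjust if that is not the intent). `show`'s body is outside this hunk, so what it currently does with an unknown id is not visible here.
```ruby
    # Role required to download each report id; anything not listed is denied.
    REPORT_ROLES = {
      "home_office" => :manager,
      "standing_data" => :manager,
      "payroll" => :manager,
      "applications" => :admin,
      "qa" => :admin,
    }.freeze

    # … unchanged: index, show, report_params …

    def check_user_roles
      allowed =
        if action_name == "index"
          current_user.has_role?(:manager) || current_user.has_role?(:admin)
        else
          required = REPORT_ROLES[params[:id]]
          # nil for an unknown id: deny rather than fall through
          required.present? && current_user.has_role?(required)
        end
      redirect_to(root_path, alert: t("errors.access_denied")) unless allowed
    end
```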
@@ -31,13 +31,14 @@ Skip to main content <%= govuk_header(service_name: "International relocation payment application management") do |header| %> - <%= header.with_navigation_item(text: "Applicants", href: applicants_path, active: request.path.include?('system-admin/applicants') ) %> - <%= header.with_navigation_item(text: "Duplicates", href: duplicates_path, active: request.path.include?('system-admin/duplicates') ) %> - <%= header.with_navigation_item(text: "Reports", href: reports_path, active: request.path.include?('/system-admin/reports')) %> - <%= header.with_navigation_item(text: "Dashboard", href: dashboard_path, active: request.path.include?('/system-admin/dashboard') ) %> - <%= header.with_navigation_item(text: "Users", href: users_path, active: request.path.include?('/system-admin/users') ) %> - <%= header.with_navigation_item(text: "Settings", href: edit_settings_path, active: request.path.include?('/system-admin/settings')) %> - <%= header.with_navigation_item(text: "Audits", href: audits_path, active: request.path.include?('/system-admin/audits')) %> + <%= header.with_navigation_item(text: "Applicants", href: applicants_path, active: request.path.include?('system-admin/applicants')) if current_user.has_role?(:servant) %> + <%= header.with_navigation_item(text: "Duplicates", href: duplicates_path, active: request.path.include?('system-admin/duplicates')) if current_user.has_role?(:servant) %> + <%= header.with_navigation_item(text: "Reports", href: reports_path, active: request.path.include?('/system-admin/reports')) if current_user.has_role?(:manager) %> + <%= header.with_navigation_item(text: "Dashboard", href: dashboard_path, active: request.path.include?('/system-admin/dashboard')) if current_user.has_role?(:spectator) %> + <%= header.with_navigation_item(text: "Users", href: users_path, active: request.path.include?('/system-admin/users')) if current_user.has_role?(:admin) %> + <%= header.with_navigation_item(text: "Settings", href: 
edit_settings_path, active: request.path.include?('/system-admin/settings')) if current_user.has_role?(:admin) %> + <%= header.with_navigation_item(text: "Audits", href: audits_path, active: request.path.include?('/system-admin/audits')) if current_user.has_role?(:admin) %> + <%= header.with_navigation_item(text: "Feature Flags", href: '/system_admin/features') if current_user.has_role?(:super_admin) %> <%= header.with_navigation_item(text: "Logout", href: destroy_user_session_path, active: false) %> <% end %> diff --git a/app/views/system_admin/reports/index.html.erb b/app/views/system_admin/reports/index.html.erb index 5e78d0f7..312872db 100644 --- a/app/views/system_admin/reports/index.html.erb +++ b/app/views/system_admin/reports/index.html.erb @@ -29,32 +29,34 @@
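Review bot: Hiding the Duplicates, Dashboard, Users, Settings, Audits and Feature Flags links by role is presentation only; in this diff only the applicants and reports controllers gain a role `before_action`, so unless the controllers behind those other paths already enforce the same roles (not visible here), any signed-in admin-console user can still reach them by typing the URL. Each of them needs the matching server-side check, e.g. `before_action { redirect_to(root_path, alert: t("errors.access_denied")) unless current_user.has_role?(:admin) }`, or better a shared helper in `AdminController` that takes the role so the five copies cannot drift. Separately, the new Feature Flags item hard-codes `'/system_admin/features'` while every other item uses a route helper and a `system-admin/...` path, and it has no `active:` flag; confirm the mount path is really underscored and consider a route helper for consistency.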

-
-

Applications Data report

-

- Download a CSV file of all applications -

-

- <%= link_to "Download", report_path(:applications), class: "govuk-button" %> -

-
+<% if current_user.has_role?(:admin) %> +
+

Applications Data report

+

+ Download a CSV file of all applications +

+

+ <%= link_to "Download", report_path(:applications), class: "govuk-button" %> +

+
-
-

QA reports

-

- Download a QA CSV file -

-

+

+

QA reports

+

+ Download a QA CSV file +

+

- <%= form_with(url: report_path(:qa), method: :get) do |f| %> -

-
- <%= f.govuk_select :status, application_statuses_options, label: { text: "Filter by application status" } %> -
-
- <%= f.govuk_submit 'Download', class: "govuk-button"%> -
-
- <% end %> -

-
+ <%= form_with(url: report_path(:qa), method: :get) do |f| %> +
+
+ <%= f.govuk_select :status, application_statuses_options, label: { text: "Filter by application status" } %> +
+
+ <%= f.govuk_submit 'Download', class: "govuk-button"%> +
+
+ <% end %> +

+
+<% end %>
diff --git a/config/initializers/flipper.rb b/config/initializers/flipper.rb
index b75f9716..83241525 100644
--- a/config/initializers/flipper.rb
+++ b/config/initializers/flipper.rb
@@ -4,3 +4,10 @@ def self.matches?(request)
     current_user.present?
   end
 end
+
+Flipper::UI.configure do |config|
+  config.banner_text = "#{Rails.env.capitalize} Environment"
+  config.banner_class = Rails.env.production? ? "danger" : "warning"
+  config.cloud_recommendation = false
+  config.fun = false
+end
diff --git a/config/locales/en.yml b/config/locales/en.yml
index b7f6cb3d..78ead4b5 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -48,3 +48,5 @@ en:
       success: 'User was successfully removed.'
     omniauth_callbacks:
       no_account: 'You have not yet an account!'
+  errors:
+    access_denied: 'You do not have permission to access this page'
diff --git a/db/seeds.rb b/db/seeds.rb
index d8145132..7ab5ef2b 100644
--- a/db/seeds.rb
+++ b/db/seeds.rb
@@ -27,5 +27,13 @@
   service_end_date: 1.year.from_now,
 )
 
+Role::ROLES_LIST.each do |role_name|
+  Role.find_or_create_by(name: role_name)
+end
+
 local_user_email = ENV.fetch("LOCAL_USER_EMAIL", nil)
-User.create!(email: local_user_email) if local_user_email
+if local_user_email
+  user = User.create!(email: local_user_email)
+  user.roles = Role.all
+  user.save!
+end
diff --git a/spec/features/admin_console/applications_list_spec.rb b/spec/features/admin_console/applications_list_spec.rb
index 85a51dee..bcf5fbfe 100644
--- a/spec/features/admin_console/applications_list_spec.rb
+++ b/spec/features/admin_console/applications_list_spec.rb
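Review bot: Wrapping only the Applications and QA sections in `if current_user.has_role?(:admin)` leaves the Home Office, Standing Data and Payroll download links above this hunk ungated in the view, while ReportsController now redirects non-managers who follow them; an `:admin`-only user who reaches this page would see buttons that only produce the access-denied flash. If those links are still rendered unconditionally (they are outside the hunk, so I cannot confirm), wrap them in `<% if current_user.has_role?(:manager) %> … <% end %>` the same way so the view and the controller agree.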
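Review bot: The route constraint visible as context here, `def self.matches?(request)` returning `current_user.present?`, still lets any signed-in user open the Flipper UI, so the `:super_admin` gate added to the Feature Flags link in the layout is cosmetic and the flag console stays reachable at its URL. Tighten the constraint to the role as well, `current_user.present? && current_user.has_role?(:super_admin)`, assuming `current_user` in this class resolves to the same `User` record (the class body starts outside the hunk). The added `Flipper::UI.configure` block only changes banner text and cosmetics and does not affect access.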
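Review bot: The seeded local user is granted `Role.all`, which after the new `ROLES_LIST` loop includes every role up to `super_admin`, and nothing here restricts that to a development database — the seed runs wherever `LOCAL_USER_EMAIL` happens to be set. Guard the grant, e.g. `if local_user_email && !Rails.env.production?`, or at least put a comment above the block saying the variable must never be set in deployed environments. `User.create!(email: local_user_email, roles: Role.all)` would also collapse the create/assign/save! sequence into one statement, assuming `roles` is a plain association writer.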
@@ -7,21 +7,21 @@ it "shows the correct columns" do given_there_are_few_applications - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:servant) when_i_am_in_the_applications_list_page then_i_can_see_the_correct_columns end it "shows the pagination" do given_there_are_few_applications - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:servant) when_i_am_in_the_applications_list_page then_i_can_see_the_pagination end it "allows searching" do given_there_are_few_applications - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:servant) when_i_am_in_the_applications_list_page then_i_can_see_the_search_form then_i_can_search_by_urn @@ -29,14 +29,14 @@ it "highlights applications that breached SLA" do given_there_is_an_application_that_breached_sla - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:servant) when_i_am_in_the_applications_list_page then_i_can_see_the_application_is_highlighted end it "allows filtering by status" do given_there_are_applications_with_different_dates - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:servant) when_i_am_in_the_applications_list_page then_i_can_see_the_status_filter_form then_i_can_filter_by_status @@ -44,14 +44,14 @@ it "displays timestamps correctly" do given_there_is_an_application_with_all_dates - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:servant) when_i_am_in_the_applications_list_page then_i_can_see_correct_timestamps end it "allows filtering by breached SLA" do given_there_is_an_application_that_breached_sla - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:servant) when_i_am_in_the_applications_list_page then_i_can_see_the_sla_filter_form then_i_can_filter_by_sla_breach diff --git a/spec/features/admin_console/dashboard_spec.rb b/spec/features/admin_console/dashboard_spec.rb index 67247c5e..7c046158 100644 --- a/spec/features/admin_console/dashboard_spec.rb +++ b/spec/features/admin_console/dashboard_spec.rb 
@@ -7,105 +7,105 @@ it "shows the Total Applications widget" do given_there_are_5_applications - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_applications_widget end it "shows the Total Rejections widget" do given_there_are_rejected_applications - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_total_rejections_widget end it "shows the Average Age widget" do given_there_are_3_applicants_with_ages - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_average_age_widget end it "shows the Total Paid widget" do given_there_are_paid_applications - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_total_paid_widget end it "shows the Route Breakdown widget" do given_there_are_few_applications - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_route_breakdown_widget end it "shows the Subject Breakdown widget" do given_there_are_few_applications - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_subject_breakdown_widget end it "shows the Visa Breakdown widget" do given_there_are_few_applications_with_visas - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_visa_breakdown_widget end it "shows the Nationalities Breakdown widget" do given_there_are_few_applications_with_nationalities - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_nationalities_breakdown_widget end it "shows the Gender Breakdown widget" do given_there_are_few_applications - given_i_am_signed_as_an_admin + 
given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_gender_breakdown_widget end it "shows the Rejection Reason Breakdown widget" do given_there_are_applications_with_rejection_reasons - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_rejection_reason_breakdown_widget end it "shows the Initial Checks Approval time widget" do given_there_are_applications_with_initial_checks - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_initial_checks_approval_average_time_widget end it "shows the Home Office Checks Approval time widget" do given_there_are_applications_with_home_office_checks - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_home_office_checks_time_widget end it "shows the School Checks Approval time widget" do given_there_are_applications_with_school_checks - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_school_checks_time_widget end it "shows the Banking Approval time widget" do given_there_are_applications_with_banking_approval - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_banking_approval_completed_time_widget end it "shows the Payment Confirmation time widget" do given_there_are_applications_with_payment_confirmation - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:spectator) when_i_am_in_the_dashboard_page then_i_can_see_the_payment_confirmation_time_widget end diff --git a/spec/features/admin_console/duplicates_search_spec.rb b/spec/features/admin_console/duplicates_search_spec.rb index c4f64ce3..d786d3c0 100644 --- a/spec/features/admin_console/duplicates_search_spec.rb +++ b/spec/features/admin_console/duplicates_search_spec.rb 
@@ -17,19 +17,19 @@ end it "Admin can search for duplicates by email" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:servant) when_i_search_for_a_duplicate_by("email") then_i_see_matching_duplicates end it "Admin can search for duplicates by phone number" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:servant) when_i_search_for_a_duplicate_by("phone number") then_i_see_matching_duplicates_by_phone_number end it "Admin can search for duplicates by passport number" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:servant) when_i_search_for_a_duplicate_by("passport number") then_i_see_matching_duplicates_by_passport_number end diff --git a/spec/features/admin_console/reports_spec.rb b/spec/features/admin_console/reports_spec.rb index 2db39a78..7463dced 100644 --- a/spec/features/admin_console/reports_spec.rb +++ b/spec/features/admin_console/reports_spec.rb @@ -6,7 +6,7 @@ include AdminHelpers it "exports Home Office CSV" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:manager) when_i_am_in_the_reports_page and_i_click_on_the_home_office_csv_link @@ -14,7 +14,7 @@ end it "exports Standing Data CSV" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:manager) when_i_am_in_the_reports_page and_i_click_on_the_standing_data_csv_link @@ -22,7 +22,7 @@ end it "exports Payroll Data CSV" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:manager) when_i_am_in_the_reports_page and_i_click_on_the_payroll_data_csv_link @@ -30,7 +30,7 @@ end it "exports Application CSV" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:admin) when_i_am_in_the_reports_page and_i_click_on_the_applications_csv_link @@ -38,7 +38,7 @@ end it "exports Qa report CSV" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:admin) when_i_am_in_the_reports_page and_i_click_on_the_qa_report_csv_button 
diff --git a/spec/features/admin_console/settings_spec.rb b/spec/features/admin_console/settings_spec.rb index 6628d64d..6c48621c 100644 --- a/spec/features/admin_console/settings_spec.rb +++ b/spec/features/admin_console/settings_spec.rb @@ -7,13 +7,13 @@ include_context "with common application form steps" it "shows the app_settings page" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:admin) when_i_visit_the_settings_page then_i_should_see_the_settings_page end it "updates the app_settings page" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:admin) when_i_visit_the_settings_page and_i_update_the_settings_page then_i_should_see_the_settings_updated diff --git a/spec/features/admin_console/update_progress_spec.rb b/spec/features/admin_console/update_progress_spec.rb index 4a2b8c40..fe19d855 100644 --- a/spec/features/admin_console/update_progress_spec.rb +++ b/spec/features/admin_console/update_progress_spec.rb @@ -5,7 +5,7 @@ let(:application) { create(:application) } it "validates the date fields" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:servant) given_i_am_on_the_edit_application_page when_i_submit_an_invalid_date then_i_see_an_error_message @@ -15,7 +15,7 @@ end it "validates the rejection reason and details fields" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:servant) given_i_am_on_the_edit_application_page when_i_submit_a_rejection_without_reason diff --git a/spec/features/admin_console/users_spec.rb b/spec/features/admin_console/users_spec.rb index 351bc1da..59dd4b38 100644 --- a/spec/features/admin_console/users_spec.rb +++ b/spec/features/admin_console/users_spec.rb 
@@ -7,27 +7,27 @@ it "List Users" do given_there_are_users - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:admin) when_i_am_in_the_users_page then_i_can_see_the_users_list end it "Create User" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:admin) when_i_am_in_the_users_page then_i_can_create_a_user end it "Update User" do given_there_are_users - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:admin) when_i_am_in_the_users_page then_i_can_update_a_user end it "Delete User" do given_there_are_users - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:admin) when_i_am_in_the_users_page then_i_can_delete_a_user end diff --git a/spec/features/open_close_spec.rb b/spec/features/open_close_spec.rb index 991df050..20b3a480 100644 --- a/spec/features/open_close_spec.rb +++ b/spec/features/open_close_spec.rb @@ -19,7 +19,7 @@ end it "allows the user access to the admin tool" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:admin) visit applicants_path expect(page).to have_text("Applications") @@ -38,7 +38,7 @@ end it "allows the user access to the admin tool" do - given_i_am_signed_as_an_admin + given_i_am_signed_with_role(:admin) visit applicants_path expect(page).to have_text("Applications") diff --git a/spec/support/admin_helpers.rb b/spec/support/admin_helpers.rb index bdad1b93..8990a0b0 100644 --- a/spec/support/admin_helpers.rb +++ b/spec/support/admin_helpers.rb @@ -1,5 +1,8 @@ module AdminHelpers - def given_i_am_signed_as_an_admin - sign_in create(:user) + def given_i_am_signed_with_role(role_name) + role = Role.find_or_create_by(name: role_name) + user = create(:user) + user.add_role(role.name) + sign_in user end end
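Review bot: Every spec touched by this diff asserts that a user holding the right role gets through, but none asserts that a user without it is redirected, so the new `check_user_roles` guards have no test pinning their denial path and removing a `before_action` would still pass this suite. Add at least one negative case per guarded controller, e.g. `given_i_am_signed_with_role(:spectator); visit applicants_path; expect(page).to have_text("You do not have permission to access this page")`. In `given_i_am_signed_with_role`, `Role.find_or_create_by(name: role_name)` will happily create a role name that is not in `Role::ROLES_LIST`, so a typo in a spec silently exercises a phantom role; consider asserting `Role::ROLES_LIST.include?(role_name.to_s)` first, or `find_or_create_by!` if the model validates the name (not visible here).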