User Role Restrictions

app/controllers/system_admin/applicants_controller.rb

@@ -4,6 +4,7 @@ module SystemAdmin
   class ApplicantsController < AdminController
     default_form_builder GOVUKDesignSystemFormBuilder::FormBuilder
 
+    before_action :check_user_roles
     before_action :find_applicant, only: %i[show edit update]
 
     include Pagy::Backend
@@ -62,5 +63,11 @@ def find_applicant
       @application = @applicant.application
       @progress = @application.application_progress
     end
+
+    def check_user_roles
+      unless current_user.has_role?(:servant)
+        redirect_to(root_path, alert: t("errors.access_denied"))
+      end
+    end
   end
 end

app/controllers/system_admin/reports_controller.rb

@@ -1,5 +1,7 @@
 module SystemAdmin
   class ReportsController < AdminController
+    before_action :check_user_roles
+
     def index; end
 
     def show
@@ -14,5 +16,18 @@ def show
     def report_params
       params.permit(:id, :status)
     end
+
+    def check_user_roles
+      case params[:id]
+      when "home_office", "standing_data", "payroll"
+        unless current_user.has_role?(:manager)
+          redirect_to(root_path, alert: t("errors.access_denied"))
+        end
+      when "applications", "qa"
+        unless current_user.has_role?(:admin)
+          redirect_to(root_path, alert: t("errors.access_denied"))
+        end
+      end
+    end
   end
 end

app/views/layouts/admin.html.erb

@@ -31,13 +31,14 @@
 
     <a href="#main-content" class="govuk-skip-link">Skip to main content</a>
     <%= govuk_header(service_name: "International relocation payment application management") do |header| %>
-      <%= header.with_navigation_item(text: "Applicants", href: applicants_path, active: request.path.include?('system-admin/applicants') ) %>
-      <%= header.with_navigation_item(text: "Duplicates", href: duplicates_path, active: request.path.include?('system-admin/duplicates') ) %>
-      <%= header.with_navigation_item(text: "Reports", href: reports_path, active: request.path.include?('/system-admin/reports')) %>
-      <%= header.with_navigation_item(text: "Dashboard", href: dashboard_path, active: request.path.include?('/system-admin/dashboard') ) %>
-      <%= header.with_navigation_item(text: "Users", href: users_path, active: request.path.include?('/system-admin/users') ) %>
-      <%= header.with_navigation_item(text: "Settings", href: edit_settings_path, active: request.path.include?('/system-admin/settings')) %>
-      <%= header.with_navigation_item(text: "Audits", href: audits_path, active: request.path.include?('/system-admin/audits')) %>
+      <%= header.with_navigation_item(text: "Applicants", href: applicants_path, active: request.path.include?('system-admin/applicants')) if current_user.has_role?(:servant) %>
+      <%= header.with_navigation_item(text: "Duplicates", href: duplicates_path, active: request.path.include?('system-admin/duplicates')) if current_user.has_role?(:servant) %>
+      <%= header.with_navigation_item(text: "Reports", href: reports_path, active: request.path.include?('/system-admin/reports')) if current_user.has_role?(:manager) %>
+      <%= header.with_navigation_item(text: "Dashboard", href: dashboard_path, active: request.path.include?('/system-admin/dashboard')) if current_user.has_role?(:spectator) %>
+      <%= header.with_navigation_item(text: "Users", href: users_path, active: request.path.include?('/system-admin/users')) if current_user.has_role?(:admin) %>
+      <%= header.with_navigation_item(text: "Settings", href: edit_settings_path, active: request.path.include?('/system-admin/settings')) if current_user.has_role?(:admin) %>
+      <%= header.with_navigation_item(text: "Audits", href: audits_path, active: request.path.include?('/system-admin/audits')) if current_user.has_role?(:admin) %>
+      <%= header.with_navigation_item(text: "Feature Flags", href: '/system_admin/features') if current_user.has_role?(:super_admin) %>
       <%= header.with_navigation_item(text: "Logout", href: destroy_user_session_path, active: false) %>
     <% end %>
 

app/views/system_admin/reports/index.html.erb

@@ -29,32 +29,34 @@
   </p>
 </div>
 
-<div class="applications">
-  <h2 class="govuk-heading-m">Applications Data report</h2>
-  <p class="govuk-body">
-    Download a CSV file of all applications
-  </p>
-  <p>
-    <%= link_to "Download", report_path(:applications), class: "govuk-button" %>
-  </p>
-</div>
+<% if current_user.has_role?(:admin) %>
+  <div class="applications">
+    <h2 class="govuk-heading-m">Applications Data report</h2>
+    <p class="govuk-body">
+      Download a CSV file of all applications
+    </p>
+    <p>
+      <%= link_to "Download", report_path(:applications), class: "govuk-button" %>
+    </p>
+  </div>
 
-<div class="applications-qa">
-  <h2 class="govuk-heading-m">QA reports</h2>
-  <p class="govuk-body">
-    Download a QA CSV file
-  </p>
-  <p>
+  <div class="applications-qa">
+    <h2 class="govuk-heading-m">QA reports</h2>
+    <p class="govuk-body">
+      Download a QA CSV file
+    </p>
+    <p>
 
-    <%= form_with(url: report_path(:qa), method: :get) do |f| %>
-    <div class="row">
-      <div class="column">
-        <%= f.govuk_select :status, application_statuses_options, label: { text: "Filter by application status" } %>
-      </div>
-      <div class="full-width">
-        <%= f.govuk_submit 'Download', class: "govuk-button"%>
-      </div>
-    </div>
-    <% end %>
-  </p>
-</div>
+      <%= form_with(url: report_path(:qa), method: :get) do |f| %>
+        <div class="row">
+          <div class="column">
+            <%= f.govuk_select :status, application_statuses_options, label: { text: "Filter by application status" } %>
+          </div>
+          <div class="full-width">
+            <%= f.govuk_submit 'Download', class: "govuk-button"%>
+          </div>
+        </div>
+      <% end %>
+    </p>
+  </div>
+<% end %>

config/initializers/flipper.rb

@@ -4,3 +4,10 @@ def self.matches?(request)
     current_user.present?
   end
 end
+
+Flipper::UI.configure do |config|
+  config.banner_text = "#{Rails.env.capitalize} Environment"
+  config.banner_class = Rails.env.production? ? "danger" : "warning"
+  config.cloud_recommendation = false
+  config.fun = false
+end

config/locales/en.yml

@@ -48,3 +48,5 @@ en:
       success: 'User was successfully removed.'
   omniauth_callbacks:
     no_account: 'You have not yet an account!'
+  errors:
+    access_denied: 'You do not have permission to access this page'

db/seeds.rb

@@ -27,5 +27,13 @@
   service_end_date: 1.year.from_now,
 )
 
+Role::ROLES_LIST.each do |role_name|
+  Role.find_or_create_by(name: role_name)
+end
+
 local_user_email = ENV.fetch("LOCAL_USER_EMAIL", nil)
-User.create!(email: local_user_email) if local_user_email
+if local_user_email
+  user = User.create!(email: local_user_email)
+  user.roles = Role.all
+  user.save!
+end

spec/features/admin_console/applications_list_spec.rb

@@ -7,51 +7,51 @@
 
   it "shows the correct columns" do
     given_there_are_few_applications
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:servant)
     when_i_am_in_the_applications_list_page
     then_i_can_see_the_correct_columns
   end
 
   it "shows the pagination" do
     given_there_are_few_applications
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:servant)
     when_i_am_in_the_applications_list_page
     then_i_can_see_the_pagination
   end
 
   it "allows searching" do
     given_there_are_few_applications
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:servant)
     when_i_am_in_the_applications_list_page
     then_i_can_see_the_search_form
     then_i_can_search_by_urn
   end
 
   it "highlights applications that breached SLA" do
     given_there_is_an_application_that_breached_sla
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:servant)
     when_i_am_in_the_applications_list_page
     then_i_can_see_the_application_is_highlighted
   end
 
   it "allows filtering by status" do
     given_there_are_applications_with_different_dates
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:servant)
     when_i_am_in_the_applications_list_page
     then_i_can_see_the_status_filter_form
     then_i_can_filter_by_status
   end
 
   it "displays timestamps correctly" do
     given_there_is_an_application_with_all_dates
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:servant)
     when_i_am_in_the_applications_list_page
     then_i_can_see_correct_timestamps
   end
 
   it "allows filtering by breached SLA" do
     given_there_is_an_application_that_breached_sla
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:servant)
     when_i_am_in_the_applications_list_page
     then_i_can_see_the_sla_filter_form
     then_i_can_filter_by_sla_breach

spec/features/admin_console/dashboard_spec.rb

@@ -7,105 +7,105 @@
 
   it "shows the Total Applications widget" do
     given_there_are_5_applications
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_applications_widget
   end
 
   it "shows the Total Rejections widget" do
     given_there_are_rejected_applications
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_total_rejections_widget
   end
 
   it "shows the Average Age widget" do
     given_there_are_3_applicants_with_ages
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_average_age_widget
   end
 
   it "shows the Total Paid widget" do
     given_there_are_paid_applications
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_total_paid_widget
   end
 
   it "shows the Route Breakdown widget" do
     given_there_are_few_applications
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_route_breakdown_widget
   end
 
   it "shows the Subject Breakdown widget" do
     given_there_are_few_applications
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_subject_breakdown_widget
   end
 
   it "shows the Visa Breakdown widget" do
     given_there_are_few_applications_with_visas
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_visa_breakdown_widget
   end
 
   it "shows the Nationalities Breakdown widget" do
     given_there_are_few_applications_with_nationalities
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_nationalities_breakdown_widget
   end
 
   it "shows the Gender Breakdown widget" do
     given_there_are_few_applications
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_gender_breakdown_widget
   end
 
   it "shows the Rejection Reason Breakdown widget" do
     given_there_are_applications_with_rejection_reasons
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_rejection_reason_breakdown_widget
   end
 
   it "shows the Initial Checks Approval time widget" do
     given_there_are_applications_with_initial_checks
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_initial_checks_approval_average_time_widget
   end
 
   it "shows the Home Office Checks Approval time widget" do
     given_there_are_applications_with_home_office_checks
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_home_office_checks_time_widget
   end
 
   it "shows the School Checks Approval time widget" do
     given_there_are_applications_with_school_checks
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_school_checks_time_widget
   end
 
   it "shows the Banking Approval time widget" do
     given_there_are_applications_with_banking_approval
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_banking_approval_completed_time_widget
   end
 
   it "shows the Payment Confirmation time widget" do
     given_there_are_applications_with_payment_confirmation
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:spectator)
     when_i_am_in_the_dashboard_page
     then_i_can_see_the_payment_confirmation_time_widget
   end

spec/features/admin_console/duplicates_search_spec.rb

@@ -17,19 +17,19 @@
   end
 
   it "Admin can search for duplicates by email" do
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:servant)
     when_i_search_for_a_duplicate_by("email")
     then_i_see_matching_duplicates
   end
 
   it "Admin can search for duplicates by phone number" do
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:servant)
     when_i_search_for_a_duplicate_by("phone number")
     then_i_see_matching_duplicates_by_phone_number
   end
 
   it "Admin can search for duplicates by passport number" do
-    given_i_am_signed_as_an_admin
+    given_i_am_signed_with_role(:servant)
     when_i_search_for_a_duplicate_by("passport number")
     then_i_see_matching_duplicates_by_passport_number
   end