Only show complainant details on case added activity if user is colla…

…borating on the case (#696)

* Only show complainant details on case added activity if user is collaborating on the case

* Change copy when user cannot view contact details on case created activity

CHANGELOG.md

@@ -1,6 +1,9 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## 2020-06-12
+- Users of all teams added to a case can now view complainant contact details on the case activity page.
+
 ## 2020-06-05
 – Added the ability to view the details of correspondence added to the case on their own page.
 

psd-web/app/helpers/investigations/display_text_helper.rb

@@ -84,7 +84,7 @@ def gdpr_restriction_text
 
   def should_be_hidden(result, source, investigation)
     return true if correspondence_should_be_hidden(result, source, investigation)
-    return true if (source.include? "complainant") && !investigation&.complainant&.can_be_displayed?(current_user)
+    return true if (source.include? "complainant") && !policy(investigation).view_protected_details?
 
     false
   end

psd-web/app/models/audit_activity/investigation/add.rb

@@ -45,7 +45,7 @@ def title(_user)
   def can_display_all_data?(user)
     return true if self[:metadata].present? || investigation.complainant.blank?
 
-    investigation.complainant.can_be_displayed?(user)
+    Pundit.policy(user, investigation).view_protected_details?
   end
 
   # Only used for old records prior to metadata implementation

psd-web/app/models/complainant.rb

@@ -19,16 +19,4 @@ class Complainant < ApplicationRecord
 
   validates :name, length: { maximum: 100 }
   validates :other_details, length: { maximum: 10_000 }
-
-  def can_be_displayed?(user)
-    can_be_seen_by_user?(user) || investigation.child_should_be_displayed?(user)
-  end
-
-private
-
-  def can_be_seen_by_user?(user)
-    return true if investigation.creator_user.has_gdpr_access?(user)
-
-    complainant_type != "Consumer"
-  end
 end

psd-web/app/views/investigations/activities/investigation/_add_project.html.erb

@@ -1,7 +1,5 @@
 <h4 class="govuk-heading-s">Project details</h4>
 
-
-
 <% if activity.metadata['investigation']['coronavirus_related'] %>
   <p class="govuk-body">
     <%= t("audit_activity.investigation.coronavirus_related") %>

psd-web/app/views/investigations/activities/investigation/_complainant.html.erb

@@ -8,11 +8,10 @@
 <% end %>
 
 <%# Teams not involved in a case shouldn't complianant contact details %>
-<% if !complainant.can_be_displayed?(current_user) %>
-  <%= render "restricted", activity: activity %>
+<% if !policy(@investigation).view_protected_details? %>
+  <p class="govuk-hint"><%= t("case.protected_details", data_type: "#{@investigation.case_type} contact details") %></p>
 
 <% else %>
-
   <% complainant_info = [] %>
 
   <% if complainant.name.present? %>

psd-web/spec/features/create_allegation_as_opss_user_spec.rb

@@ -191,8 +191,7 @@ def expect_case_activity_page_to_show_restricted_information(allegation)
     expect(page).to have_text("Hazard type: #{allegation.fetch(:hazard_type)}")
     expect(page).to have_text(allegation.fetch(:description))
 
-    expect(page).to have_text("Restricted access")
-    expect(page).to have_text("Consumer contact details hidden to comply with GDPR legislation. Contact test organisation, who created this activity, to obtain these details if required.")
+    expect(page).to have_css("p", text: "Only teams added to the case can view allegation contact details")
 
     expect(page).not_to have_text("Name")
     expect(page).not_to have_text("Email address")

psd-web/spec/features/create_enquiry_as_opss_user_spec.rb

@@ -171,8 +171,7 @@ def expect_case_activity_page_to_show_restricted_information(enquiry)
       expect(page).to have_css("p", text: "Case is related to the coronavirus outbreak.")
       expect(page).to have_css("p", text: enquiry.fetch(:enquiry_description))
 
-      expect(page).to have_text("Restricted access")
-      expect(page).to have_text("Consumer contact details hidden to comply with GDPR legislation. Contact test organisation, who created this activity, to obtain these details if required.")
+      expect(page).to have_css("p", text: "Only teams added to the case can view enquiry contact details")
 
       expect(page).not_to have_text("Name")
       expect(page).not_to have_text("Email address")

psd-web/spec/support/audit_activity_investigation.rb

@@ -155,15 +155,21 @@
 
       context "when there is a complainant" do
         let(:factory_trait) { :with_complainant }
-        let(:complainant) { investigation.complainant }
 
-        before do
-          allow(complainant).to receive(:can_be_displayed?).with(user).and_return(true)
+        context "when the user is on a team collaborating on the case" do
+          before do
+            create(:collaboration_edit_access, investigation: investigation, collaborator: user.team)
+          end
+
+          it "returns true" do
+            expect(can_display).to be true
+          end
         end
 
-        it "returns the value of complainant#can_be_displayed?", :aggregate_failures do
-          expect(can_display).to be true
-          expect(complainant).to have_received(:can_be_displayed?).with(user).once
+        context "when the user is not on a team collaborating on the case" do
+          it "returns false" do
+            expect(can_display).to be false
+          end
         end
       end
     end