MIA-85: RBAC for keyworkers homepage

ministryofjustice · Jan 17, 2025 · f07fb7b · f07fb7b
1 parent a2dc65e
commit f07fb7b
Show file tree

Hide file tree

Showing 8 changed files with 118 additions and 27 deletions.
diff --git a/.gitignore b/.gitignore
@@ -126,3 +126,6 @@ integration_tests/screenshots/
 */*.iml
 **/Chart.lock
 **/.DS_Store
+
+# wiremock
+wiremock.jar
diff --git a/integration_tests/mockApis/keyworkerApi.ts b/integration_tests/mockApis/keyworkerApi.ts
@@ -13,6 +13,21 @@ const stubKeyworkerApiHealth = () =>
     },
   })
 
+const stubKeyworkerApiStatusIsKeyworker = (isKeyworker: boolean) =>
+  stubFor({
+    request: {
+      method: 'GET',
+      urlPattern: '/keyworker-api/prisons/LEI/key-workers/USER1/status',
+    },
+    response: {
+      status: 200,
+      headers: { 'Content-Type': 'application/json;charset=UTF-8' },
+      jsonBody: { isKeyworker },
+    },
+  })
+
 export default {
   stubKeyworkerApiHealth,
+  stubKeyworkerApiStatusIsKeyworker: () => stubKeyworkerApiStatusIsKeyworker(true),
+  stubKeyworkerApiStatusIsNotKeyworker: () => stubKeyworkerApiStatusIsKeyworker(false),
 }
diff --git a/server/app.ts b/server/app.ts
@@ -72,6 +72,12 @@ export default function createApp(services: Services): express.Application {
   })
   app.use(breadcrumbs())
   app.use(dpsComponents.retrieveCaseLoadData({ logger }))
+
+  app.get('/not-authorised', (_, res) => {
+    res.status(403)
+    res.render('not-authorised', { showBreadcrumbs: true })
+  })
+
   app.use(populateUserPermissions())
   app.use(routes(services))
 

diff --git a/server/middleware/permissionsMiddleware.ts b/server/middleware/permissionsMiddleware.ts
@@ -23,10 +23,14 @@ export default function populateUserPermissions(): RequestHandler {
         res.locals.user.permissions.push('view')
       }
 
-      next()
+      if (!res.locals.user.permissions.length) {
+        return res.redirect('/not-authorised')
+      }
+
+      return next()
     } catch (e) {
       logger.error(e, `Failed to retrieve keyworker status: ${res.locals.user?.username}`)
-      next()
+      return next(e)
     }
   }
 }
diff --git a/server/routes/controller.ts b/server/routes/controller.ts
@@ -5,6 +5,8 @@ export class HomePageController {
     res.locals.breadcrumbs.popLastItem()
 
     return res.render('view', {
+      hasViewPermission: res.locals.user.permissions.includes('view'),
+      hasAllocatePermission: res.locals.user.permissions.includes('allocate'),
       showBreadcrumbs: true,
     })
   }

diff --git a/server/routes/test.cy.ts b/server/routes/test.cy.ts
@@ -3,9 +3,72 @@ context('test / homepage', () => {
     cy.task('reset')
   })
 
+  describe('Role based access', () => {
+    it('should redirect to not-authorised page if user has no permission', () => {
+      cy.task('stubSignIn', {
+        roles: [],
+      })
+      cy.task('stubKeyworkerApiStatusIsNotKeyworker')
+      navigateToTestPage()
+      cy.url().should('include', 'not-authorised')
+      cy.findByText('You do not have permission to access this page').should('be.visible')
+      cy.findByText('Contact the helpdesk').should('be.visible')
+    })
+
+    it('should show correct services when user has only a view permission', () => {
+      cy.task('stubSignIn', {
+        roles: [],
+      })
+      cy.task('stubKeyworkerApiStatusIsKeyworker')
+      navigateToTestPage()
+
+      cy.findByRole('heading', { name: /^Key workers$/i }).should('be.visible')
+
+      cy.findByRole('link', { name: /View all without a key worker$/i }).should('be.visible')
+
+      cy.findByRole('link', { name: /View by residential location$/i }).should('be.visible')
+
+      cy.findByRole('link', { name: /Search for a prisoner$/i }).should('be.visible')
+
+      cy.findByRole('link', { name: /View key workers in your establishment$/i }).should('be.visible')
+
+      cy.findByText('You can view a key worker’s availability and check their individual statistics.')
+
+      cy.findByRole('link', { name: /Key worker statistics$/i }).should('be.visible')
+
+      cy.findAllByRole('link', { name: /Manage your establishment’s key worker settings$/i }).should('not.exist')
+    })
+
+    it('should show correct services when user has allocate permission', () => {
+      cy.task('stubSignIn', {
+        roles: ['OMIC_ADMIN'],
+      })
+      cy.task('stubKeyworkerApiStatusIsNotKeyworker')
+      navigateToTestPage()
+
+      cy.findByRole('heading', { name: /^Key workers$/i }).should('be.visible')
+
+      cy.findByRole('link', { name: /View all without a key worker$/i }).should('be.visible')
+
+      cy.findByRole('link', { name: /View by residential location$/i }).should('be.visible')
+
+      cy.findByRole('link', { name: /Search for a prisoner$/i }).should('be.visible')
+
+      cy.findByRole('link', { name: /View key workers in your establishment$/i }).should('be.visible')
+
+      cy.findByText(
+        'You can manage a key worker’s availability, reassign their prisoners and check their individual statistics.',
+      )
+
+      cy.findByRole('link', { name: /Key worker statistics$/i }).should('be.visible')
+
+      cy.findAllByRole('link', { name: /Manage your establishment’s key worker settings$/i }).should('be.visible')
+    })
+  })
+
   it('shows all tiles when user has all required roles', () => {
     cy.task('stubSignIn', {
-      roles: [],
+      roles: ['OMIC_ADMIN', 'KEYWORKER_MONITOR'],
     })
     navigateToTestPage()
 
@@ -42,15 +105,6 @@ context('test / homepage', () => {
       .and('to.equal', 'https://legacy.key-workers.url/manage-key-worker-settings')
   })
 
-  it.skip('shows unauthorised message if user does not have any of the required roles', () => {
-    cy.task('stubSignIn', {
-      roles: [],
-    })
-    navigateToTestPage()
-    cy.findByText('You are not authorised to use this application.').should('be.visible')
-    cy.findByRole('heading', { name: /^Key workers$/i }).should('not.exist')
-  })
-
   const navigateToTestPage = () => {
     cy.signIn({ failOnStatusCode: false })
     cy.visit('/', { failOnStatusCode: false })

diff --git a/server/routes/view.njk b/server/routes/view.njk
@@ -40,14 +40,20 @@
                           </div>
                         </div>
 
-                        <div class="govuk-grid-column-one-third card-group__item">
-                          <div class="card card--clickable">
-                            <h2 class="govuk-heading-m card__heading">
-                              <a class="govuk-link govuk-link--no-visited-state card__link" href="{{ legacyKeyWorkersUiUrl }}/key-worker-search">View key workers in your establishment</a>
-                            </h2>
-                            <p class="govuk-body card__description">You can manage a key worker’s availability, reassign their prisoners and check their individual statistics.</p>
+                        {% if hasViewPermission or hasAllocatePermission %}
+                          <div class="govuk-grid-column-one-third card-group__item">
+                            <div class="card card--clickable">
+                              <h2 class="govuk-heading-m card__heading">
+                                <a class="govuk-link govuk-link--no-visited-state card__link" href="{{ legacyKeyWorkersUiUrl }}/key-worker-search">View key workers in your establishment</a>
+                              </h2>
+                              {% if hasAllocatePermission %}
+                                <p class="govuk-body card__description">You can manage a key worker’s availability, reassign their prisoners and check their individual statistics.</p>
+                              {% else %}
+                                <p class="govuk-body card__description">You can view a key worker’s availability and check their individual statistics.</p>
+                              {% endif %}
+                            </div>
                           </div>
-                        </div>
+                        {% endif %}
 
                         <div class="govuk-grid-column-one-third card-group__item">
                           <div class="card card--clickable">
@@ -57,15 +63,16 @@
                             <p class="govuk-body card__description">View the statistics for your establishment’s key workers.</p>
                           </div>
                         </div>
-
-                        <div class="govuk-grid-column-one-third card-group__item">
-                          <div class="card card--clickable">
-                            <h2 class="govuk-heading-m card__heading">
-                              <a class="govuk-link govuk-link--no-visited-state card__link" href="{{ legacyKeyWorkersUiUrl }}/manage-key-worker-settings">Manage your establishment’s key worker settings</a>
-                            </h2>
-                            <p class="govuk-body card__description">Allow auto-allocation, edit key worker capacity and session frequency.</p>
+                        {% if hasAllocatePermission %}
+                          <div class="govuk-grid-column-one-third card-group__item">
+                            <div class="card card--clickable">
+                              <h2 class="govuk-heading-m card__heading">
+                                <a class="govuk-link govuk-link--no-visited-state card__link" href="{{ legacyKeyWorkersUiUrl }}/manage-key-worker-settings">Manage your establishment’s key worker settings</a>
+                              </h2>
+                              <p class="govuk-body card__description">Allow auto-allocation, edit key worker capacity and session frequency.</p>
+                            </div>
                           </div>
-                        </div>
+                        {% endif %}
 
                       </div>
                   </div>

diff --git a/server/views/partials/not-authorised.njk → server/views/not-authorised.njk b/server/views/partials/not-authorised.njk → server/views/not-authorised.njk