From 0897574e17e049b45098f2a3838e443c3f6d1d86 Mon Sep 17 00:00:00 2001 From: Thomas Leese Date: Fri, 6 Oct 2023 13:55:58 +0100 Subject: [PATCH 1/2] Add AssessmentRecommendationPolicy This adds a policy which allows both admins and assessors to make a recommendation. The recommendation can only be made if the admin or assessor has already completed the previous steps, of which they are limited by who can perform the tasks. --- .../assessment_recommendation_policy.rb | 7 +++ .../assessment_recommendation_policy_spec.rb | 59 +++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 app/policies/assessor_interface/assessment_recommendation_policy.rb create mode 100644 spec/policies/assessor_interface/assessment_recommendation_policy_spec.rb diff --git a/app/policies/assessor_interface/assessment_recommendation_policy.rb b/app/policies/assessor_interface/assessment_recommendation_policy.rb new file mode 100644 index 0000000000..1a87f2465e --- /dev/null +++ b/app/policies/assessor_interface/assessment_recommendation_policy.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +class AssessorInterface::AssessmentRecommendationPolicy < ApplicationPolicy + def update? + user.award_decline_permission || user.verify_permission + end +end diff --git a/spec/policies/assessor_interface/assessment_recommendation_policy_spec.rb b/spec/policies/assessor_interface/assessment_recommendation_policy_spec.rb new file mode 100644 index 0000000000..4514388be7 --- /dev/null +++ b/spec/policies/assessor_interface/assessment_recommendation_policy_spec.rb @@ -0,0 +1,59 @@ +# frozen_string_literal: true + +require "rails_helper" + +RSpec.describe AssessorInterface::AssessmentRecommendationPolicy do + it_behaves_like "a policy" + + let(:user) { nil } + let(:record) { nil } + + subject(:policy) { described_class.new(user, record) } + + describe "#index?" do + subject(:index?) { policy.index? } + + let(:user) { create(:staff, :confirmed) } + it { is_expected.to be false } + end + + describe "#show?" do + subject(:show?) { policy.show? } + + let(:user) { create(:staff, :confirmed) } + it { is_expected.to be false } + end + + describe "#create?" do + subject(:create?) { policy.create? } + + let(:user) { create(:staff, :confirmed) } + it { is_expected.to be false } + end + + describe "#new?" do + subject(:new?) { policy.new? } + + let(:user) { create(:staff, :confirmed) } + it { is_expected.to be false } + end + + describe "#update?" do + subject(:update?) { policy.update? } + it_behaves_like "a policy method requiring the award decline permission" + it_behaves_like "a policy method requiring the verify permission" + end + + describe "#edit?" do + subject(:edit?) { policy.edit? } + it_behaves_like "a policy method requiring the award decline permission" + it_behaves_like "a policy method requiring the verify permission" + end + + describe "#destroy?" do + subject(:destroy?) { policy.destroy? } + + let(:user) { create(:staff, :confirmed) } + it { is_expected.to be false } + end +end From 2429d9cc41eec09502273aa2ff0a25fff01a2ab0 Mon Sep 17 00:00:00 2001 From: Thomas Leese Date: Fri, 6 Oct 2023 14:00:50 +0100 Subject: [PATCH 2/2] Use AssessmentRecommendationPolicy This updates the controllers related to making assessment recommendation to use the new policy which allows assessors and admins to make a recommendation. --- ...essment_recommendation_award_controller.rb | 17 ++++++----- ...sment_recommendation_decline_controller.rb | 12 ++++---- ...ssment_recommendation_verify_controller.rb | 30 +++++++++++-------- .../assessments_controller.rb | 7 ++++- 4 files changed, 40 insertions(+), 26 deletions(-) diff --git a/app/controllers/assessor_interface/assessment_recommendation_award_controller.rb b/app/controllers/assessor_interface/assessment_recommendation_award_controller.rb index a7c3ba714f..9df33e9183 100644 --- a/app/controllers/assessor_interface/assessment_recommendation_award_controller.rb +++ b/app/controllers/assessor_interface/assessment_recommendation_award_controller.rb @@ -2,16 +2,19 @@ module AssessorInterface class AssessmentRecommendationAwardController < BaseController - before_action :authorize_assessor, only: %i[edit update] before_action :ensure_can_award before_action :load_assessment_and_application_form before_action :load_important_notes, only: %i[edit update] def edit + authorize %i[assessor_interface assessment_recommendation] + @form = AssessmentDeclarationAwardForm.new end def update + authorize %i[assessor_interface assessment_recommendation] + @form = AssessmentDeclarationAwardForm.new( declaration: @@ -35,11 +38,11 @@ def update end def age_range_subjects - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? end def edit_age_range_subjects - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? @form = ConfirmAgeRangeSubjectsForm.new( @@ -53,7 +56,7 @@ def edit_age_range_subjects end def update_age_range_subjects - authorize :assessor, :update? + authorize %i[assessor_interface assessment_recommendation], :update? @form = ConfirmAgeRangeSubjectsForm.new( @@ -76,16 +79,16 @@ def update_age_range_subjects end def preview - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? end def edit_confirm - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? @form = AssessmentConfirmationForm.new end def update_confirm - authorize :assessor, :update? + authorize %i[assessor_interface assessment_recommendation], :update? @form = AssessmentConfirmationForm.new( diff --git a/app/controllers/assessor_interface/assessment_recommendation_decline_controller.rb b/app/controllers/assessor_interface/assessment_recommendation_decline_controller.rb index 7f76acdb7c..2fc28b1f77 100644 --- a/app/controllers/assessor_interface/assessment_recommendation_decline_controller.rb +++ b/app/controllers/assessor_interface/assessment_recommendation_decline_controller.rb @@ -2,16 +2,18 @@ module AssessorInterface class AssessmentRecommendationDeclineController < BaseController - before_action :authorize_assessor, - except: %i[preview edit_confirm update_confirm] before_action :ensure_can_decline before_action :load_assessment_and_application_form def edit + authorize %i[assessor_interface assessment_recommendation] + @form = AssessmentDeclarationDeclineForm.new end def update + authorize %i[assessor_interface assessment_recommendation] + @form = AssessmentDeclarationDeclineForm.new( declaration: @@ -42,16 +44,16 @@ def update end def preview - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? end def edit_confirm - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? @form = AssessmentConfirmationForm.new end def update_confirm - authorize :assessor, :update? + authorize %i[assessor_interface assessment_recommendation], :update? @form = AssessmentConfirmationForm.new( diff --git a/app/controllers/assessor_interface/assessment_recommendation_verify_controller.rb b/app/controllers/assessor_interface/assessment_recommendation_verify_controller.rb index b33633abf0..3fe5a7b49e 100644 --- a/app/controllers/assessor_interface/assessment_recommendation_verify_controller.rb +++ b/app/controllers/assessor_interface/assessment_recommendation_verify_controller.rb @@ -2,11 +2,12 @@ module AssessorInterface class AssessmentRecommendationVerifyController < BaseController - before_action :authorize_assessor, only: %i[edit update] before_action :ensure_can_verify before_action :load_assessment_and_application_form def edit + authorize %i[assessor_interface assessment_recommendation] + redirect_to [ :verify_qualifications, :assessor_interface, @@ -17,6 +18,8 @@ def edit end def update + authorize %i[assessor_interface assessment_recommendation] + VerifyAssessment.call( assessment:, user: current_staff, @@ -33,12 +36,13 @@ def update end def edit_verify_qualifications - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? + @form = VerifyQualificationsForm.new end def update_verify_qualifications - authorize :assessor, :update? + authorize %i[assessor_interface assessment_recommendation], :update? @form = VerifyQualificationsForm.new( @@ -71,7 +75,7 @@ def update_verify_qualifications end def edit_qualification_requests - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? @form = SelectQualificationsForm.new( @@ -82,7 +86,7 @@ def edit_qualification_requests end def update_qualification_requests - authorize :assessor, :update? + authorize %i[assessor_interface assessment_recommendation], :update? qualification_ids = params.dig( @@ -111,14 +115,14 @@ def update_qualification_requests end def email_consent_letters - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? @qualifications = application_form.qualifications.where(id: session[:qualification_ids]) end def edit_verify_professional_standing - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? if application_form.teaching_authority_provides_written_statement redirect_to [ @@ -135,7 +139,7 @@ def edit_verify_professional_standing end def update_verify_professional_standing - authorize :assessor, :update? + authorize %i[assessor_interface assessment_recommendation], :update? @form = VerifyProfessionalStandingForm.new( @@ -168,11 +172,11 @@ def update_verify_professional_standing end def contact_professional_standing - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? end def edit_reference_requests - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? @form = SelectWorkHistoriesForm.new( @@ -183,7 +187,7 @@ def edit_reference_requests end def update_reference_requests - authorize :assessor, :update? + authorize %i[assessor_interface assessment_recommendation], :update? work_history_ids = params.dig( @@ -212,12 +216,12 @@ def update_reference_requests end def preview_referee - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? @reference_requests = assessment.reference_requests end def preview_teacher - authorize :assessor, :edit? + authorize %i[assessor_interface assessment_recommendation], :edit? end private diff --git a/app/controllers/assessor_interface/assessments_controller.rb b/app/controllers/assessor_interface/assessments_controller.rb index 8244a15081..afd93583fe 100644 --- a/app/controllers/assessor_interface/assessments_controller.rb +++ b/app/controllers/assessor_interface/assessments_controller.rb @@ -2,14 +2,17 @@ module AssessorInterface class AssessmentsController < BaseController - before_action { authorize [:assessor_interface, assessment] } before_action :load_assessment_and_application_form def edit + authorize %i[assessor_interface assessment_recommendation] + @form = AssessmentRecommendationForm.new(assessment:) end def update + authorize %i[assessor_interface assessment_recommendation] + @form = AssessmentRecommendationForm.new( assessment:, @@ -28,9 +31,11 @@ def update end def rollback + authorize [:assessor_interface, assessment] end def destroy + authorize [:assessor_interface, assessment] RollbackAssessment.call(assessment:, user: current_staff) redirect_to [:assessor_interface, application_form] rescue RollbackAssessment::InvalidState => e