[Automated] Merged master into target preview_envs_k8s

modules/mobile/spec/request/decision_letters_request_spec.rb

@@ -25,6 +25,15 @@
   # connect_vbms gem so it cannot intercept the actual HTTP request, making the use of VCRs not possible.
   # This means we cannot test error states for the index endpoint within specs
   describe 'GET /mobile/v0/decision-letters' do
+    context 'when user does not have access' do
+      let!(:user) { sis_user(participant_id: nil) }
+
+      it 'returns forbidden' do
+        get '/mobile/v0/claims/decision-letters', headers: sis_headers
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     context 'with a valid response' do
       context 'with mobile_filter_doc_27_decision_letters_out flag enabled' do
         it 'returns expected decision letters' do

modules/mobile/spec/request/disability_rating_request_spec.rb

@@ -51,6 +51,16 @@
   after { Flipper.disable(:mobile_lighthouse_disability_ratings) }
 
   describe 'Get /v0/disability-rating' do
+    context 'user without access' do
+      let!(:user) { sis_user(participant_id: nil) }
+
+      it 'returns 403' do
+        get '/mobile/v0/disability-rating', params: nil, headers: sis_headers
+
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     context 'with a valid 200 lighthouse response' do
       context 'with a single individual rating' do
         it 'matches the rated disabilities schema' do

modules/mobile/spec/request/legacy_disability_rating_request_spec.rb

@@ -40,6 +40,16 @@
   end
 
   describe 'Get /v0/disability-rating' do
+    context 'user without access' do
+      let!(:user) { sis_user(participant_id: nil) }
+
+      it 'returns 403' do
+        get '/mobile/v0/disability-rating', params: nil, headers: sis_headers
+
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     context 'with a valid 200 evss response' do
       it 'matches the rated disabilities schema' do
         VCR.use_cassette('mobile/profile/rating_info') do

modules/mobile/spec/request/legacy_letters_request_spec.rb

@@ -58,6 +58,15 @@
   end
 
   describe 'GET /mobile/v0/letters' do
+    context 'when user does not have access' do
+      let!(:user) { sis_user(participant_id: nil) }
+
+      it 'returns forbidden' do
+        get '/mobile/v0/letters', headers: sis_headers
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     context 'with a valid evss response' do
       it 'matches the letters schema' do
         VCR.use_cassette('evss/letters/letters') do
@@ -100,6 +109,15 @@
   end
 
   describe 'GET /mobile/v0/letters/beneficiary' do
+    context 'when user does not have access' do
+      let!(:user) { sis_user(participant_id: nil) }
+
+      it 'returns forbidden' do
+        get '/mobile/v0/letters/beneficiary', headers: sis_headers
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     context 'with a valid veteran response' do
       it 'matches the letter beneficiary schema' do
         VCR.use_cassette('evss/letters/beneficiary_veteran') do
@@ -142,6 +160,15 @@
   end
 
   describe 'POST /mobile/v0/letters/:type/download' do
+    context 'when user does not have access' do
+      let!(:user) { sis_user(participant_id: nil) }
+
+      it 'returns forbidden' do
+        post '/mobile/v0/letters/commissary/download', headers: sis_headers
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     context 'with no options' do
       it 'downloads a PDF' do
         VCR.use_cassette('evss/letters/download') do

modules/mobile/spec/request/legacy_payment_information_request_spec.rb

@@ -43,6 +43,16 @@
   end
 
   describe 'GET /mobile/v0/payment-information/benefits evss' do
+    context 'user without access' do
+      let!(:user) { sis_user(participant_id: nil) }
+
+      it 'returns 403' do
+        get '/mobile/v0/payment-information/benefits', headers: sis_headers
+
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     context 'with a valid response' do
       it 'matches the payment information schema' do
         VCR.use_cassette('evss/ppiu/payment_information') do
@@ -166,6 +176,17 @@
       }
     end
 
+    context 'user without access' do
+      let!(:user) { sis_user(participant_id: nil) }
+
+      it 'returns 403' do
+        put '/mobile/v0/payment-information/benefits', params: payment_info_request,
+                                                       headers: sis_headers(content_type)
+
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     context 'with a valid response' do
       it 'matches the ppiu schema' do
         allow(DirectDepositEmailJob).to receive(:send_to_emails)

modules/mobile/spec/request/letters_request_spec.rb

@@ -126,6 +126,15 @@
   end
 
   describe 'GET /mobile/v0/letters' do
+    context 'when user does not have access' do
+      let!(:user) { sis_user(participant_id: nil) }
+
+      it 'returns forbidden' do
+        get '/mobile/v0/letters', headers: sis_headers
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     context 'with a valid lighthouse response' do
       it 'matches the letters schema' do
         VCR.use_cassette('mobile/lighthouse_letters/letters_200', match_requests_on: %i[method uri]) do
@@ -149,6 +158,15 @@
   end
 
   describe 'GET /mobile/v0/letters/beneficiary' do
+    context 'when user does not have access' do
+      let!(:user) { sis_user(participant_id: nil) }
+
+      it 'returns forbidden' do
+        get '/mobile/v0/letters/beneficiary', headers: sis_headers
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     context 'with a valid lighthouse response' do
       it 'matches the letters beneficiary schema' do
         VCR.use_cassette('mobile/lighthouse_letters/letters_200', match_requests_on: %i[method uri]) do
@@ -162,6 +180,15 @@
   end
 
   describe 'POST /mobile/v0/letters/:type/download' do
+    context 'when user does not have access' do
+      let!(:user) { sis_user(participant_id: nil) }
+
+      it 'returns forbidden' do
+        post '/mobile/v0/letters/benefit_summary/download', headers: sis_headers
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     describe 'formats' do
       context 'when format is unspecified' do
         it 'downloads a PDF' do

modules/mobile/spec/request/message_drafts_request_spec.rb

@@ -24,6 +24,16 @@
     Timecop.return
   end
 
+  context 'when user does not have access' do
+    let!(:user) { sis_user(:mhv, mhv_account_type: 'Free') }
+
+    it 'returns forbidden' do
+      post('/mobile/v0/messaging/health/message_drafts', headers: sis_headers, params:)
+
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
   context 'when not authorized' do
     it 'responds with 403 error' do
       VCR.use_cassette('mobile/messages/session_error') do

modules/mobile/spec/request/messages_request_spec.rb

@@ -19,6 +19,16 @@
   context 'when using old authorization policy' do
     before { Flipper.disable(:mobile_sm_session_policy) }
 
+    context 'when user does not have access' do
+      let!(:user) { sis_user(:mhv, mhv_account_type: 'Free') }
+
+      it 'returns forbidden' do
+        get '/mobile/v0/messaging/health/messages/categories', headers: sis_headers
+
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     it 'responds to GET messages/categories' do
       VCR.use_cassette('sm_client/session') do
         VCR.use_cassette('sm_client/messages/gets_message_categories') do
@@ -35,6 +45,16 @@
   context 'when using new session authorization policy' do
     before { Flipper.enable_actor(:mobile_sm_session_policy, user) }
 
+    context 'when user does not have access' do
+      let!(:user) { sis_user(:mhv, mhv_correlation_id: nil) }
+
+      it 'returns forbidden' do
+        get '/mobile/v0/messaging/health/messages/categories', headers: sis_headers
+
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     context 'when not authorized' do
       it 'responds with 403 error' do
         VCR.use_cassette('mobile/messages/session_error') do

modules/mobile/spec/request/military_information_request_spec.rb

@@ -165,6 +165,16 @@
                  'honorableServiceIndicator' => nil }] } } }
       end
 
+      context 'when user does not have access' do
+        let!(:user) { sis_user(edipi: nil) }
+
+        it 'returns forbidden' do
+          get '/mobile/v0/military-service-history', headers: sis_headers
+
+          expect(response).to have_http_status(:forbidden)
+        end
+      end
+
       context 'with multiple military service episodes' do
         it 'matches the mobile service history schema' do
           VCR.use_cassette('mobile/va_profile/post_read_service_histories_200') do
@@ -241,14 +251,5 @@
         expect(response).to have_http_status(:not_found)
       end
     end
-
-    context 'with a user not authorized' do
-      let!(:user) { sis_user(edipi: nil) }
-
-      it 'returns a forbidden response' do
-        get '/mobile/v0/military-service-history', headers: sis_headers
-        expect(response).to have_http_status(:forbidden)
-      end
-    end
   end
 end

modules/mobile/spec/request/payment_information_request_spec.rb

@@ -44,6 +44,16 @@
   end
 
   describe 'GET /mobile/v0/payment-information/benefits lighthouse' do
+    context 'user without access' do
+      let!(:user) { sis_user(:api_auth, :loa1) }
+
+      it 'returns 403' do
+        get '/mobile/v0/payment-information/benefits', headers: sis_headers
+
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     context 'with a valid response' do
       it 'matches the payment information schema' do
         VCR.use_cassette('lighthouse/direct_deposit/show/200_valid') do
@@ -156,6 +166,17 @@
       }
     end
 
+    context 'user without access' do
+      let!(:user) { sis_user(:api_auth, :loa1) }
+
+      it 'returns 403' do
+        put '/mobile/v0/payment-information/benefits', params: payment_info_request,
+                                                       headers: sis_headers(json: true)
+
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
     context 'with a valid response' do
       it 'matches the ppiu schema' do
         allow(DirectDepositEmailJob).to receive(:send_to_emails)

modules/mobile/spec/request/preferred_name_request_spec.rb

@@ -18,6 +18,42 @@
     let(:csd) { 'LGN' }
 
     describe 'PUT /mobile/v0/profile/preferred_names' do
+      context 'when user does not have demographics access' do
+        let!(:user) do
+          sis_user(
+            idme_uuid: nil,
+            logingov_uuid: nil
+          )
+        end
+
+        it 'returns forbidden' do
+          preferred_name = VAProfile::Models::PreferredName.new(text: 'Pat')
+          put('/mobile/v0/user/preferred_name', params: preferred_name.to_h, headers: sis_headers)
+
+          expect(response).to have_http_status(:forbidden)
+        end
+      end
+
+      context 'when user does not have mpi access' do
+        let!(:user) do
+          sis_user(
+            icn: nil,
+            first_name: nil,
+            last_name: nil,
+            birth_date: nil,
+            ssn: nil,
+            gender: nil
+          )
+        end
+
+        it 'returns forbidden' do
+          preferred_name = VAProfile::Models::PreferredName.new(text: 'Pat')
+          put('/mobile/v0/user/preferred_name', params: preferred_name.to_h, headers: sis_headers)
+
+          expect(response).to have_http_status(:forbidden)
+        end
+      end
+
       context 'when text is valid' do
         it 'returns 204', :aggregate_failures do
           preferred_name = VAProfile::Models::PreferredName.new(text: 'Pat')

modules/mobile/spec/request/v1/messages_request_spec.rb

@@ -16,6 +16,16 @@
     Timecop.return
   end
 
+  context 'when user does not have access' do
+    let!(:user) { sis_user(:mhv, mhv_account_type: 'Free') }
+
+    it 'returns forbidden' do
+      get '/mobile/v0/messaging/health/messages/categories', headers: sis_headers
+
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
   context 'when not authorized' do
     it 'responds with 403 error' do
       VCR.use_cassette('mobile/messages/session_error') do