From 5c5b0cbe9463298ff78385ba28cdf5de1dc4f195 Mon Sep 17 00:00:00 2001
From: Mike Patrick
Date: Thu, 7 Sep 2023 16:59:41 +0100
Subject: [PATCH] Prevent updating permissions

This form is the second step of the batch invitation creation process. Once a batch invitation's permissions have been set, it's considered to be "in progress" and these details shouldn't be changed.
---
 ...batch_invitation_permissions_controller.rb | 8 ++++++++
 ..._invitation_permissions_controller_test.rb | 20 +++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/app/controllers/batch_invitation_permissions_controller.rb b/app/controllers/batch_invitation_permissions_controller.rb
index 80329c46cd..af73635c12 100644
--- a/app/controllers/batch_invitation_permissions_controller.rb
+++ b/app/controllers/batch_invitation_permissions_controller.rb
@@ -3,6 +3,7 @@ class BatchInvitationPermissionsController < ApplicationController
 before_action :authenticate_user!
 before_action :load_batch_invitation
 before_action :authorise_to_manage_permissions
+ before_action :prevent_updating
 helper_method :applications_and_permissions
@@ -29,6 +30,13 @@ def authorise_to_manage_permissions
 authorize @batch_invitation, :manage_permissions?
 end
+ def prevent_updating
+ if @batch_invitation.has_permissions?
+ flash[:alert] = "Permissions have already been set for this batch of users"
+ redirect_to batch_invitation_path(@batch_invitation)
+ end
+ end
+
 def grant_default_permissions(batch_invitation)
 SupportedPermission.default.each do |default_permission|
 batch_invitation.grant_permission(default_permission)
diff --git a/test/controllers/batch_invitation_permissions_controller_test.rb b/test/controllers/batch_invitation_permissions_controller_test.rb
index 714e851045..59e82e838f 100644
--- a/test/controllers/batch_invitation_permissions_controller_test.rb
+++ b/test/controllers/batch_invitation_permissions_controller_test.rb
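Review bot: The `has_permissions?` check in `prevent_updating` runs as a `before_action`, separately from whatever `create` later writes, so two submissions for the same batch arriving together could both pass the guard before either has saved its permissions. `create` is outside this hunk, so this is inferred; if it does write without re-checking, the invariant is better enforced where the write happens, for example by repeating the check inside `@batch_invitation.with_lock do … end` or as a model validation, with this callback kept for the user-facing redirect. The method would also read more directly with a guard clause, `return unless @batch_invitation.has_permissions?`, and a one-line comment such as `# Permissions are set once; afterwards the batch is "in progress" and must not be changed.`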
@@ -25,6 +25,16 @@ class BatchInvitationPermissionsControllerTest < ActionController::TestCase
 end
 context "GET new" do
+ should "not allow access if batch invitation already has permissions" do
+ @batch_invitation.supported_permission_ids = [@app.signin_permission.id]
+ @batch_invitation.save!
+
+ get :new, params: { batch_invitation_id: @batch_invitation.id }
+
+ assert_match(/Permissions have already been set for this batch of users/, flash[:alert])
+ assert_redirected_to "/batch_invitations/#{@batch_invitation.id}"
+ end
+
 should "allow selection of application permissions to grant to users" do
 get :new, params: { batch_invitation_id: @batch_invitation.id }
@@ -36,6 +46,16 @@ class BatchInvitationPermissionsControllerTest < ActionController::TestCase
 end
 context "POST create" do
+ should "not accept submission if batch invitation already has permissions" do
+ @batch_invitation.supported_permission_ids = [@app.signin_permission.id]
+ @batch_invitation.save!
+
+ post :create, params: { batch_invitation_id: @batch_invitation.id }
+
+ assert_match(/Permissions have already been set for this batch of users/, flash[:alert])
+ assert_redirected_to "/batch_invitations/#{@batch_invitation.id}"
+ end
+
 should "grant selected permissions and default permissions to BatchInvitation" do
 support_app = create(:application, name: "Support")
 support_app.signin_permission.update!(default: true)
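Review bot: The POST test in the second hunk checks only the flash and the redirect, and it submits no permission params, so it would not notice a regression where the request is redirected but the stored permissions are still changed. Since the point of the commit is that permissions cannot be altered once set, the test should submit a different permission and then assert the record is untouched, e.g. `assert_equal [@app.signin_permission.id], @batch_invitation.reload.supported_permission_ids`. The param shape `create` expects is not visible in this hunk, so the submitted params would need to follow the existing "grant selected permissions" test that continues below it.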