Merge pull request #3464 from AtlasOfLivingAustralia/feature/issue3441

Allow read only user to view sites #3441

Author: salomon-j

grails-app/controllers/au/org/ala/merit/SiteController.groovy

@@ -39,15 +39,16 @@ class SiteController {
 
             def user = userService.getUser()
 
-            // permissions check - can't use annotation as we have to know the projectId in order to lookup access right
-            if (!isUserMemberOfSiteProjects(site)) {
+            List userProjects = site.projects?.findAll { projectService.canUserViewProject(user?.userId, it.projectId) }
+            // permissions check - can't use an annotation as we have to know the projectId.
+            // The rule applied here is if the user can view any project they are allowed to view the sites associated with
+            // that project as they are already displayed on the Sites tab anyway.
+            if (!userProjects) {
                 flash.message = "Access denied: User does not have permission to view site: ${id}"
                 redirect(controller:'home', action:'index')
                 return
             }
 
-            List userProjects = site.projects?.findAll { projectService.canUserViewProject(user?.userId, it.projectId) }
-
             // Tracks navigation and provides context to the "create activity" feature on the site page.
             Map selectedProject = null
             if (params.projectId) {

src/test/groovy/au/org/ala/merit/SiteControllerSpec.groovy

@@ -1,5 +1,6 @@
 package au.org.ala.merit
 
+import au.org.ala.merit.config.ProgramConfig
 import grails.converters.JSON
 import net.sf.json.JSONNull
 import org.apache.http.HttpStatus
@@ -13,12 +14,14 @@ class SiteControllerSpec extends Specification implements ControllerUnitTest<Sit
     UserService userService = Mock(UserService)
     ProjectService projectService = Mock(ProjectService)
     SettingService settingService = Mock(SettingService)
+    ProjectConfigurationService projectConfigurationService = Mock(ProjectConfigurationService)
 
     def setup() {
         controller.siteService = siteService
         controller.userService = userService
         controller.projectService = projectService
         controller.settingService = settingService
+        controller.projectConfigurationService = projectConfigurationService
 
         // From Bootstrap.groovy
         JSON.createNamedConfig("nullSafe", { cfg ->
@@ -260,4 +263,26 @@ class SiteControllerSpec extends Specification implements ControllerUnitTest<Sit
         and:
         model.siteTypes.collect{it.value} == ['worksArea', 'surveyArea', 'projectArea']
     }
+
+    def "A user can view a site if they can view any of the projects associated with that site"() {
+        setup:
+        Map project = [projectId:'p1', name:'project', sites:[[name:'name', externalId:'e1', type:'projectArea']]]
+        String siteId = 's1'
+        Map site = [siteId:siteId, name:"Site 1", projects:[project]]
+
+        when:
+        Map model = controller.index(siteId)
+
+        then:
+        1 * siteService.get(siteId) >> site
+        1 * userService.getUser() >> [userId:"u1"]
+        1 * projectService.canUserViewProject("u1", "p1") >> true
+        1 * projectService.get("p1") >> project
+        1 * projectConfigurationService.getProjectConfiguration(project) >> [projectTemplate:ProjectController.RLP_TEMPLATE]
+
+        and:
+        model.site == site
+        model.project == project
+
+    }
 }