diff --git a/app/models/edition.rb b/app/models/edition.rb
index cbca11c49..065589a96 100644
--- a/app/models/edition.rb
+++ b/app/models/edition.rb
@@ -45,6 +45,7 @@ class ResurrectionError < RuntimeError
 lambda { |user|
 return all unless Flipflop.enabled?(:restrict_access_by_org)
 return all if user.gds_editor?
+ return all unless user.departmental_editor?
 where(owning_org_content_ids: user.organisation_content_id)
 }
 
@@ -517,6 +518,7 @@ def paths
 def is_accessible_to?(user)
 return true unless Flipflop.enabled?(:restrict_access_by_org)
 return true if user.gds_editor?
+ return true unless user.departmental_editor?
 owning_org_content_ids.include?(user.organisation_content_id)
 end
 
diff --git a/app/models/user.rb b/app/models/user.rb
index 81a0666f3..586bd5cd4 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -84,6 +84,10 @@ def welsh_editor?
 permissions.include?("welsh_editor")
 end
 
+ def departmental_editor?
+ permissions.include?("departmental_editor")
+ end
+
 def has_editor_permissions?(resource)
 govuk_editor? || (welsh_editor? && resource.artefact.welsh?)
 end
diff --git a/test/functional/editions_controller_test.rb b/test/functional/editions_controller_test.rb
index 4c63a2bd1..3a0dc897d 100644
--- a/test/functional/editions_controller_test.rb
+++ b/test/functional/editions_controller_test.rb
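Review bot: The new guard `return all unless user.departmental_editor?` (and its twin `return true unless user.departmental_editor?` in the second edition.rb hunk) makes the organisation restriction fail open: a signed-in user who is neither a gds_editor nor a departmental_editor now passes both guards and receives every edition regardless of `owning_org_content_ids`, because the restriction is keyed on a permission being present rather than absent. If that is the intended model it deserves a comment at both sites so a later reader does not "fix" it, e.g. `# Org scoping is opt-in: only users holding departmental_editor are limited to their own organisation's editions; every other role sees all.` The scope lambda and `is_accessible_to?` now duplicate the same three-step rule, so consider one predicate on Edition such as `def self.org_scoped?(user) = Flipflop.enabled?(:restrict_access_by_org) && !user.gds_editor? && user.departmental_editor?` and have both call sites use it so they cannot drift. The `scope` declaration the lambda belongs to begins before the first hunk, so the scope's name is not visible here.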
@@ -46,14 +46,22 @@ class EditionsControllerTest < ActionController::TestCase end context "when 'restrict_access_by_org' feature toggle is disabled" do - %i[show metadata history admin related_external_links unpublish].each do |action| + %i[show metadata history related_external_links].each do |action| context "##{action}" do setup do @edition = FactoryBot.create(:edition, owning_org_content_ids: %w[org-two]) end - should "return a 200 when requesting an edition owned by a different organisation" do - login_as(FactoryBot.create(:user, :govuk_editor, organisation_content_id: "org-one")) + should "return a 200 when requesting the #{action} tab on an edition owned by a different organisation and user has departmental_editor permission" do + login_as(FactoryBot.create(:user, :departmental_editor, organisation_content_id: "org-one")) + + get action, params: { id: @edition.id } + + assert_response :ok + end + + should "return a 200 when requesting the #{action} tab on an edition owned by a different organisation and user does not have departmental_editor permission" do + login_as(FactoryBot.create(:user, organisation_content_id: "org-one")) get action, params: { id: @edition.id } @@ -80,8 +88,8 @@ class EditionsControllerTest < ActionController::TestCase @edition = FactoryBot.create(:edition, owning_org_content_ids: %w[org-two]) end - should "return a 404 when requesting an edition owned by a different organisation" do - login_as(FactoryBot.create(:user, organisation_content_id: "org-one")) + should "return a 404 when requesting the #{action} tab on an edition owned by a different organisation and user has departmental_editor permission" do + login_as(FactoryBot.create(:user, :departmental_editor, organisation_content_id: "org-one")) get action, params: { id: @edition.id } diff --git a/test/functional/legacy_editions_controller_test.rb b/test/functional/legacy_editions_controller_test.rb index fd3825d87..c67ea73dd 100644 
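Review bot: The behaviour the model change actually introduces — a user without departmental_editor (and without gds_editor) reaching another organisation's edition while the feature toggle is enabled — is not asserted in these hunks: the new "does not have departmental_editor permission" case in the first hunk sits under the "feature toggle is disabled" context, where a 200 was already the expectation, and the second hunk (which appears to be the toggle-enabled context, though its header is outside the hunk) only swaps the 404 user for a departmental editor. Unless it is covered outside the hunk, add a `should "return a 200 when requesting the #{action} tab on an edition owned by a different organisation and user does not have departmental_editor permission"` case beside the 404 case, logging in with `FactoryBot.create(:user, organisation_content_id: "org-one")` and asserting `assert_response :ok`, so the fail-open path is a deliberate, tested decision. The same gap applies to the legacy_editions_controller_test.rb hunks and to the edition_test.rb hunks, where every `accessible_to` and `is_accessible_to?` case was switched to a departmental editor and the non-departmental path went from tested to unasserted. Dropping `admin` and `unpublish` from the action list in the first hunk also removes their cross-organisation coverage unless they are exercised elsewhere.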
--- a/test/functional/legacy_editions_controller_test.rb +++ b/test/functional/legacy_editions_controller_test.rb @@ -1315,7 +1315,15 @@ class LegacyEditionsControllerTest < ActionController::TestCase @edition = FactoryBot.create(:edition, owning_org_content_ids: %w[org-two]) end - should "return a 200 when requesting an edition owned by a different organisation" do + should "return a 200 when requesting the #{action} tab on an edition owned by a different organisation and user has departmental_editor permission" do + login_as(FactoryBot.create(:user, :departmental_editor, organisation_content_id: "org-one")) + + get action, params: { id: @edition.id } + + assert_response :ok + end + + should "return a 200 when requesting the #{action} tab on an edition owned by a different organisation and user does not have departmental_editor permission" do login_as(FactoryBot.create(:user, organisation_content_id: "org-one")) get action, params: { id: @edition.id } @@ -1343,8 +1351,8 @@ class LegacyEditionsControllerTest < ActionController::TestCase @edition = FactoryBot.create(:edition, owning_org_content_ids: %w[org-two]) end - should "return a 404 when requesting an edition owned by a different organisation" do - login_as(FactoryBot.create(:user, :govuk_editor, organisation_content_id: "org-one")) + should "return a 404 when requesting the #{action} tab on an edition owned by a different organisation and user has departmental_editor permission" do + login_as(FactoryBot.create(:user, :departmental_editor, organisation_content_id: "org-one")) get action, params: { id: @edition.id } diff --git a/test/models/edition_test.rb b/test/models/edition_test.rb index 31fd3e252..a0920b993 100644 --- a/test/models/edition_test.rb +++ b/test/models/edition_test.rb 
@@ -1271,36 +1271,36 @@ def draft_second_edition_from(published_edition) end context "accessible_to scope" do - should "omit editions that are owned by an organisation that is different to the user's" do + should "omit editions that are owned by an organisation that is different to the user's when user has departmental_editor permission" do FactoryBot.create(:edition, owning_org_content_ids: %w[one]) - user = FactoryBot.create(:user, organisation_content_id: "two") + user = FactoryBot.create(:user, :departmental_editor, organisation_content_id: "two") query_result = Edition.accessible_to(user) assert_empty query_result end - should "omit editions that are owned by an organisation when the user has no organisation" do + should "omit editions that are owned by an organisation when the user has no organisation and has departmental_editor permission" do FactoryBot.create(:edition, owning_org_content_ids: %w[one]) - user = FactoryBot.create(:user, organisation_content_id: nil) + user = FactoryBot.create(:user, :departmental_editor, organisation_content_id: nil) query_result = Edition.accessible_to(user) assert_empty query_result end - should "omit editions not owned by any organisation" do + should "omit editions not owned by any organisation when user has departmental_editor permission" do FactoryBot.create(:edition, owning_org_content_ids: []) - user = FactoryBot.create(:user, organisation_content_id: "two") + user = FactoryBot.create(:user, :departmental_editor, organisation_content_id: "two") query_result = Edition.accessible_to(user) assert_empty query_result end - should "omit editions not owned by any organisation when the user has no organisation" do + should "omit editions not owned by any organisation when the user has no organisation and has departmental_editor permission" do FactoryBot.create(:edition, owning_org_content_ids: []) - user = FactoryBot.create(:user, organisation_content_id: nil) + user = FactoryBot.create(:user, :departmental_editor, 
organisation_content_id: nil) query_result = Edition.accessible_to(user) 
@@ -1336,30 +1336,30 @@ def draft_second_edition_from(published_edition) end context "#is_accessible_to?" do - should "return false for editions that are owned by an organisation that is different to the user's" do + should "return false for editions that are owned by an organisation that is different to the user's and user has departmental_editor permission" do edition = FactoryBot.create(:edition, owning_org_content_ids: %w[one]) - user = FactoryBot.create(:user, organisation_content_id: "two") + user = FactoryBot.create(:user, :departmental_editor, organisation_content_id: "two") assert_not edition.is_accessible_to?(user) end - should "return false for editions that are owned by an organisation when the user has no organisation" do + should "return false for editions that are owned by an organisation when the user has no organisation and has departmental_editor permission" do edition = FactoryBot.create(:edition, owning_org_content_ids: %w[one]) - user = FactoryBot.create(:user, organisation_content_id: nil) + user = FactoryBot.create(:user, :departmental_editor, organisation_content_id: nil) assert_not edition.is_accessible_to?(user) end - should "return false for editions not owned by any organisation" do + should "return false for editions not owned by any organisation and user has departmental_editor permission" do edition = FactoryBot.create(:edition, owning_org_content_ids: []) - user = FactoryBot.create(:user, organisation_content_id: "two") + user = FactoryBot.create(:user, :departmental_editor, organisation_content_id: "two") assert_not edition.is_accessible_to?(user) end - should "return false for editions not owned by any organisation when the user has no organisation" do + should "return false for editions not owned by any organisation when the user has no organisation and has departmental_editor permission" do edition = FactoryBot.create(:edition, owning_org_content_ids: []) - user = FactoryBot.create(:user, organisation_content_id: nil) + user = 
FactoryBot.create(:user, :departmental_editor, organisation_content_id: nil) assert_not edition.is_accessible_to?(user) end diff --git a/test/support/factories.rb b/test/support/factories.rb index 81e9df794..2b2e5558d 100644 --- a/test/support/factories.rb +++ b/test/support/factories.rb @@ -21,6 +21,10 @@ trait :welsh_editor do permissions { %w[welsh_editor signin] } end + + trait :departmental_editor do + permissions { %w[departmental_editor signin] } + end end trait :homepage_editor do diff --git a/test/unit/presenters/filtered_editions_presenter_test.rb b/test/unit/presenters/filtered_editions_presenter_test.rb index da6cf9c3d..eed12eccb 100644 --- a/test/unit/presenters/filtered_editions_presenter_test.rb +++ b/test/unit/presenters/filtered_editions_presenter_test.rb @@ -161,7 +161,7 @@ def a_gds_user end should "filter out editions not accessible to the user" do - user = FactoryBot.create(:user, organisation_content_id: "an-org") + user = FactoryBot.create(:user, :departmental_editor, organisation_content_id: "an-org") FactoryBot.create(:guide_edition, owning_org_content_ids: %w[another-org]) filtered_editions = FilteredEditionsPresenter.new(user).editions