Prevent deletion of vaccination records from NHS immunisations API

samcoy3 · samcoy3 · commit 072dd22ff38b · 2025-08-26T17:03:17.000+01:00
This PR prevents all users from deleting vaccination records where `source = nhs_immunisations_api`.

Users are already unable to edit such records, because only records with an associated session can be edited.

Jira-Issue: MAV-1772
diff --git a/app/policies/vaccination_record_policy.rb b/app/policies/vaccination_record_policy.rb
@@ -19,7 +19,8 @@ def update?
   end
 
   def destroy?
-    user.is_superuser?
+    # binding.irb
+    user.is_superuser? && record.source != "nhs_immunisations_api"
   end
 
   class Scope < ApplicationPolicy::Scope
diff --git a/spec/policies/vaccination_record_policy_spec.rb b/spec/policies/vaccination_record_policy_spec.rb
@@ -3,12 +3,12 @@
 describe VaccinationRecordPolicy do
   subject(:policy) { described_class.new(user, vaccination_record) }
 
+  let(:programme) { create(:programme) }
+  let(:team) { create(:team, programmes: [programme]) }
+
   describe "update?" do
     subject(:update?) { policy.update? }
 
-    let(:programme) { create(:programme) }
-    let(:team) { create(:team, programmes: [programme]) }
-
     let(:vaccination_record) { create(:vaccination_record, programme:) }
 
     context "with an admin" do
@@ -45,29 +45,58 @@
   describe "destroy?" do
     subject(:destroy?) { policy.destroy? }
 
-    let(:vaccination_record) { create(:vaccination_record) }
+    context "when vaccination record is from the nhs immunisations api" do
+      let(:vaccination_record) do
+        create(:vaccination_record, programme:, source: "nhs_immunisations_api")
+      end
 
-    context "with an admin" do
-      let(:user) { build(:admin) }
+      context "with an admin with superuser access" do
+        let(:user) { build(:admin, :superuser) }
 
-      it { should be(false) }
+        it { should be(false) }
+      end
 
-      context "and superuser access" do
-        let(:user) { build(:admin, :superuser) }
+      context "with a nurse with superuser access" do
+        let(:user) { build(:nurse, :superuser) }
 
-        it { should be(true) }
+        it { should be(false) }
       end
     end
 
-    context "with a nurse" do
-      let(:user) { build(:nurse) }
+    context "when vaccination record is managed in mavis" do
+      let(:session) { create(:session, team:, programmes: [programme]) }
+      let(:vaccination_record) do
+        create(
+          :vaccination_record,
+          team:,
+          programme:,
+          source: "mavis",
+          session:
+        )
+      end
 
-      it { should be(false) }
+      context "with an admin" do
+        let(:user) { build(:admin) }
 
-      context "and superuser access" do
-        let(:user) { build(:nurse, :superuser) }
+        it { should be(false) }
 
-        it { should be(true) }
+        context "and superuser access" do
+          let(:user) { build(:admin, :superuser) }
+
+          it { should be(true) }
+        end
+      end
+
+      context "with a nurse" do
+        let(:user) { build(:nurse) }
+
+        it { should be(false) }
+
+        context "and superuser access" do
+          let(:user) { build(:nurse, :superuser) }
+
+          it { should be(true) }
+        end
       end
     end
   end
