Choose team when signing in

This is the final part of the teams/organisations restructuring, which
requires users to select the team they want to sign in to when they
sign in. This is necessary as a single organisation can be part of
multiple teams.

Jira-Issue: MAV-1280

Author: thomasleese

app/controllers/application_controller.rb

@@ -6,7 +6,7 @@ class ApplicationController < ActionController::Base
 
   before_action :store_user_location!
   before_action :authenticate_user!
-  before_action :set_selected_team
+  before_action :ensure_team_is_selected
   before_action :set_user_cis2_info
   before_action :set_disable_cache_headers
   before_action :set_header_path
@@ -35,18 +35,16 @@ class UnprocessableEntity < StandardError
 
   rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
 
+  def current_organisation = current_user&.selected_organisation
+
   def current_team = current_user&.selected_team
 
-  helper_method :current_team
+  helper_method :current_organisation, :current_team
 
   private
 
-  def set_selected_team
-    return if Settings.cis2.enabled
-    return unless current_user
-    return if cis2_info.signed_in?
-
-    redirect_to new_users_teams_path
+  def ensure_team_is_selected
+    redirect_to new_users_teams_path if current_user && cis2_info.team.nil?
   end
 
   def set_header_path

app/controllers/concerns/authentication_concern.rb

@@ -12,11 +12,11 @@ def authenticate_user!
           store_location_for(:user, request.fullpath)
         end
 
-        if Settings.cis2.enabled || request.path != new_user_session_path
+        if cis2_enabled? || request.path != new_user_session_path
           flash[:info] = "You must be logged in to access this page."
           redirect_to start_path
         end
-      elsif cis2_session?
+      elsif cis2_enabled?
         if !selected_cis2_workgroup_is_valid?
           redirect_to users_workgroup_not_found_path
         elsif !selected_cis2_role_is_valid?
@@ -27,9 +27,9 @@ def authenticate_user!
       end
     end
 
-    def cis2_info = CIS2Info.new(request_session: session)
+    def cis2_enabled? = Settings.cis2.enabled
 
-    def cis2_session? = cis2_info.present?
+    def cis2_info = CIS2Info.new(request_session: session)
 
     def selected_cis2_org_is_registered?
       Organisation.exists?(ods_code: cis2_info.organisation_code)
@@ -76,7 +76,7 @@ def after_sign_in_path_for(scope)
     end
 
     def user_signed_in?
-      super && (Settings.cis2.enabled ? cis2_session? : true)
+      super && (cis2_enabled? ? cis2_info.present? : true)
     end
 
     def set_user_cis2_info

app/controllers/users/errors_controller.rb

@@ -3,6 +3,7 @@
 class Users::ErrorsController < ::ApplicationController
   skip_before_action :store_user_location!
   skip_before_action :authenticate_user!
+  skip_before_action :ensure_team_is_selected
   skip_after_action :verify_policy_scoped
 
   before_action :set_cis2_info

app/controllers/users/omniauth_callbacks_controller.rb

@@ -5,6 +5,7 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   include CIS2LogoutConcern
 
   skip_before_action :authenticate_user!
+  skip_before_action :ensure_team_is_selected
   skip_after_action :verify_policy_scoped
   skip_before_action :verify_authenticity_token, only: [:cis2_logout]
   skip_before_action :authenticate_basic, only: [:cis2_logout]
@@ -21,7 +22,7 @@ def cis2
     elsif !selected_cis2_org_is_registered?
       redirect_to users_organisation_not_found_path
     else
-      @user = User.find_or_create_from_cis2_oidc(user_cis2_info, teams)
+      @user = User.find_or_create_from_cis2_oidc(user_cis2_info, valid_teams)
 
       # Force is set to true because the `session_token` might have changed
       # even if the same user is logging in.
@@ -92,14 +93,13 @@ def raw_cis2_info
     user_cis2_info["extra"]["raw_info"]
   end
 
-  def organisation
-    @organisation ||=
-      Organisation.find_by(ods_code: selected_cis2_org["org_code"])
-  end
-
-  def teams
-    # TODO: Select the right team based on the user's workgroup.
-    organisation.teams
+  def valid_teams
+    Team.joins(:organisation).where(
+      workgroup: selected_cis2_nrbac_role["workgroups"],
+      organisation: {
+        ods_code: selected_cis2_org["org_code"]
+      }
+    )
   end
 
   def set_cis2_session_info

app/controllers/users/teams_controller.rb

@@ -1,11 +1,10 @@
 # frozen_string_literal: true
 
 class Users::TeamsController < ApplicationController
-  skip_before_action :set_selected_team
+  skip_before_action :store_user_location!
+  skip_before_action :ensure_team_is_selected
   skip_after_action :verify_policy_scoped
 
-  before_action :redirect_to_dashboard_if_cis2_is_enabled
-
   layout "two_thirds"
 
   def new
@@ -21,15 +20,9 @@ def create
       )
 
     if @form.save
-      redirect_to dashboard_path
+      redirect_to session[:user_return_to] || dashboard_path
     else
       render :new, status: :unprocessable_content
     end
   end
-
-  private
-
-  def redirect_to_dashboard_if_cis2_is_enabled
-    redirect_to dashboard_path if Settings.cis2.enabled
-  end
 end

app/forms/select_team_form.rb

@@ -13,21 +13,34 @@ class SelectTeamForm
   def save
     return false if invalid?
 
-    cis2_info.update!(
-      organisation_name: team.name,
-      organisation_code: organisation.ods_code,
-      role_code: CIS2Info::NURSE_ROLE,
-      workgroups: [CIS2Info::WORKGROUP]
-    )
+    team = teams.find(team_id)
+
+    cis2_info.update!(team_workgroup: team.workgroup)
+
+    unless Settings.cis2.enabled
+      cis2_info.update!(
+        organisation_code: team.organisation.ods_code,
+        role_code: CIS2Info::NURSE_ROLE,
+        workgroups: [CIS2Info::WORKGROUP] + [team.workgroup]
+      )
+    end
 
     true
   end
 
-  private
-
-  def team = current_user.teams.includes(:organisation).find(team_id)
+  def teams
+    if Settings.cis2.enabled
+      cis2_info
+        .organisation
+        .teams
+        .where(workgroup: cis2_info.workgroups)
+        .includes(:organisation)
+    else
+      current_user.teams.includes(:organisation)
+    end
+  end
 
-  delegate :organisation, to: :team
+  private
 
-  def team_id_values = current_user.teams.pluck(:id)
+  def team_id_values = teams.pluck(:id)
 end

app/models/cis2_info.rb

@@ -14,6 +14,7 @@ class CIS2Info
   attribute :role_name
   attribute :role_code
   attribute :workgroups, array: true
+  attribute :team_workgroup
   attribute :has_other_roles, :boolean
 
   def present? = attributes.compact_blank.present?
@@ -25,6 +26,14 @@ def organisation
       end
   end
 
+  def team
+    @team ||=
+      if (workgroup = team_workgroup).present? &&
+           workgroups&.include?(workgroup)
+        Team.find_by(organisation:, workgroup:)
+      end
+  end
+
   def has_workgroup? = workgroups&.include?(WORKGROUP) || false
 
   def is_admin? = role_code == ADMIN_ROLE

app/models/user.rb

@@ -39,6 +39,7 @@ class User < ApplicationRecord
   end
 
   has_and_belongs_to_many :teams
+  has_many :organisations, -> { distinct }, through: :teams
 
   has_many :programmes, through: :teams
 
@@ -96,13 +97,7 @@ def self.find_or_create_from_cis2_oidc(userinfo, teams)
 
   def selected_organisation = cis2_info.organisation
 
-  def selected_team
-    # TODO: Select the right team based on the user's workgroup.
-    @selected_team ||=
-      Team.includes(:location_programme_year_groups, :programmes).find_by(
-        organisation: selected_organisation
-      )
-  end
+  def selected_team = cis2_info.team
 
   def requires_email_and_password?
     provider.blank? || uid.blank?

app/views/users/teams/new.html.erb

@@ -6,10 +6,10 @@
   <%= f.govuk_error_summary %>
 
   <%= f.govuk_collection_radio_buttons :team_id,
-                                       current_user.teams.includes(:organisation),
+                                       @form.teams,
                                        :id,
                                        :name,
-                                       -> { _1.organisation.ods_code },
+                                       -> { "#{_1.workgroup} (#{_1.organisation.ods_code})" },
                                        legend: { text: legend, size: "xl", tag: "h1" } %>
 
   <%= f.govuk_submit %>

spec/factories/users.rb

@@ -38,17 +38,18 @@
             uploaded_by
           ] do
     transient do
-      team { Team.first || create(:team) }
+      team { Team.includes(:organisation).first || create(:team) }
 
       role_code { CIS2Info::NURSE_ROLE }
       role_workgroups { [CIS2Info::WORKGROUP] }
 
       cis2_info_hash do
         {
-          "organisation_name" => team.name,
           "organisation_code" => team.organisation.ods_code,
+          "organisation_name" => team.name,
           "role_code" => role_code,
-          "workgroups" => role_workgroups
+          "team_workgroup" => team.workgroup,
+          "workgroups" => (role_workgroups || []) + [team.workgroup]
         }
       end
     end