Make superuser permissions based on activities

This updates how a user is allowed to perform certain superuser tasks by
checking their activity codes rather than the `mavissuperusers`
workgroup. This is being done to allow for a more granular permissions
system where different users have permission to perform different tasks.

Jira-Issue: MAV-1681

Author: thomasleese

app/models/cis2_info.rb

@@ -6,9 +6,9 @@ class CIS2Info
   NURSE_ROLE = "S8000:G8000:R8001"
   MEDICAL_SECRETARY_ROLE = "S8000:G8001:R8006"
 
-  SUPERUSER_WORKGROUP = "mavissuperusers"
-
+  ACCESS_SENSITIVE_FLAGGED_RECORDS_ACTIVITY_CODE = "B1611"
   INDEPENDENT_PRESCRIBING_ACTIVITY_CODE = "B0420"
+  LOCAL_SYSTEM_ADMINISTRATION_ACTIVITY_CODE = "B0062"
   PERSONAL_MEDICATION_ADMINISTRATION_ACTIVITY_CODE = "B0428"
 
   attribute :organisation_name
@@ -57,7 +57,8 @@ def is_prescriber?
   end
 
   def is_superuser?
-    workgroups.include?(SUPERUSER_WORKGROUP)
+    activity_codes.include?(ACCESS_SENSITIVE_FLAGGED_RECORDS_ACTIVITY_CODE) &&
+      activity_codes.include?(LOCAL_SYSTEM_ADMINISTRATION_ACTIVITY_CODE)
   end
 
   private

spec/factories/users.rb

@@ -44,7 +44,6 @@
       team { Team.includes(:organisation).first || create(:team) }
 
       role_code { CIS2Info::NURSE_ROLE }
-      role_workgroups { [] }
       activity_codes { [] }
 
       cis2_info_hash do
@@ -54,7 +53,7 @@
           "role_code" => role_code,
           "activity_codes" => activity_codes,
           "team_workgroup" => team.workgroup,
-          "workgroups" => role_workgroups + [team.workgroup]
+          "workgroups" => [team.workgroup]
         }
       end
     end
@@ -89,7 +88,12 @@
 
     trait :superuser do
       sequence(:email) { |n| "superuser-#{n}@example.com" }
-      role_workgroups { [CIS2Info::SUPERUSER_WORKGROUP] }
+      activity_codes do
+        [
+          CIS2Info::ACCESS_SENSITIVE_FLAGGED_RECORDS_ACTIVITY_CODE,
+          CIS2Info::LOCAL_SYSTEM_ADMINISTRATION_ACTIVITY_CODE
+        ]
+      end
       fallback_role { :superuser }
       show_in_suppliers { false }
     end

spec/models/user_spec.rb

@@ -254,12 +254,6 @@
 
           it { should be(true) }
         end
-
-        context "without workgroups" do
-          let(:user) { build(:medical_secretary, role_workgroups: []) }
-
-          it { should be(false) }
-        end
       end
 
       context "when the user is a nurse" do
@@ -272,12 +266,6 @@
 
           it { should be(true) }
         end
-
-        context "without workgroups" do
-          let(:user) { build(:nurse, role_workgroups: []) }
-
-          it { should be(false) }
-        end
       end
     end
 

spec/support/cis2_auth_helper.rb

@@ -135,8 +135,12 @@ def sign_in(user, organisation: nil, role: :nurse, superuser: false)
       prescriber: [CIS2Info::INDEPENDENT_PRESCRIBING_ACTIVITY_CODE]
     }.fetch(role)
 
+    if superuser
+      activity_codes << CIS2Info::ACCESS_SENSITIVE_FLAGGED_RECORDS_ACTIVITY_CODE
+      activity_codes << CIS2Info::LOCAL_SYSTEM_ADMINISTRATION_ACTIVITY_CODE
+    end
+
     workgroups = user.teams.where(organisation:).pluck(:workgroup)
-    workgroups << CIS2Info::SUPERUSER_WORKGROUP if superuser
 
     cis2_sign_in(user, ods_code:, role_code:, activity_codes:, workgroups:)
   end