Merge pull request #4261 from nhsuk/require-team-workgroup-to-sign-in

Require team workgroup to sign in

Author: thomasleese

app/controllers/concerns/authentication_concern.rb

@@ -17,12 +17,12 @@ def authenticate_user!
           redirect_to start_path
         end
       elsif cis2_enabled?
-        if !selected_cis2_workgroup_is_valid?
-          redirect_to users_workgroup_not_found_path
-        elsif !selected_cis2_role_is_valid?
+        if !selected_cis2_role_is_valid?
           redirect_to users_role_not_found_path
         elsif !selected_cis2_org_is_registered?
           redirect_to users_organisation_not_found_path
+        elsif !selected_cis2_workgroup_is_valid?
+          redirect_to users_workgroup_not_found_path
         end
       end
     end
@@ -36,7 +36,7 @@ def selected_cis2_org_is_registered?
     end
 
     def selected_cis2_workgroup_is_valid?
-      cis2_info.has_workgroup?
+      cis2_info.has_valid_workgroup?
     end
 
     def selected_cis2_role_is_valid?

app/controllers/users/omniauth_callbacks_controller.rb

@@ -15,12 +15,12 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   def cis2
     set_cis2_session_info
 
-    if !selected_cis2_workgroup_is_valid?
-      redirect_to users_workgroup_not_found_path
-    elsif !selected_cis2_role_is_valid?
+    if !selected_cis2_role_is_valid?
       redirect_to users_role_not_found_path
     elsif !selected_cis2_org_is_registered?
       redirect_to users_organisation_not_found_path
+    elsif !selected_cis2_workgroup_is_valid?
+      redirect_to users_workgroup_not_found_path
     else
       @user = User.find_or_create_from_cis2_oidc(user_cis2_info, valid_teams)
 
@@ -109,8 +109,7 @@ def set_cis2_session_info
       role_name: selected_cis2_nrbac_role["role_name"],
       role_code: selected_cis2_nrbac_role["role_code"],
       workgroups: selected_cis2_nrbac_role["workgroups"],
-      has_other_roles: raw_cis2_info["nhsid_nrbac_roles"].length > 1,
-      team_workgroup: nil
+      has_other_roles: raw_cis2_info["nhsid_nrbac_roles"].length > 1
     )
   end
 

app/forms/select_team_form.rb

@@ -21,7 +21,7 @@ def save
       cis2_info.update!(
         organisation_code: team.organisation.ods_code,
         role_code: CIS2Info::NURSE_ROLE,
-        workgroups: [CIS2Info::WORKGROUP] + [team.workgroup]
+        workgroups: [team.workgroup]
       )
     end
 
@@ -31,7 +31,7 @@ def save
   def teams
     @teams ||=
       if Settings.cis2.enabled
-        cis2_info.organisation.teams
+        cis2_info.organisation.teams.where(workgroup: cis2_info.workgroups)
       else
         current_user.teams.includes(:organisation)
       end

app/models/cis2_info.rb

@@ -6,7 +6,6 @@ class CIS2Info
   NURSE_ROLE = "S8000:G8000:R8001"
   ADMIN_ROLE = "S8000:G8001:R8006"
 
-  WORKGROUP = "schoolagedimmunisations"
   SUPERUSER_WORKGROUP = "mavissuperusers"
 
   attribute :organisation_name
@@ -28,12 +27,14 @@ def organisation
 
   def team
     @team ||=
-      if (workgroup = team_workgroup).present?
+      if (workgroup = team_workgroup).present? &&
+           workgroups&.include?(workgroup)
         Team.find_by(organisation:, workgroup:)
       end
   end
 
-  def has_workgroup? = workgroups&.include?(WORKGROUP) || false
+  def has_valid_workgroup? =
+    organisation&.teams&.exists?(workgroup: workgroups) || false
 
   def is_admin? = role_code == ADMIN_ROLE
 

app/views/users/errors/workgroup_not_found.html.erb

@@ -3,7 +3,7 @@
 <h2 class="nhsuk-heading-m">Contact your registration authority</h2>
 
 <p>
-  You need to belong to ‘<em><%= CIS2Info::WORKGROUP %></em>’ to use Mavis. If you think you should be in this workgroup, ask your registration authority to add you.
+  You need to belong to a workgroup to use Mavis. If you think you should be in the workgroup, ask your registration authority to add you.
 </p>
 
 <% if @cis2_info.has_other_roles %>

spec/factories/users.rb

@@ -43,7 +43,7 @@
       team { Team.includes(:organisation).first || create(:team) }
 
       role_code { CIS2Info::NURSE_ROLE }
-      role_workgroups { [CIS2Info::WORKGROUP] }
+      role_workgroups { [] }
 
       cis2_info_hash do
         {
@@ -83,7 +83,7 @@
     end
 
     trait :superuser do
-      role_workgroups { [CIS2Info::WORKGROUP, CIS2Info::SUPERUSER_WORKGROUP] }
+      role_workgroups { [CIS2Info::SUPERUSER_WORKGROUP] }
       fallback_role { :superuser }
     end
 

spec/features/user_cis2_authentication_from_redirect_spec.rb

@@ -21,7 +21,7 @@ def given_a_test_team_is_setup_in_mavis_and_cis2
       family_name: "Test",
       org_code: @team.organisation.ods_code,
       org_name: @team.name,
-      workgroups: [CIS2Info::WORKGROUP, @team.workgroup]
+      workgroups: [@team.workgroup]
     )
   end
 

spec/features/user_cis2_authentication_from_start_page_spec.rb

@@ -28,7 +28,7 @@ def given_a_test_team_is_setup_in_mavis_and_cis2
       family_name: "Test",
       org_code: @team.organisation.ods_code,
       org_name: @team.name,
-      workgroups: [CIS2Info::WORKGROUP, @team.workgroup]
+      workgroups: [@team.workgroup]
     )
   end
 

spec/features/user_cis2_authentication_with_empty_role_spec.rb

@@ -6,11 +6,11 @@
     when_i_go_to_the_sessions_page
     then_i_am_on_the_start_page
     when_i_click_the_cis2_login_button
-    then_i_see_the_wrong_workgroup_error
+    then_i_see_the_wrong_role_error
   end
 
   def given_i_am_setup_in_mavis_and_cis2_but_with_an_empty_role
-    @team = create :team, ods_code: "AB12"
+    @team = create(:team, ods_code: "AB12")
 
     mock_cis2_auth(selected_roleid: "")
   end
@@ -20,20 +20,20 @@ def when_i_click_the_cis2_login_button
   end
 
   def then_i_am_on_the_start_page
-    expect(page).to have_current_path start_path
+    expect(page).to have_current_path(start_path)
   end
 
   def when_i_go_to_the_sessions_page
     visit sessions_path
   end
 
   def then_i_see_the_sessions_page
-    expect(page).to have_current_path sessions_path
+    expect(page).to have_current_path(sessions_path)
   end
 
-  def then_i_see_the_wrong_workgroup_error
-    expect(
-      page
-    ).to have_heading "You’re not in the right workgroup to use this service"
+  def then_i_see_the_wrong_role_error
+    expect(page).to have_heading(
+      "You do not have permission to use this service"
+    )
   end
 end

spec/features/user_cis2_authentication_with_wrong_organisation_spec.rb

@@ -31,11 +31,15 @@ def setup_cis2_auth_mock
   end
 
   def given_i_am_setup_in_cis2_but_not_mavis
-    mock_cis2_auth(org_code: "A9A5A", org_name: "SAIS Team")
+    mock_cis2_auth(
+      org_code: "A9A5A",
+      org_name: "SAIS Team",
+      workgroups: %w[a9a5a]
+    )
   end
 
   def given_my_team_has_been_setup_in_mavis
-    @team = create(:team, ods_code: "A9A5A")
+    @team = create(:team, ods_code: "A9A5A", workgroup: "a9a5a")
   end
 
   def when_i_go_to_the_start_page