Withdraw link permissions logic and tests added (#61)

chrissmKainos · web-flow · commit 440966f739ae · 2023-02-07T11:31:15.000Z
diff --git a/app/routes/view-application.js b/app/routes/view-application.js
@@ -5,6 +5,7 @@ const { administrator, processor, user } = require('../auth/permissions')
 const getStyleClassByStatus = require('../constants/status')
 const ViewModel = require('./models/view-application')
 const { upperFirstLetter } = require('../lib/display-helper')
+const mapAuth = require('../auth/map-auth')
 
 module.exports = {
   method: 'GET',
@@ -28,8 +29,10 @@ module.exports = {
 
       const status = upperFirstLetter(application.status.status.toLowerCase())
       const statusClass = getStyleClassByStatus(application.status.status)
+      const mappedAuth = mapAuth(request)
       const withdrawLinkStatus = ['IN CHECK', 'AGREED']
-      const withdrawConfirmationForm = application.status.status !== 'WITHDRAWN' && withdrawLinkStatus.includes(application.status.status) && request.query.withdraw
+      const withdrawLink = withdrawLinkStatus.includes(application.status.status) && mappedAuth.isAdministrator
+      const withdrawConfirmationForm = application.status.status !== 'WITHDRAWN' && withdrawLink && request.query.withdraw
 
       return h.view('view-application', {
         applicationId: application.reference,
@@ -38,7 +41,7 @@ module.exports = {
         organisationName: application?.data?.organisation?.name,
         vetVisit: application?.vetVisit,
         claimed: application?.claimed,
-        withdrawLink: withdrawLinkStatus.includes(application.status.status),
+        withdrawLink,
         withdrawConfirmationForm,
         payment: application?.payment,
         ...new ViewModel(application),
diff --git a/app/routes/withdraw-application.js b/app/routes/withdraw-application.js
@@ -1,10 +1,12 @@
 const Joi = require('joi')
 const { withdrawApplication } = require('../api/applications')
+const { administrator } = require('../auth/permissions')
 
 module.exports = {
   method: 'POST',
   path: '/withdraw-application',
   options: {
+    auth: { scope: [administrator] },
     validate: {
       payload: Joi.object({
         withdrawConfirmation: Joi.string().valid('yes', 'no'),
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "ffc-ahwr-backoffice",
-  "version": "1.15.0",
+  "version": "1.15.1",
   "description": "Back office of the health and welfare of your livestock",
   "homepage": "https://github.com/DEFRA/ffc-ahwr-backoffice",
   "main": "app/index.js",
@@ -12,6 +12,7 @@
     "test:watch": "jest --coverage=false --onlyChanged --watch --runInBand",
     "test:watch:all": "npm-run-all --parallel test:watch build:watch",
     "test:lint": "standard",
+    "test:lint-fix": "standard --fix",
     "test:debug": "node --inspect-brk=0.0.0.0 ./node_modules/jest/bin/jest.js --coverage=false --onlyChanged --watch --runInBand --no-cache",
     "start:watch": "npm-run-all --parallel build:watch start:nodemon",
     "start:debug": "nodemon --inspect-brk=0.0.0.0 --ext css,js,njk --legacy-watch app/index.js",
@@ -57,6 +58,7 @@
     "cheerio": "^1.0.0-rc.10",
     "clean-webpack-plugin": "^4.0.0",
     "css-loader": "^6.6.0",
+    "dotenv": "^16.0.3",
     "file-loader": "^6.2.0",
     "html-webpack-plugin": "^5.5.0",
     "jest": "^28.1.3",
diff --git a/test/data/view-applications.json b/test/data/view-applications.json
@@ -137,5 +137,30 @@
     "createdAt": "2022-06-06T14:27:51.251Z",
     "updatedAt": "2022-06-06T14:27:51.775Z",
     "createdBy": "admin"
+  },
+  "incheck": {
+    "id": "75216bb8-b4e6-40aa-b51f-24e8a90f7195",
+    "reference": "AHWR-555A-FD4C",
+    "status": { "status": "IN CHECK" },
+    "data": {
+      "declaration": true,
+      "whichReview": "sheep",
+      "offerStatus": "accepted",
+      "organisation": {
+        "cph": "33/333/3333",
+        "sbi": "333333333",
+        "name": "My Farm",
+        "email": "test@test.com",
+        "isTest": true,
+        "farmerName": "Farmer name",
+        "address": "Long dusty road, Middle-of-knowhere, In the countryside, CC33 3CC"
+      },
+      "eligibleSpecies": "yes",
+      "confirmCheckDetails": "yes"
+    },
+    "claimed": false,
+    "createdAt": "2022-06-06T14:27:51.251Z",
+    "updatedAt": "2022-06-06T14:27:51.775Z",
+    "createdBy": "admin"
   }
 }
diff --git a/test/integration/narrow/routes/view-application.test.js b/test/integration/narrow/routes/view-application.test.js
@@ -5,12 +5,23 @@ const { administrator } = require('../../../../app/auth/permissions')
 const viewApplicationData = require('.././../../data/view-applications.json')
 const reference = 'AHWR-555A-FD4C'
 
+function expectWithdrawLink ($, reference, isWithdrawLinkVisible) {
+  if (isWithdrawLinkVisible) {
+    expect($('.govuk-link').hasClass)
+    const withdrawLink = $('.govuk-link')
+    expect(withdrawLink.text()).toMatch('Withdraw')
+    expect(withdrawLink.attr('href')).toMatch(`/view-application/${reference}?page=1&withdraw=true`)
+  } else {
+    expect($('.govuk-link').not.hasClass)
+  }
+}
+
 jest.mock('../../../../app/api/applications')
 
 describe('View Application test', () => {
   const url = `/view-application/${reference}`
   jest.mock('../../../../app/auth')
-  const auth = { strategy: 'session-auth', credentials: { scope: [administrator] } }
+  let auth = { strategy: 'session-auth', credentials: { scope: [administrator] } }
 
   beforeEach(() => {
     jest.clearAllMocks()
@@ -38,7 +49,12 @@ describe('View Application test', () => {
       expect($('h1.govuk-heading-l').text()).toEqual('400 - Bad Request')
       expectPhaseBanner.ok($)
     })
-    test('returns 200 application agreed', async () => {
+    test.each([
+      ['administrator', true],
+      ['processor', false],
+      ['user', false]
+    ])('returns 200 application agreed - %s role', async (authScope, isWithdrawLinkVisible) => {
+      auth = { strategy: 'session-auth', credentials: { scope: [authScope] } }
       applications.getApplication.mockReturnValueOnce(viewApplicationData.agreed)
       const options = {
         method: 'GET',
@@ -75,6 +91,9 @@ describe('View Application test', () => {
       expect($('tbody tr:nth-child(5)').text()).toContain('Agreement accepted')
       expect($('tbody tr:nth-child(5)').text()).toContain('Yes')
       expect($('#claim').text()).toContain('Not claimed yet')
+
+      expectWithdrawLink($, reference, isWithdrawLinkVisible)
+
       expectPhaseBanner.ok($)
     })
     test('returns 200 application applied', async () => {
@@ -114,6 +133,9 @@ describe('View Application test', () => {
       expect($('tbody tr:nth-child(5)').text()).toContain('Agreement accepted')
       expect($('tbody tr:nth-child(5)').text()).toContain('No')
       expect($('#claim').text()).toContain('Not eligible to claim')
+
+      expectWithdrawLink($, reference, false)
+
       expectPhaseBanner.ok($)
     })
     test('returns 200 application data inputted', async () => {
@@ -143,6 +165,9 @@ describe('View Application test', () => {
       expect($('.govuk-summary-list__value').eq(3).text()).toMatch('test@test.com')
 
       expect($('#claim').text()).toContain('Not eligible to claim')
+
+      expectWithdrawLink($, reference, false)
+
       expectPhaseBanner.ok($)
     })
     test('returns 200 application claim', async () => {
@@ -185,6 +210,9 @@ describe('View Application test', () => {
       expect($('tbody:nth-child(1) tr:nth-child(5)').text()).toContain('1234234')
       expect($('tbody:nth-child(1) tr:nth-child(6)').text()).toContain('Test results unique reference number (URN)')
       expect($('tbody:nth-child(1) tr:nth-child(6)').text()).toContain('134242')
+
+      expectWithdrawLink($, reference, false)
+
       expectPhaseBanner.ok($)
     })
     test('returns 200 application paid', async () => {
@@ -214,6 +242,56 @@ describe('View Application test', () => {
       expect($('.govuk-summary-list__value').eq(3).text()).toMatch('test@test.com')
 
       expect($('#claim').text()).toContain('Claimed')
+
+      expectWithdrawLink($, reference, false)
+
+      expectPhaseBanner.ok($)
+    })
+    test.each([
+      ['administrator', true],
+      ['processor', false],
+      ['user', false]
+    ])('returns 200 application in check - %s role', async (authScope, isWithdrawLinkVisible) => {
+      auth = { strategy: 'session-auth', credentials: { scope: [authScope] } }
+      applications.getApplication.mockReturnValueOnce(viewApplicationData.incheck)
+      const options = {
+        method: 'GET',
+        url,
+        auth
+      }
+      const res = await global.__SERVER__.inject(options)
+      expect(res.statusCode).toBe(200)
+      const $ = cheerio.load(res.payload)
+      expect($('h1.govuk-caption-l').text()).toContain(`Agreement number: ${reference}`)
+      expect($('h2.govuk-heading-l').text()).toContain('In check')
+      expect($('title').text()).toContain('Administration: User Application')
+      expect($('.govuk-summary-list__row').length).toEqual(4)
+      expect($('.govuk-summary-list__key').eq(0).text()).toMatch('Name:')
+      expect($('.govuk-summary-list__value').eq(0).text()).toMatch('Farmer name')
+
+      expect($('.govuk-summary-list__key').eq(1).text()).toMatch('SBI number:')
+      expect($('.govuk-summary-list__value').eq(1).text()).toMatch('333333333')
+
+      expect($('.govuk-summary-list__key').eq(2).text()).toMatch('Address:')
+      expect($('.govuk-summary-list__value').eq(2).text()).toMatch('Long dusty road, Middle-of-knowhere, In the countryside, CC33 3CC')
+
+      expect($('.govuk-summary-list__key').eq(3).text()).toMatch('Email address:')
+      expect($('.govuk-summary-list__value').eq(3).text()).toMatch('test@test.com')
+
+      expect($('tbody tr:nth-child(1)').text()).toContain('Date of agreement')
+      expect($('tbody tr:nth-child(1)').text()).toContain('06/06/2022')
+      expect($('tbody tr:nth-child(2)').text()).toContain('Business details correct')
+      expect($('tbody tr:nth-child(2)').text()).toContain('Yes')
+      expect($('tbody tr:nth-child(3)').text()).toContain('Type of review')
+      expect($('tbody tr:nth-child(3)').text()).toContain('Sheep')
+      expect($('tbody tr:nth-child(4)').text()).toContain('Number of livestock')
+      expect($('tbody tr:nth-child(4)').text()).toContain('Minimum 21')
+      expect($('tbody tr:nth-child(5)').text()).toContain('Agreement accepted')
+      expect($('tbody tr:nth-child(5)').text()).toContain('Yes')
+      expect($('#claim').text()).toContain('Not claimed yet')
+
+      expectWithdrawLink($, reference, isWithdrawLinkVisible)
+
       expectPhaseBanner.ok($)
     })
   })
diff --git a/test/integration/narrow/routes/withdraw-application.test.js b/test/integration/narrow/routes/withdraw-application.test.js
@@ -1,6 +1,6 @@
 const cheerio = require('cheerio')
 const expectPhaseBanner = require('../../../utils/phase-banner-expect')
-const { administrator } = require('../../../../app/auth/permissions')
+const { administrator, processor, user } = require('../../../../app/auth/permissions')
 const getCrumbs = require('../../../utils/get-crumbs')
 
 const applications = require('../../../../app/api/applications')
@@ -14,7 +14,6 @@ describe('View Application test', () => {
   let crumb
   const url = '/withdraw-application/'
   jest.mock('../../../../app/auth')
-  const auth = { strategy: 'session-auth', credentials: { scope: [administrator] } }
 
   beforeEach(async () => {
     crumb = await getCrumbs(global.__SERVER__)
@@ -31,7 +30,29 @@ describe('View Application test', () => {
       expect(res.statusCode).toBe(302)
     })
 
+    test('returns 403 when scope is not administrator', async () => {
+      const auth = { strategy: 'session-auth', credentials: { scope: [processor, user] } }
+      const options = {
+        method: 'POST',
+        url,
+        auth,
+        headers: { cookie: `crumb=${crumb}` },
+        payload: {
+          reference,
+          withdrawConfirmation: 'yes',
+          page: 1,
+          crumb
+        }
+      }
+      const res = await global.__SERVER__.inject(options)
+      expect(res.statusCode).toBe(403)
+      const $ = cheerio.load(res.payload)
+      expect($('h1.govuk-heading-l').text()).toEqual('403 - Forbidden')
+      expectPhaseBanner.ok($)
+    })
+
     test('returns 403', async () => {
+      const auth = { strategy: 'session-auth', credentials: { scope: [processor, user] } }
       const options = {
         method: 'POST',
         url,
@@ -48,6 +69,7 @@ describe('View Application test', () => {
     })
 
     test('Approve withdraw application', async () => {
+      const auth = { strategy: 'session-auth', credentials: { scope: [administrator] } }
       const options = {
         method: 'POST',
         url,
@@ -67,6 +89,7 @@ describe('View Application test', () => {
     })
 
     test('Cancel withdraw application', async () => {
+      const auth = { strategy: 'session-auth', credentials: { scope: [administrator] } }
       const options = {
         method: 'POST',
         url,
diff --git a/test/setup.js b/test/setup.js
@@ -1,3 +1,5 @@
+require('dotenv').config()
+
 beforeEach(async () => {
   // Set reference to server in order to close the server during teardown.
   jest.setTimeout(10000)

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+require('dotenv').config()`
	`2`	`+`
`1`	`3`	`beforeEach(async () => {`
`2`	`4`	`// Set reference to server in order to close the server during teardown.`
`3`	`5`	`jest.setTimeout(10000)`