#1791 - Enable Assessments tab view and NOA view for Public Institution Users - Part 5

sources/packages/backend/apps/api/src/auth/decorators/institution/institution-student-data-access.decorator.ts

@@ -8,7 +8,19 @@ export const INSTITUTION_HAS_STUDENT_DATA_ACCESS_KEY =
 
 /**
  * Provide context that it's consumer must be
- * validated to have access to data of given student.
+ * validated to have access to the student
+ * and their application if present.
  */
-export const HasStudentDataAccess = (studentIdParamName: string) =>
-  SetMetadata(INSTITUTION_HAS_STUDENT_DATA_ACCESS_KEY, studentIdParamName);
+export const HasStudentDataAccess = (
+  studentIdParamName: string,
+  applicationIdParamName?: string,
+) =>
+  SetMetadata(INSTITUTION_HAS_STUDENT_DATA_ACCESS_KEY, {
+    studentIdParamName,
+    applicationIdParamName,
+  });
+
+export interface HasStudentDataAccessParam {
+  studentIdParamName: string;
+  applicationIdParamName: string;
+}

sources/packages/backend/apps/api/src/auth/guards/institution/institution-student-data-access.guard.ts

@@ -3,10 +3,14 @@ import {
   CanActivate,
   ExecutionContext,
   ForbiddenException,
+  BadRequestException,
 } from "@nestjs/common";
 import { Reflector } from "@nestjs/core";
 import { IInstitutionUserToken } from "../..";
-import { INSTITUTION_HAS_STUDENT_DATA_ACCESS_KEY } from "../../decorators";
+import {
+  HasStudentDataAccessParam,
+  INSTITUTION_HAS_STUDENT_DATA_ACCESS_KEY,
+} from "../../decorators";
 import { InstitutionService } from "../../../services";
 
 @Injectable()
@@ -18,11 +22,10 @@ export class InstitutionStudentDataAccessGuard implements CanActivate {
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
     const institutionStudentDataAccessParam =
-      this.reflector.getAllAndOverride<string>(
+      this.reflector.getAllAndOverride<HasStudentDataAccessParam>(
         INSTITUTION_HAS_STUDENT_DATA_ACCESS_KEY,
         [context.getHandler(), context.getClass()],
       );
-
     if (!institutionStudentDataAccessParam) {
       return true;
     }
@@ -34,14 +37,30 @@ export class InstitutionStudentDataAccessGuard implements CanActivate {
       user: IInstitutionUserToken;
       params: Record<string, string>;
     } = context.switchToHttp().getRequest();
-
     if (user?.isActive) {
-      const studentId = +params[institutionStudentDataAccessParam];
+      let applicationId = undefined;
+      const studentId =
+        +params[institutionStudentDataAccessParam.studentIdParamName];
+      if (!studentId) {
+        // Student id not found in the url.
+        throw new BadRequestException("Student id not found in the url.");
+      }
+      if (institutionStudentDataAccessParam.applicationIdParamName) {
+        applicationId =
+          +params[institutionStudentDataAccessParam.applicationIdParamName];
+        if (!applicationId) {
+          // Application id not found in the url.
+          throw new BadRequestException("Application id not found in the url.");
+        }
+      }
+
       const hasStudentDataAccess =
         await this.institutionService.hasStudentDataAccess(
           user.authorizations.institutionId,
           studentId,
+          { applicationId },
         );
+
       if (hasStudentDataAccess) {
         return true;
       }

sources/packages/backend/apps/api/src/route-controllers/application-exception/_tests_/e2e/application-exception.institution.controller.getException.e2e-spec.ts

@@ -54,7 +54,7 @@ describe("ApplicationExceptionInstitutionsController(e2e)-getException", () => {
       );
       const applicationException = application.applicationException;
 
-      const endpoint = `/institutions/application-exception/student/${application.student.id}/exception/${applicationException.id}`;
+      const endpoint = `/institutions/application-exception/student/${application.student.id}/application/${application.id}/exception/${applicationException.id}`;
       const institutionUserToken = await getInstitutionToken(
         InstitutionTokenTypes.CollegeFUser,
       );
@@ -96,7 +96,7 @@ describe("ApplicationExceptionInstitutionsController(e2e)-getException", () => {
         { applicationExceptionStatus: ApplicationExceptionStatus.Approved },
       );
 
-    const endpoint = `/institutions/application-exception/student/${application.student.id}/exception/${collegeCApplication.applicationException.id}`;
+    const endpoint = `/institutions/application-exception/student/${application.student.id}/application/${application.id}/exception/${collegeCApplication.applicationException.id}`;
     const institutionUserToken = await getInstitutionToken(
       InstitutionTokenTypes.CollegeFUser,
     );
@@ -129,7 +129,7 @@ describe("ApplicationExceptionInstitutionsController(e2e)-getException", () => {
     const collegeCInstitutionUserToken = await getInstitutionToken(
       InstitutionTokenTypes.CollegeCUser,
     );
-    const endpoint = `/institutions/application-exception/student/${student.id}/exception/9999999`;
+    const endpoint = `/institutions/application-exception/student/${student.id}/application/${collegeCApplication.id}/exception/9999999`;
 
     // Act/Assert
     await request(app.getHttpServer())
@@ -152,7 +152,7 @@ describe("ApplicationExceptionInstitutionsController(e2e)-getException", () => {
       InstitutionTokenTypes.CollegeFUser,
     );
 
-    const endpoint = `/institutions/application-exception/student/${student.id}/exception/9999999`;
+    const endpoint = `/institutions/application-exception/student/${student.id}/application/9999999/exception/9999999`;
 
     // Act/Assert
     await request(app.getHttpServer())

sources/packages/backend/apps/api/src/route-controllers/application-exception/application-exception.controller.service.ts

@@ -18,6 +18,7 @@ export class ApplicationExceptionControllerService {
    * @param exceptionId exception to be retrieved.
    * @param options options
    * - `studentId` student id.
+   * - `applicationId` application id.
    * - `assessDetails`, if true, will return access details.
    * @returns student application exception information.
    */
@@ -29,14 +30,15 @@ export class ApplicationExceptionControllerService {
     exceptionId: number,
     options?: {
       studentId?: number;
+      applicationId?: number;
       assessDetails?: boolean;
     },
   ): Promise<T> {
     const applicationException =
-      await this.applicationExceptionService.getExceptionDetails(
-        exceptionId,
-        options?.studentId,
-      );
+      await this.applicationExceptionService.getExceptionDetails(exceptionId, {
+        studentId: options?.studentId,
+        applicationId: options?.applicationId,
+      });
     if (!applicationException) {
       throw new NotFoundException("Student application exception not found.");
     }

sources/packages/backend/apps/api/src/route-controllers/application-exception/application-exception.institutions.controller.ts

@@ -17,7 +17,7 @@ import { ApplicationExceptionControllerService } from "./application-exception.c
 @AllowAuthorizedParty(AuthorizedParties.institution)
 @Controller("application-exception")
 @IsBCPublicInstitution()
-@HasStudentDataAccess("studentId")
+@HasStudentDataAccess("studentId", "applicationId")
 @ApiTags(`${ClientTypeBaseRoute.Institution}-application-exception`)
 export class ApplicationExceptionInstitutionsController extends BaseController {
   constructor(
@@ -29,20 +29,22 @@ export class ApplicationExceptionInstitutionsController extends BaseController {
   /**
    * Get a student application exception of a student.
    * @param studentId student id.
+   * @param applicationId application id.
    * @param exceptionId exception to be retrieved.
    * @returns student application exception information.
    */
-  @Get("student/:studentId/exception/:exceptionId")
+  @Get("student/:studentId/application/:applicationId/exception/:exceptionId")
   @ApiNotFoundResponse({
     description: "Student application exception not found.",
   })
   async getException(
     @Param("studentId", ParseIntPipe) studentId: number,
+    @Param("applicationId", ParseIntPipe) applicationId: number,
     @Param("exceptionId", ParseIntPipe) exceptionId: number,
   ): Promise<ApplicationExceptionAPIOutDTO> {
     return this.applicationExceptionControllerService.getExceptionDetails<ApplicationExceptionAPIOutDTO>(
       exceptionId,
-      { studentId },
+      { studentId, applicationId },
     );
   }
 }

sources/packages/backend/apps/api/src/route-controllers/assessment/_tests_/e2e/assessment.institutions.controller.getAssessmentAwardDetails.e2e-spec.ts

@@ -115,7 +115,7 @@ describe("AssessmentInstitutionsController(e2e)-getAssessmentAwardDetails", () =
       ] = disbursementReceiptsValue.grantAmount;
     });
 
-    const endpoint = `/institutions/assessment/student/${student.id}/assessment/${assessment.id}/award`;
+    const endpoint = `/institutions/assessment/student/${student.id}/application/${application.id}/assessment/${assessment.id}/award`;
     const institutionUserToken = await getInstitutionToken(
       InstitutionTokenTypes.CollegeFUser,
     );
@@ -172,7 +172,7 @@ describe("AssessmentInstitutionsController(e2e)-getAssessmentAwardDetails", () =
       },
     );
     await db.msfaaNumber.save(currentMSFAA);
-    await saveFakeApplicationDisbursements(db.dataSource, {
+    const application = await saveFakeApplicationDisbursements(db.dataSource, {
       institution: collegeF,
       institutionLocation: collegeFLocation,
       student,
@@ -183,7 +183,7 @@ describe("AssessmentInstitutionsController(e2e)-getAssessmentAwardDetails", () =
       InstitutionTokenTypes.CollegeFUser,
     );
 
-    const endpoint = `/institutions/assessment/student/${student.id}/assessment/9999999/award`;
+    const endpoint = `/institutions/assessment/student/${student.id}/application/${application.id}/assessment/9999999/award`;
 
     // Act/Assert
     await request(app.getHttpServer())
@@ -213,7 +213,7 @@ describe("AssessmentInstitutionsController(e2e)-getAssessmentAwardDetails", () =
     const collegeCInstitutionUserToken = await getInstitutionToken(
       InstitutionTokenTypes.CollegeCUser,
     );
-    const endpoint = `/institutions/assessment/student/${student.id}/assessment/9999999/award`;
+    const endpoint = `/institutions/assessment/student/${student.id}/application/${collegeCApplication.id}/assessment/9999999/award`;
 
     // Act/Assert
     await request(app.getHttpServer())
@@ -236,7 +236,7 @@ describe("AssessmentInstitutionsController(e2e)-getAssessmentAwardDetails", () =
       InstitutionTokenTypes.CollegeFUser,
     );
 
-    const endpoint = `/institutions/assessment/student/${student.id}/assessment/9999999/award`;
+    const endpoint = `/institutions/assessment/student/${student.id}/application/9999999/assessment/9999999/award`;
 
     // Act/Assert
     await request(app.getHttpServer())

sources/packages/backend/apps/api/src/route-controllers/assessment/_tests_/e2e/assessment.institutions.controller.getAssessmentNOA.e2e-spec.ts

@@ -81,7 +81,7 @@ describe("AssessmentInstitutionsController(e2e)-getAssessmentNOA", () => {
         disbursement.valueAmount;
     });
 
-    const endpoint = `/institutions/assessment/student/${student.id}/assessment/${assessment.id}/noa`;
+    const endpoint = `/institutions/assessment/student/${student.id}/application/${application.id}/assessment/${assessment.id}/noa`;
     const institutionUserToken = await getInstitutionToken(
       InstitutionTokenTypes.CollegeFUser,
     );
@@ -149,7 +149,7 @@ describe("AssessmentInstitutionsController(e2e)-getAssessmentNOA", () => {
     application.currentAssessment.noaApprovalStatus = AssessmentStatus.required;
     application.currentAssessment.assessmentData = null;
     await db.application.save(application);
-    const endpoint = `/institutions/assessment/student/${student.id}/assessment/${application.currentAssessment.id}/noa`;
+    const endpoint = `/institutions/assessment/student/${student.id}/application/${application.id}/assessment/${application.currentAssessment.id}/noa`;
     const institutionUserToken = await getInstitutionToken(
       InstitutionTokenTypes.CollegeFUser,
     );
@@ -177,14 +177,14 @@ describe("AssessmentInstitutionsController(e2e)-getAssessmentNOA", () => {
       },
     );
     await db.msfaaNumber.save(currentMSFAA);
-    await saveFakeApplicationDisbursements(db.dataSource, {
+    const application = await saveFakeApplicationDisbursements(db.dataSource, {
       institution: collegeF,
       institutionLocation: collegeFLocation,
       student,
       msfaaNumber: currentMSFAA,
     });
 
-    const endpoint = `/institutions/assessment/student/${student.id}/assessment/9999999/noa`;
+    const endpoint = `/institutions/assessment/student/${student.id}/application/${application.id}/assessment/9999999/noa`;
     const institutionUserToken = await getInstitutionToken(
       InstitutionTokenTypes.CollegeFUser,
     );
@@ -217,7 +217,7 @@ describe("AssessmentInstitutionsController(e2e)-getAssessmentNOA", () => {
     const collegeCInstitutionUserToken = await getInstitutionToken(
       InstitutionTokenTypes.CollegeCUser,
     );
-    const endpoint = `/institutions/assessment/student/${student.id}/assessment/9999999/noa`;
+    const endpoint = `/institutions/assessment/student/${student.id}/application/${collegeCApplication.id}/assessment/9999999/noa`;
 
     // Act/Assert
     await request(app.getHttpServer())
@@ -240,7 +240,7 @@ describe("AssessmentInstitutionsController(e2e)-getAssessmentNOA", () => {
       InstitutionTokenTypes.CollegeFUser,
     );
 
-    const endpoint = `/institutions/assessment/student/${student.id}/assessment/9999999/noa`;
+    const endpoint = `/institutions/assessment/student/${student.id}/application/9999999/assessment/9999999/noa`;
 
     // Act/Assert
     await request(app.getHttpServer())

sources/packages/backend/apps/api/src/route-controllers/assessment/assessment.controller.service.ts

@@ -46,19 +46,21 @@ export class AssessmentControllerService {
    * @param assessmentId assessment id to be retrieved.
    * @param options for NOA.
    * - `studentId` optional student for authorization when needed.
+   * - `applicationId` application id,
    * - `maskMSFAA` mask MSFAA or not.
    * @returns notice of assessment data.
    */
   async getAssessmentNOA(
     assessmentId: number,
     options?: {
       studentId?: number;
+      applicationId?: number;
       maskMSFAA?: boolean;
     },
   ): Promise<AssessmentNOAAPIOutDTO> {
     const assessment = await this.assessmentService.getAssessmentForNOA(
       assessmentId,
-      options?.studentId,
+      { studentId: options?.studentId, applicationId: options?.applicationId },
     );
 
     if (!assessment) {
@@ -152,17 +154,23 @@ export class AssessmentControllerService {
    * @param assessmentId assessment to which awards details belong to.
    * @param includeDocumentNumber when true document number is mapped
    * to disbursement dynamic data.
-   * @param studentId studentId student to whom the award details belong to.
+   * @param options options,
+   * - `studentId` studentId student to whom the award details belong to.
+   * - `applicationId` application is used for authorization purposes to
+   * ensure that a user has access to the specific application data.
    * @returns estimated and actual award details.
    */
   async getAssessmentAwardDetails(
     assessmentId: number,
     includeDocumentNumber = false,
-    studentId?: number,
+    options?: {
+      studentId?: number;
+      applicationId?: number;
+    },
   ): Promise<AwardDetailsAPIOutDTO> {
     const assessment = await this.assessmentService.getAssessmentForNOA(
       assessmentId,
-      studentId,
+      options,
     );
 
     if (!assessment) {
@@ -180,7 +188,7 @@ export class AssessmentControllerService {
       const disbursementReceipts =
         await this.disbursementReceiptService.getDisbursementReceiptByAssessment(
           assessmentId,
-          studentId,
+          options,
         );
       if (disbursementReceipts.length) {
         finalAward = this.populateDisbursementReceiptAwardValues(