Allow user permissions to be granted/revoked in admin

1 files changed, 201 insertions, 0 deletions

diff --git a/t/app/controller/admin_permissions.t b/t/app/controller/admin_permissions.t
new file mode 100644
index 000000000..63b753ff3
--- /dev/null
+++ b/t/app/controller/admin_permissions.t
@@ -0,0 +1,201 @@
+use strict;
+use warnings;
+use Test::More;
+use LWP::Protocol::PSGI;
+
+use t::Mock::MapIt;
+use FixMyStreet::TestMech;
+
+my $mech = FixMyStreet::TestMech->new;
+
+my $user = $mech->create_user_ok('test@example.com', name => 'Test User');
+my $user2 = $mech->create_user_ok('test2@example.com', name => 'Test User 2');
+my $superuser = $mech->create_user_ok('superuser@example.com', name => 'Super User', is_superuser => 1);
+
+my $oxfordshire = $mech->create_body_ok(2237, 'Oxfordshire County Council', id => 2237);
+my $oxfordshireuser = $mech->create_user_ok('counciluser@example.com', name => 'Council User', from_body => $oxfordshire);
+
+my $bromley = $mech->create_body_ok(2482, 'Bromley Council', id => 2482);
+
+END {
+    $mech->delete_user( $user );
+    $mech->delete_user( $user2 );
+    $mech->delete_user( $superuser );
+    $mech->delete_user( $oxfordshireuser );
+}
+
+my $dt = DateTime->new(
+    year   => 2011,
+    month  => 04,
+    day    => 16,
+    hour   => 15,
+    minute => 47,
+    second => 23
+);
+
+my ($report) = $mech->create_problems_for_body(1, $oxfordshire->id, 'Test');
+my $report_id = $report->id;
+ok $report, "created test report - $report_id";
+
+$mech->log_in_ok( $oxfordshireuser->email );
+
+subtest "Users can't edit report without report_edit permission" => sub {
+    FixMyStreet::override_config {
+        ALLOWED_COBRANDS => [ 'oxfordshire' ],
+    }, sub {
+        $mech->get("/admin/report_edit/$report_id");
+        ok !$mech->res->is_success(), "want a bad response";
+        is $mech->res->code, 403, "got 403, can't edit report without report_edit permission";
+    };
+};
+
+subtest "Users can edit report with report_edit permission" => sub {
+    FixMyStreet::override_config {
+        ALLOWED_COBRANDS => [ 'oxfordshire' ],
+    }, sub {
+        $oxfordshireuser->user_body_permissions->create({
+            body => $oxfordshire,
+            permission_type => 'report_edit',
+        });
+
+        $mech->get_ok("/admin/report_edit/$report_id");
+        $mech->content_contains( $report->title );
+    };
+};
+
+subtest "Users can't edit another council's reports with their own council's report_edit permission" => sub {
+    FixMyStreet::override_config {
+        ALLOWED_COBRANDS => [ 'oxfordshire' ],
+    }, sub {
+        $report->bodies_str($bromley->id);
+        $report->cobrand('bromley');
+        $report->update;
+
+        $mech->get("/admin/report_edit/$report_id");
+        ok !$mech->res->is_success(), "want a bad response";
+        is $mech->res->code, 404, "got 404, can't edit report with incorrect body in report_edit permission";
+    };
+};
+
+
+FixMyStreet::override_config {
+    MAPIT_URL => 'http://mapit.uk/',
+    ALLOWED_COBRANDS => [ 'oxfordshire' ],
+}, sub {
+    LWP::Protocol::PSGI->register(t::Mock::MapIt->run_if_script, host => 'mapit.uk');
+
+    my $user2_id = $user2->id;
+    $report->update({ bodies_str => $oxfordshire->id });
+
+    foreach my $perm (0, 1) {
+        if ($perm) {
+            $oxfordshireuser->user_body_permissions->find_or_create({
+                body => $oxfordshire,
+                permission_type => 'user_edit',
+            });
+        }
+        foreach my $report_user ($user, $user2) {
+            $report->update({ user => $report_user });
+            foreach my $from_body (undef, $bromley, $oxfordshire) {
+                $user2->update({ from_body => $from_body });
+                my $result = ($from_body || '') eq $oxfordshire || $report->user eq $user2 ? ($perm ? 200 : 403 ) : 404;
+                my $u = $result == 200 ? 'can' : 'cannot';
+                my $b = $from_body ? $from_body->name : 'no body';
+                my $p = $perm ? 'with' : 'without';
+                my $r = $report->user eq $user2 ? 'with' : 'without';
+                subtest "User $u edit user for $b $p permission, $r cobrand relation" => sub {
+                    $mech->get("/admin/user_edit/$user2_id");
+                    my $success = $mech->res->is_success();
+                    ok $result == 200 ? $success : !$success, "got correct response";
+                    is $mech->res->code, $result, "got $result";
+                };
+            }
+        }
+    }
+
+    $oxfordshireuser->user_body_permissions->create({
+        body => $oxfordshire,
+        permission_type => 'user_assign_body',
+    });
+
+    subtest "Users can edit users of their own council" => sub {
+        $mech->get_ok("/admin/user_edit/$user2_id");
+        $mech->content_contains( $user2->name );
+
+        # We shouldn't be able to see the permissions tick boxes
+        $mech->content_lacks('Moderate report details');
+
+        $mech->submit_form_ok( { with_fields => {
+            name => 'Test Updated User 2',
+            email => $user2->email,
+            body => $user2->from_body->id,
+            phone => '',
+            flagged => undef,
+        } } );
+        $user2->discard_changes;
+        is $user2->name, 'Test Updated User 2', 'name changed';
+    };
+
+    $oxfordshireuser->user_body_permissions->create({
+        body => $oxfordshire,
+        permission_type => 'user_manage_permissions',
+    });
+
+    subtest "Users can edit permissions" => sub {
+        is $user2->user_body_permissions->count, 0, 'user2 has no permissions';
+
+        $mech->get_ok("/admin/user_edit/$user2_id");
+        $mech->content_contains('Moderate report details');
+
+        $mech->submit_form_ok( { with_fields => {
+            name => $user2->name,
+            email => $user2->email,
+            body => $user2->from_body->id,
+            phone => '',
+            flagged => undef,
+            "permissions[moderate]" => 'on',
+            "permissions[report_edit_category]" => undef,
+            "permissions[report_edit_priority]" => undef,
+            "permissions[report_inspect]" => undef,
+            "permissions[report_instruct]" => undef,
+            "permissions[contribute_as_another_user]" => undef,
+            "permissions[contribute_as_body]" => undef,
+            "permissions[user_edit]" => undef,
+            "permissions[user_manage_permissions]" => undef,
+            "permissions[user_assign_areas]" => undef,
+        } } );
+
+        ok $user2->has_permission_to("moderate", $user2->from_body->id), "user2 has been granted moderate permission";
+    };
+
+    subtest "Unsetting user from_body removes all permissions " => sub {
+        is $user2->user_body_permissions->count, 1, 'user2 has 1 permission';
+
+        $mech->get_ok("/admin/user_edit/$user2_id");
+        $mech->content_contains('Moderate report details');
+
+        $mech->submit_form_ok( { with_fields => {
+            name => $user2->name,
+            email => $user2->email,
+            body => undef,
+            phone => '',
+            flagged => undef,
+            "permissions[moderate]" => 'on', # NB tick box is left on deliberately
+            "permissions[report_edit_category]" => undef,
+            "permissions[report_edit_priority]" => undef,
+            "permissions[report_inspect]" => undef,
+            "permissions[report_instruct]" => undef,
+            "permissions[contribute_as_another_user]" => undef,
+            "permissions[contribute_as_body]" => undef,
+            "permissions[user_edit]" => undef,
+            "permissions[user_manage_permissions]" => undef,
+            "permissions[user_assign_areas]" => undef,
+        } } );
+
+        is $user2->user_body_permissions->count, 0, 'user2 has had permissions removed';
+    };
+};
+
+$mech->log_out_ok;
+
+done_testing();