From 730d25ae7218d731590b322d4f419a7df6d4e4fb Mon Sep 17 00:00:00 2001 From: Matthew Somerville Date: Thu, 30 Apr 2020 13:56:31 +0100 Subject: Add ability to disallow updates in a category. Add a tickbox to the category admin, and do not allow updates on reports made in those selected categories. --- t/app/controller/admin/bodies.t | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/bodies.t b/t/app/controller/admin/bodies.t index c73a90da1..7ec7aed75 100644 --- a/t/app/controller/admin/bodies.t +++ b/t/app/controller/admin/bodies.t @@ -261,6 +261,17 @@ subtest 'open311 protection editing' => sub { is $contact->get_extra_metadata('open311_protect'), 1, 'Open311 protect flag set'; }; +subtest 'updates disabling' => sub { + $mech->get_ok('/admin/body/' . $body->id . '/test%20category'); + $mech->submit_form_ok( { with_fields => { + updates_disallowed => 1, + note => 'Disabling updates', + } } ); + $mech->content_contains('Values updated'); + my $contact = $body->contacts->find({ category => 'test category' }); + is $contact->get_extra_metadata('updates_disallowed'), 1, 'Updates disallowed flag set'; +}; + }; # END of override wrap -- cgit v1.2.3 From f6d807fd5217a19ac488f652d1f0853a7891231f Mon Sep 17 00:00:00 2001 From: Matthew Somerville Date: Fri, 1 May 2020 15:42:01 +0100 Subject: Add way to disallow report reopening in a category Add a tickbox to the category admin, and do not allow reopening on reports made in the selected categories. --- t/app/controller/admin/bodies.t | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/bodies.t b/t/app/controller/admin/bodies.t index 7ec7aed75..d3e4074f9 100644 --- a/t/app/controller/admin/bodies.t +++ b/t/app/controller/admin/bodies.t 
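Review bot: The 'updates disabling' subtest only exercises turning the flag on; nothing submits the form again with `updates_disallowed` unticked, so a handler that can set the flag but never clear it would still pass. A second round trip that re-fetches the contact and ends in `is $contact->get_extra_metadata('updates_disallowed'), undef, 'Updates disallowed flag cleared';` would pin that, assuming the handler unsets the key rather than storing 0. The same gap applies to the 'reopen disabling', 'test assigned_users_only setting' and second 'allow anonymous reporting' subtests added by later commits on this page. The flag is also left set on 'test category' for every subtest that follows inside the override wrap.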
@@ -272,6 +272,17 @@ subtest 'updates disabling' => sub { is $contact->get_extra_metadata('updates_disallowed'), 1, 'Updates disallowed flag set'; }; +subtest 'reopen disabling' => sub { + $mech->get_ok('/admin/body/' . $body->id . '/test%20category'); + $mech->submit_form_ok( { with_fields => { + reopening_disallowed => 1, + note => 'Disabling reopening', + } } ); + $mech->content_contains('Values updated'); + my $contact = $body->contacts->find({ category => 'test category' }); + is $contact->get_extra_metadata('reopening_disallowed'), 1, 'Reopening disallowed flag set'; +}; + }; # END of override wrap -- cgit v1.2.3 From ecc5a7b9ca20418f1bdb45cdc3ce5b41a11f3593 Mon Sep 17 00:00:00 2001 From: Matthew Somerville Date: Wed, 15 Apr 2020 19:12:31 +0100 Subject: Add assigned_(users|categories)_only functionality Users with assigned_categories_only will only see staff features on a report page in their assigned categories. Users will only see staff features on a report page in a category with assigned_users_only if it is in their assigned categories. --- t/app/controller/admin/bodies.t | 10 ++++++++++ t/app/controller/admin/users.t | 10 +++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/bodies.t b/t/app/controller/admin/bodies.t index d3e4074f9..883386380 100644 --- a/t/app/controller/admin/bodies.t +++ b/t/app/controller/admin/bodies.t 
@@ -261,6 +261,16 @@ subtest 'open311 protection editing' => sub { is $contact->get_extra_metadata('open311_protect'), 1, 'Open311 protect flag set'; }; +subtest 'test assigned_users_only setting' => sub { + $mech->get_ok('/admin/body/' . $body->id . '/test%20category'); + $mech->submit_form_ok( { with_fields => { + assigned_users_only => 1, + } } ); + $mech->content_contains('Values updated'); + my $contact = $body->contacts->find({ category => 'test category' }); + is $contact->get_extra_metadata('assigned_users_only'), 1; +}; + subtest 'updates disabling' => sub { $mech->get_ok('/admin/body/' . $body->id . '/test%20category'); $mech->submit_form_ok( { with_fields => { diff --git a/t/app/controller/admin/users.t b/t/app/controller/admin/users.t index 4f0298103..bc8d28e2d 100644 --- a/t/app/controller/admin/users.t +++ b/t/app/controller/admin/users.t @@ -299,6 +299,7 @@ FixMyStreet::override_config { flagged => undef, is_superuser => undef, area_ids => undef, + assigned_categories_only => undef, %default_perms, roles => $role->id, }, @@ -320,6 +321,7 @@ FixMyStreet::override_config { flagged => undef, is_superuser => undef, area_ids => undef, + assigned_categories_only => undef, %default_perms, roles => $role->id, }, @@ -341,6 +343,7 @@ FixMyStreet::override_config { flagged => undef, is_superuser => undef, area_ids => undef, + assigned_categories_only => undef, %default_perms, roles => $role->id, }, @@ -365,6 +368,7 @@ FixMyStreet::override_config { flagged => undef, is_superuser => undef, area_ids => undef, + assigned_categories_only => undef, %default_perms, }, changes => { @@ -385,6 +389,7 @@ FixMyStreet::override_config { flagged => 'on', is_superuser => undef, area_ids => undef, + assigned_categories_only => undef, %default_perms, }, changes => { 
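Review bot: The final assertion in 'test assigned_users_only setting' has no test name, unlike the sibling subtests around it, so a failure is reported by number only; `is $contact->get_extra_metadata('assigned_users_only'), 1, 'Assigned users only flag set';` matches the neighbouring style. The subtest also omits the `note` field that the other category edits in this file submit. If the admin form is meant to record a note for every change, that is worth asserting here; the hunk does not show whether it is required.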
@@ -394,7 +399,7 @@ FixMyStreet::override_config { log_entries => [qw/edit edit edit edit/], }, { - desc => 'edit user add is_superuser', + desc => 'edit user add is_superuser and assigned_categories_only', fields => { name => 'Changed User', email => 'changed@example.com', @@ -405,10 +410,12 @@ FixMyStreet::override_config { flagged => undef, is_superuser => undef, area_ids => undef, + assigned_categories_only => undef, %default_perms, }, changes => { is_superuser => 'on', + assigned_categories_only => 'on', }, removed => [ keys %default_perms, @@ -428,6 +435,7 @@ FixMyStreet::override_config { flagged => undef, is_superuser => 'on', area_ids => undef, + assigned_categories_only => 'on', }, changes => { is_superuser => undef, -- cgit v1.2.3 From 37306b9f6f4cb9b58c5e4a7bdc12e90dff879481 Mon Sep 17 00:00:00 2001 From: Matthew Somerville Date: Fri, 24 Apr 2020 17:35:50 +0100 Subject: Disable rename on unprotected Open311 categories. If you rename an Open311 category when it is not protected, it will only get reinstated/deleted by the Open311 populate script shortly after, and can cause issues due to the problem category renaming that occurs. --- t/app/controller/admin/bodies.t | 2 ++ 1 file changed, 2 insertions(+) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/bodies.t b/t/app/controller/admin/bodies.t index d3e4074f9..74084afbf 100644 --- a/t/app/controller/admin/bodies.t +++ b/t/app/controller/admin/bodies.t @@ -210,6 +210,7 @@ subtest 'check open311 configuring' => sub { subtest 'check open311 devolved editing' => sub { $mech->get_ok('/admin/body/' . $body->id . '/test%20category'); + $mech->content_contains("name=\"category\"\n size=\"30\" value=\"test category\"\n readonly>", 'Cannot edit Open311 category name'); $mech->submit_form_ok( { with_fields => { send_method => 'Email', email => 'testing@example.org', 
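Review bot: The added `content_contains` check in 'check open311 devolved editing' proves only that the category input is rendered with `readonly`, which is a browser-side hint. Nothing here posts a changed `category` value while the contact is still unprotected and not devolved, so the server-side refusal the commit message describes is not pinned by this file. A submit with a new `category` followed by `is $mech->res->code, 404;` on a `get` of the new name would cover it, as the 'check hardcoded contact renaming' subtest later on this page does for hardcoded contacts. The literal also depends on the template's exact newlines and spacing, as does the matching `required>` check in the next hunk (-217,6 +218,7); `content_like` with `qr/value="test category"[^>]*readonly/s` would survive template re-indentation. The subtest body continues outside both hunks.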
@@ -217,6 +218,7 @@ subtest 'check open311 devolved editing' => sub { } } ); $mech->content_contains('Values updated'); $mech->get_ok('/admin/body/' . $body->id . '/test%20category'); + $mech->content_contains("name=\"category\"\n size=\"30\" value=\"test category\"\n required>", 'Can edit as now devolved'); $mech->submit_form_ok( { with_fields => { send_method => '', email => 'open311-code', -- cgit v1.2.3 From 538a26498c3516b5bc24636414911b955333f934 Mon Sep 17 00:00:00 2001 From: Struan Donald Date: Wed, 6 May 2020 17:14:10 +0100 Subject: display user detail for contributed_by in report_edit Include name, email and body rather than just user id. --- t/app/controller/admin/report_edit.t | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/report_edit.t b/t/app/controller/admin/report_edit.t index 438bcc241..01f091412 100644 --- a/t/app/controller/admin/report_edit.t +++ b/t/app/controller/admin/report_edit.t @@ -9,6 +9,7 @@ my $user2 = $mech->create_user_ok('test2@example.com', name => 'Test User 2'); my $superuser = $mech->create_user_ok('superuser@example.com', name => 'Super User', is_superuser => 1); my $oxfordshire = $mech->create_body_ok(2237, 'Oxfordshire County Council'); +my $user3 = $mech->create_user_ok('body_user@example.com', name => 'Body User', from_body => $oxfordshire); my $oxfordshirecontact = $mech->create_contact_ok( body_id => $oxfordshire->id, category => 'Potholes', email => 'potholes@example.com' ); $mech->create_contact_ok( body_id => $oxfordshire->id, category => 'Traffic lights', email => 'lights@example.com' ); 
@@ -707,4 +708,20 @@ subtest "Test display of fields extra data" => sub { $mech->content_contains('Report URL (report_url): http://example.com'); }; +subtest "Test display of contributed_as data" => sub { + $report->update( { extra => undef } ); + $mech->get_ok("/admin/report_edit/$report_id"); + $mech->content_contains('Extra data: No'); + + $report->set_extra_metadata( contributed_as => 'another_user' ); + $report->set_extra_metadata( contributed_by => $user3->id ); + $report->update; + + $report->discard_changes; + + $mech->get_ok("/admin/report_edit/$report_id"); + $mech->content_like(qr!Created By: ]*>Body User \(@{[ $user3->email ]}!); + $mech->content_contains('Created Body: Oxfordshire County Council'); +}; + done_testing(); -- cgit v1.2.3 From c80f13eeac448e99873b690411d7f6e83b07dd06 Mon Sep 17 00:00:00 2001 From: Struan Donald Date: Thu, 7 May 2020 15:10:46 +0100 Subject: admin interface for per category anonymous reporting Add an interface to enable a category to accept anonymous reports, plus the code to handle permitting this. It's only available on single body cobrand sites in the default configuration. --- t/app/controller/admin/bodies.t | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/bodies.t b/t/app/controller/admin/bodies.t index 9f7b18cde..80ee22630 100644 --- a/t/app/controller/admin/bodies.t +++ b/t/app/controller/admin/bodies.t @@ -1,3 +1,13 @@ +package FixMyStreet::Cobrand::AnonAllowedByCategory; +use parent 'FixMyStreet::Cobrand::UKCouncils'; +sub council_url { 'anonbycategory' } +sub council_name { 'Aberdeen City Council' } +sub council_area { 'Aberdeen' } +sub council_area_id { 2650 } +sub anonymous_account { { email => 'anoncategory@example.org', name => 'Anonymous Category' } } + +package main; + use FixMyStreet::TestMech; my $mech = FixMyStreet::TestMech->new; 
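Review bot: In 'Test display of contributed_as data' the e-mail address is interpolated into the `content_like` pattern unquoted, so each `.` in it matches any character and an address containing other regex metacharacters would change the pattern. Writing it as `\Q@{[ $user3->email ]}\E` keeps the match literal. The assertion on 'Created Body: Oxfordshire County Council' has no test name either; adding one would make a failure easier to place.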
@@ -295,8 +305,32 @@ subtest 'reopen disabling' => sub { is $contact->get_extra_metadata('reopening_disallowed'), 1, 'Reopening disallowed flag set'; }; +subtest 'allow anonymous reporting' => sub { + $mech->get_ok('/admin/body/' . $body->id . '/test%20category'); + $mech->content_lacks('Allow anonymous reports'); +}; }; # END of override wrap +FixMyStreet::override_config { + MAPIT_URL => 'http://mapit.uk/', + MAPIT_TYPES => [ 'UTA' ], + BASE_URL => 'http://www.example.org', + ALLOWED_COBRANDS => [ "fixmystreet", "anonallowedbycategory" ], +}, sub { + +subtest 'allow anonymous reporting' => sub { + $mech->get_ok('/admin/body/' . $body->id . '/test%20category'); + $mech->submit_form_ok( { with_fields => { + anonymous_allowed => 1, + note => 'Anonymous Allowed', + } } ); + $mech->content_contains('Values updated'); + my $contact = $body->contacts->find({ category => 'test category' }); + is $contact->get_extra_metadata('anonymous_allowed'), 1, 'Anonymous reports allowed flag set'; +}; + +}; + FixMyStreet::override_config { MAPIT_URL => 'http://mapit.uk/', -- cgit v1.2.3 From 832dd8e367b9c83619981bf9828dea405d15ce02 Mon Sep 17 00:00:00 2001 From: Dave Arter Date: Tue, 16 Jun 2020 16:23:03 +0100 Subject: Display contents of lists in report extra data in admin --- t/app/controller/admin/report_edit.t | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/report_edit.t b/t/app/controller/admin/report_edit.t index 01f091412..f8101ab76 100644 --- a/t/app/controller/admin/report_edit.t +++ b/t/app/controller/admin/report_edit.t 
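Review bot: Both new subtests are named 'allow anonymous reporting', so the test output cannot tell the default-cobrand negative case from the anonallowedbycategory positive one; names such as 'anonymous reporting option hidden by default' and 'anonymous reporting option saved on single-body cobrand' would. The negative case also checks only that the 'Allow anonymous reports' text is absent from the page. Whether a posted `anonymous_allowed` value is ignored when the option is not offered is not exercised. Since the flag controls whether a category accepts anonymous reports, it is worth asserting that the contact's metadata stays unset in that configuration.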
@@ -686,16 +686,28 @@ subtest "Test display of fields extra data" => sub { $mech->get_ok("/admin/report_edit/$report_id"); $mech->content_contains('Extra data: No'); - $report->push_extra_fields( { - name => 'report_url', - value => 'http://example.com', - }); + $report->push_extra_fields( + { + name => 'report_url', + value => 'http://example.com', + }, + { + name => 'sent_to', + value => [ 'onerecipient@example.org' ], + }, + { + name => 'sent_too', + value => [ 'onemorerecipient@example.org', 'another@example.org' ], + }, + ); $report->update; $report->discard_changes; $mech->get_ok("/admin/report_edit/$report_id"); $mech->content_contains('report_url: http://example.com'); + $mech->content_contains('sent_to: onerecipient@example.org'); + $mech->content_contains('sent_too: onemorerecipient@example.org, another@example.org'); $report->set_extra_fields( { description => 'Report URL', -- cgit v1.2.3 From 9b7df4542b75f4463d0f3de0a8b68db32c2353a6 Mon Sep 17 00:00:00 2001 From: Matthew Somerville Date: Tue, 14 Jul 2020 14:51:43 +0100 Subject: [UK] Show message if site-wide update disallowed. --- t/app/controller/admin/bodies.t | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/bodies.t b/t/app/controller/admin/bodies.t index 80ee22630..75db6f87c 100644 --- a/t/app/controller/admin/bodies.t +++ b/t/app/controller/admin/bodies.t 
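Review bot: The new list fixtures in 'Test display of fields extra data' use only benign addresses, so the test does not show how the joined list is encoded when it is written into the admin page. Extra field values may originate outside the admin (inferred; the source of `sent_to` is not visible here), so one list element containing markup characters, with an assertion on the escaped form such as `$mech->content_contains('&lt;b&gt;')`, would pin the template's escaping for the new list branch. The enclosing subtest starts before and continues after the hunk.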
@@ -413,4 +413,31 @@ subtest 'check log of the above' => sub { $mech->content_contains('Edited body Aberdeen City Council'); }; +subtest 'check update disallowed message' => sub { + FixMyStreet::override_config { + MAPIT_URL => 'http://mapit.uk/', + ALLOWED_COBRANDS => 'bathnes', + COBRAND_FEATURES => { updates_allowed => { bathnes => 'open' } } + }, sub { + $mech->get_ok('/admin/body/' . $body->id .'/test%20category'); + $mech->content_contains('even if this is unticked, only open reports can have updates left on them.'); + }; + FixMyStreet::override_config { + MAPIT_URL => 'http://mapit.uk/', + ALLOWED_COBRANDS => 'bathnes', + COBRAND_FEATURES => { updates_allowed => { bathnes => 'staff' } } + }, sub { + $mech->get_ok('/admin/body/' . $body->id .'/test%20category'); + $mech->content_contains('even if this is unticked, only staff will be able to leave updates.'); + }; + FixMyStreet::override_config { + MAPIT_URL => 'http://mapit.uk/', + ALLOWED_COBRANDS => 'bathnes', + COBRAND_FEATURES => { updates_allowed => { bathnes => 'reporter' } } + }, sub { + $mech->get_ok('/admin/body/' . $body->id .'/test%20category'); + $mech->content_contains('even if this is unticked, only the problem reporter will be able to leave updates'); + }; +}; + done_testing(); -- cgit v1.2.3 From 67823bc788ce744e1228a8602b9a5aa805771ced Mon Sep 17 00:00:00 2001 From: Matthew Somerville Date: Fri, 10 Jul 2020 14:38:17 +0100 Subject: Centralise update creation to include fields. Given the user, we can infer the name if not provided, and the extra data if a staff user. We can also provide defaults for various other fields. Always have superuser take precedence over from_body. --- t/app/controller/admin/report_edit.t | 22 +++------------------- t/app/controller/admin/update_edit.t | 4 ++-- 2 files changed, 5 insertions(+), 21 deletions(-) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/report_edit.t b/t/app/controller/admin/report_edit.t index f8101ab76..e041154db 100644 
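Review bot: The three `FixMyStreet::override_config` blocks in 'check update disallowed message' differ only in the `updates_allowed` value and the expected sentence, and none of the `content_contains` calls carries a test name. Driving them from a small table keeps each setting next to its message and lets every assertion be labelled. The third expected string lacks the trailing full stop the other two have; it is kept as written below, but is worth checking against the template.

```perl
subtest 'check update disallowed message' => sub {
    my %message_for = (
        open     => 'even if this is unticked, only open reports can have updates left on them.',
        staff    => 'even if this is unticked, only staff will be able to leave updates.',
        reporter => 'even if this is unticked, only the problem reporter will be able to leave updates',
    );
    for my $setting (sort keys %message_for) {
        FixMyStreet::override_config {
            MAPIT_URL => 'http://mapit.uk/',
            ALLOWED_COBRANDS => 'bathnes',
            COBRAND_FEATURES => { updates_allowed => { bathnes => $setting } },
        }, sub {
            $mech->get_ok('/admin/body/' . $body->id .'/test%20category');
            $mech->content_contains($message_for{$setting}, "message shown for updates_allowed=$setting");
        };
    }
};
```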
--- a/t/app/controller/admin/report_edit.t +++ b/t/app/controller/admin/report_edit.t @@ -329,7 +329,6 @@ foreach my $test ( closed_updates => undef, }, expect_comment => 1, - user_body => $oxfordshire, changes => { state => 'investigating' }, log_entries => [ qw/edit state_change edit edit resend edit state_change edit state_change edit state_change edit state_change edit state_change edit edit edit edit edit/ @@ -351,7 +350,6 @@ foreach my $test ( }, expect_comment => 1, expected_text => '*Category changed from ‘Other’ to ‘Potholes’*', - user_body => $oxfordshire, changes => { state => 'in progress', category => 'Potholes' }, log_entries => [ qw/edit state_change category_change edit state_change edit edit resend edit state_change edit state_change edit state_change edit state_change edit state_change edit edit edit edit edit/ @@ -364,11 +362,6 @@ foreach my $test ( $report->comments->delete; $log_entries->reset; - if ( $test->{user_body} ) { - $superuser->from_body( $test->{user_body}->id ); - $superuser->update; - } - $mech->get_ok("/admin/report_edit/$report_id"); @{$test->{fields}}{'external_id', 'external_body', 'external_team', 'category'} = (13, "", "", "Other"); 
@@ -440,21 +433,12 @@ foreach my $test ( } else { is $comment->text, '', 'comment has no text'; } - if ( $test->{user_body} ) { - ok $comment->get_extra_metadata('is_body_user'), 'body user metadata set'; - ok !$comment->get_extra_metadata('is_superuser'), 'superuser metadata not set'; - is $comment->name, $test->{user_body}->name, 'comment name is body name'; - } else { - ok !$comment->get_extra_metadata('is_body_user'), 'body user metadata not set'; - ok $comment->get_extra_metadata('is_superuser'), 'superuser metadata set'; - is $comment->name, _('an administrator'), 'comment name is admin'; - } + ok !$comment->get_extra_metadata('is_body_user'), 'body user metadata not set'; + ok $comment->get_extra_metadata('is_superuser'), 'superuser metadata set'; + is $comment->name, _('an administrator'), 'comment name is admin'; } else { is $report->comments->count, 0, 'report has no comments'; } - - $superuser->from_body(undef); - $superuser->update; }; } diff --git a/t/app/controller/admin/update_edit.t b/t/app/controller/admin/update_edit.t index 57c8973d4..8650e7771 100644 --- a/t/app/controller/admin/update_edit.t +++ b/t/app/controller/admin/update_edit.t @@ -81,7 +81,7 @@ for my $test ( fields => { text => 'this is an update', state => 'confirmed', - name => '', + name => 'Test User', anonymous => 1, username => $update->user->email, }, @@ -96,7 +96,7 @@ for my $test ( fields => { text => 'this is a changed update', state => 'confirmed', - name => '', + name => 'Test User', anonymous => 1, username => $update->user->email, }, -- cgit v1.2.3 From 7af4f2cc87cd6ff55501bb2856193a03fe72158c Mon Sep 17 00:00:00 2001 From: M Somerville Date: Wed, 5 Aug 2020 15:56:10 +0100 Subject: Add database index for user full text search. --- t/app/controller/admin/users.t | 2 -- 1 file changed, 2 deletions(-) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/users.t b/t/app/controller/admin/users.t index bc8d28e2d..a3bd4a784 100644 
--- a/t/app/controller/admin/users.t +++ b/t/app/controller/admin/users.t @@ -84,8 +84,6 @@ subtest 'user search' => sub { permissions => ['moderate', 'user_edit'], }); $user->add_to_roles($role); - $mech->get_ok('/admin/users?search=' . $haringey->id ); - $mech->content_contains('test@example.com'); $mech->get_ok('/admin/users?role=' . $role->id); $mech->content_contains('selected>Role A'); $mech->content_contains('test@example.com'); -- cgit v1.2.3 From bf90bf71fbac2c8e1be96646715182f876eccd57 Mon Sep 17 00:00:00 2001 From: M Somerville Date: Fri, 2 Oct 2020 14:14:17 +0100 Subject: =?UTF-8?q?Don=E2=80=99t=20strip=20all=20spaces=20from=20Open311?= =?UTF-8?q?=20categories.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a category’s send method is Open311, only strip spaces from the ends of the code. We are aware of active Open311 servers that have codes with spaces in the middle. --- t/app/controller/admin/bodies.t | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/bodies.t b/t/app/controller/admin/bodies.t index 75db6f87c..b63cacd9d 100644 --- a/t/app/controller/admin/bodies.t +++ b/t/app/controller/admin/bodies.t @@ -231,9 +231,10 @@ subtest 'check open311 devolved editing' => sub { $mech->content_contains("name=\"category\"\n size=\"30\" value=\"test category\"\n required>", 'Can edit as now devolved'); $mech->submit_form_ok( { with_fields => { send_method => '', - email => 'open311-code', + email => 'open311 code', note => 'Removing email send method', } } ); + $mech->content_contains('open311 code'); $mech->content_contains('Values updated'); }; -- cgit v1.2.3 From 043bce556a17545c2c26386d8368f47ba8f541e6 Mon Sep 17 00:00:00 2001 
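Review bot: The changed fixture `email => 'open311 code'` covers a space in the middle of the code, but the other half of the rule in the commit message, stripping spaces from the ends, has no assertion. Submitting `' open311 code '` and checking the saved value with `is $contact->email, 'open311 code', 'outer spaces stripped, inner space kept';` after re-fetching the contact would cover both halves. As written, `content_contains('open311 code')` checks the rendered page rather than the stored value. This submit also sets `send_method => ''`, so it presumably relies on the body's own send method being Open311, which is configured outside the hunk.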
From: M Somerville Date: Wed, 7 Oct 2020 12:06:54 +0100 Subject: Show all category history even if category renamed --- t/app/controller/admin/bodies.t | 1 + 1 file changed, 1 insertion(+) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/bodies.t b/t/app/controller/admin/bodies.t index b63cacd9d..542c3f4c0 100644 --- a/t/app/controller/admin/bodies.t +++ b/t/app/controller/admin/bodies.t @@ -111,6 +111,7 @@ subtest 'check contact renaming' => sub { $mech->get('/admin/body/' . $body->id . '/test%20category'); is $mech->res->code, 404; $mech->get_ok('/admin/body/' . $body->id . '/testing%20category'); + $mech->content_contains('test2@example.com'); $report->discard_changes; is $report->category, 'testing category'; $mech->submit_form_ok( { with_fields => { category => 'test category' } } ); -- cgit v1.2.3 From 9150a5f72725d58055f9b5e60d339a781f9440f1 Mon Sep 17 00:00:00 2001 From: Struan Donald Date: Fri, 16 Oct 2020 15:11:50 +0100 Subject: allow bulk removal of staff status from users Bulk option to remove body, roles and permisions, and disable login in admin for users. Fixes mysociety/fixmystreet-commercial#2025 --- t/app/controller/admin/users.t | 49 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/users.t b/t/app/controller/admin/users.t index a3bd4a784..6f3971149 100644 --- a/t/app/controller/admin/users.t +++ b/t/app/controller/admin/users.t 
@@ -6,6 +6,8 @@ my $user = $mech->create_user_ok('test@example.com', name => 'Test User'); my $original_user_id = $user->id; # For log later my $user2 = $mech->create_user_ok('test2@example.com', name => 'Test User 2'); my $user3 = $mech->create_user_ok('test3@example.com', name => 'Test User 3'); +my $user4 = $mech->create_user_ok('test4@example.com', name => 'Test User 4'); +my $user5 = $mech->create_user_ok('test5@example.com', name => 'Test User 5'); my $superuser = $mech->create_user_ok('superuser@example.com', name => 'Super User', is_superuser => 1); @@ -13,6 +15,21 @@ my $oxfordshire = $mech->create_body_ok(2237, 'Oxfordshire County Council'); my $haringey = $mech->create_body_ok(2509, 'Haringey Borough Council'); my $southend = $mech->create_body_ok(2607, 'Southend-on-Sea Borough Council'); +$user4->from_body( $oxfordshire->id ); +$user4->update; +$user4->user_body_permissions->create( { + body => $oxfordshire, + permission_type => 'user_edit', +} ); +$user5->from_body( $oxfordshire->id ); +$user5->update; +my $occ_role = $user5->roles->create({ + body => $oxfordshire, + name => 'Role A', + permissions => ['moderate', 'user_edit'], +}); +$user5->add_to_roles($occ_role); + $mech->log_in_ok( $superuser->email ); subtest 'search abuse' => sub { 
@@ -97,6 +114,38 @@ subtest 'user assign role' => sub { is $user->roles->count, 1; }; +subtest 'remove users from staff' => sub { + is $user4->from_body->id, $oxfordshire->id, 'user4 has a body'; + is $user4->email_verified, 1, 'user4 email is verified'; + is $user4->user_body_permissions->count, 1, 'user4 has permissions'; + is $user5->from_body->id, $oxfordshire->id, 'user5 has a body'; + is $user5->email_verified, 1, 'user5 email is verified'; + is $user5->user_roles->count, 1, 'user5 has a role'; + + $mech->get_ok('/admin/users'); + $mech->content_contains($user4->email); + $mech->content_contains($user5->email); + + $mech->submit_form_ok({ with_fields => { uid => $user4->id, 'remove-staff' => 'remove-staff'} }); + $mech->content_lacks($user4->email); + $mech->content_contains($user5->email); + $user4->discard_changes; + $user5->discard_changes; + is $user4->from_body, undef, 'user4 removed from body'; + is $user4->email_verified, 0, 'user4 email unverified'; + is $user4->user_body_permissions->count, 0, 'no user4 permissions'; + is $user5->from_body->id, $oxfordshire->id, 'user5 has a body'; + is $user5->email_verified, 1, 'user5 email is verified'; + is $user5->user_roles->count, 1, 'user5 has a role'; + + $mech->submit_form_ok({ with_fields => { uid => $user5->id, 'remove-staff' => 'remove-staff'} }); + $mech->content_lacks($user5->email); + $user5->discard_changes; + is $user5->from_body, undef, 'user5 has no body'; + is $user5->email_verified, 0, 'user5 email unverified'; + is $user5->user_roles->count, 0, 'no user5 roles'; +}; + subtest 'search does not show user from another council' => sub { FixMyStreet::override_config { ALLOWED_COBRANDS => [ 'oxfordshire' ], -- cgit v1.2.3 From cfda101b3006f12280a41adc4b28ca555b867556 Mon Sep 17 00:00:00 2001 
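Review bot: 'remove users from staff' runs only as the logged-in superuser, so it shows that the bulk action works but not who is allowed to use it. The form identifies targets by `uid`, and the fixtures already give `$user4` the `user_edit` permission on Oxfordshire. A negative case in which a body-limited `user_edit` account submits the `uid` of a user from another body, with the target's `from_body`, roles and `email_verified` asserted unchanged, would pin the authorisation boundary. Whether the controller enforces that is not visible on this page.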
From: Struan Donald Date: Fri, 23 Oct 2020 14:28:38 +0100 Subject: prevent editing of category names with hardcoded flag If a category has hardcoded set to 1 in it's extra metadata then prevent the name being edited in the admin. This is to avoid issues where the name of the category is used in e.g. layers or other configuration and changing it breaks things. Also includes admin interface for setting this that is restricted to super users only. Fixes mysociety/fixmystreet-commercial#1992 --- t/app/controller/admin/bodies.t | 65 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) (limited to 't/app/controller/admin') diff --git a/t/app/controller/admin/bodies.t b/t/app/controller/admin/bodies.t index 542c3f4c0..811ac4362 100644 --- a/t/app/controller/admin/bodies.t +++ b/t/app/controller/admin/bodies.t @@ -15,6 +15,10 @@ my $mech = FixMyStreet::TestMech->new; my $superuser = $mech->create_user_ok('superuser@example.com', name => 'Super User', is_superuser => 1); $mech->log_in_ok( $superuser->email ); my $body = $mech->create_body_ok(2650, 'Aberdeen City Council'); +my $body2 = $mech->create_body_ok(2237, 'Oxfordshire County Council'); + +my $user = $mech->create_user_ok('user@example.com', name => 'OCC User', from_body => $body2); +$user->user_body_permissions->create({ body => $body2, permission_type => 'category_edit' }); # This override is wrapped around ALL the /admin/body tests FixMyStreet::override_config { @@ -117,6 +121,8 @@ subtest 'check contact renaming' => sub { $mech->submit_form_ok( { with_fields => { category => 'test category' } } ); }; + + subtest 'check contact updating' => sub { $mech->get_ok('/admin/body/' . $body->id . '/test%20category'); $mech->content_like(qr{test2\@example.com[^<]*[^<]*unconfirmed}s); 
@@ -442,4 +448,63 @@ subtest 'check update disallowed message' => sub { }; }; +subtest 'check hardcoded contact renaming' => sub { + FixMyStreet::override_config { + MAPIT_URL => 'http://mapit.uk/', + 'ALLOWED_COBRANDS' => [ 'oxfordshire' ], + }, sub { + my $contact = FixMyStreet::DB->resultset('Contact')->create( + { + body_id => $body2->id, + category => 'protected category', + state => 'confirmed', + editor => $0, + whenedited => \'current_timestamp', + note => 'protected contact', + email => 'protected@example.org', + } + ); + $contact->set_extra_metadata( 'hardcoded', 1 ); + $contact->update; + $mech->get_ok('/admin/body/' . $body2->id .'/protected%20category'); + $mech->content_contains( 'name="hardcoded"' ); + $mech->content_like( qr'value="protected category"[^>]*readonly's ); + $mech->submit_form_ok( { with_fields => { category => 'non protected category', note => 'rename category' } } ); + $mech->content_contains( 'protected category' ); + $mech->content_lacks( 'non protected category' ); + $mech->get('/admin/body/' . $body2->id . '/non%20protected%20category'); + is $mech->res->code, 404; + + $mech->get_ok('/admin/body/' . $body2->id .'/protected%20category'); + $mech->submit_form_ok( { with_fields => { hardcoded => 0, note => 'remove hardcoding' } } ); + $mech->get_ok('/admin/body/' . $body2->id .'/protected%20category'); + $mech->content_unlike( qr'value="protected category"[^>]*readonly's ); + $mech->submit_form_ok( { with_fields => { category => 'non protected category', note => 'rename category' } } ); + $mech->content_contains( 'non protected category' ); + $mech->get_ok('/admin/body/' . $body2->id . '/non%20protected%20category'); + $mech->get('/admin/body/' . $body2->id . '/protected%20category'); + is $mech->res->code, 404; + + $contact->discard_changes; + $contact->set_extra_metadata( 'hardcoded', 1 ); + $contact->update; + + $mech->log_out_ok( $superuser->email ); + $mech->log_in_ok( $user->email ); + $mech->get_ok('/admin/body/' . 
$body2->id . '/non%20protected%20category'); + $mech->content_lacks( 'name="hardcoded"' ); + $user->update( { is_superuser => 1 } ); + $mech->get_ok('/admin/body/' . $body2->id . '/non%20protected%20category'); + $mech->content_contains('name="hardcoded"' ); + $user->update( { is_superuser => 0 } ); + $mech->submit_form_ok( { with_fields => { hardcoded => 0, note => 'remove hardcoding' } } ); + $mech->content_lacks( 'name="hardcoded"' ); + + $contact->discard_changes; + is $contact->get_extra_metadata('hardcoded'), 1, "non superuser can't remove hardcoding"; + + $mech->log_out_ok( $user->email ); + }; +}; + done_testing(); -- cgit v1.2.3
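Review bot: The last part of 'check hardcoded contact renaming' depends on an ordering that is easy to break when editing. The page is fetched while `$user` is temporarily a superuser, the flag is dropped, and the already-loaded form, which still contains the `hardcoded` field, is then submitted. A comment before `$user->update( { is_superuser => 0 } );` such as `# Form was fetched as superuser so it still has the hardcoded field; the POST below runs without superuser rights` would make clear that this is the server-side check and not a leftover.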