add facilities check on mobile appts

modules/mobile/app/controllers/mobile/v0/appointments_controller.rb

@@ -137,6 +137,7 @@ def appointments_cache_interface
       def authorize
         raise_access_denied unless current_user.authorize(:vaos, :access?)
         raise_access_denied_no_icn if current_user.icn.blank?
+        raise_access_denied_no_facilities unless current_user.authorize(:vaos, :facilities?)
       end
 
       def raise_access_denied
@@ -147,6 +148,10 @@ def raise_access_denied_no_icn
         raise Common::Exceptions::Forbidden, detail: 'No patient ICN found'
       end
 
+      def raise_access_denied_no_facilities
+        raise Common::Exceptions::Forbidden, detail: 'No facility associated with user'
+      end
+
       def staging_custom_error
         if Settings.vsp_environment != 'production' && @current_user.email == 'vets.gov.user+141@gmail.com'
           raise Mobile::V0::Exceptions::CustomErrors.new(

modules/mobile/docs/examples/appointments/forbidden_facilities_error.yml

@@ -0,0 +1,5 @@
+errors:
+  - title: 'Forbidden'
+    detail: 'No facility associated with user'
+    code: '403'
+    status: '403'

modules/mobile/docs/examples/appointments/forbidden_no_icn_error.yml

@@ -0,0 +1,5 @@
+errors:
+  - title: 'Forbidden'
+    detail: 'No patient ICN found'
+    code: '403'
+    status: '403'

modules/mobile/docs/examples/appointments/forbidden_no_vaos_access_error.yml

@@ -0,0 +1,5 @@
+errors:
+  - title: 'Forbidden'
+    detail: 'You do not have access to online scheduling'
+    code: '403'
+    status: '403'

modules/mobile/docs/openapi.yaml

@@ -207,7 +207,18 @@ paths:
         '401':
           $ref: '#/components/responses/401'
         '403':
-          $ref: '#/components/responses/403'
+          content:
+            application/json:
+              examples:
+                Missing Facilities:
+                  value:
+                    $ref: ./examples/appointments/forbidden_facilities_error.yml
+                No VAOS Access:
+                  value:
+                    $ref: ./examples/appointments/forbidden_no_vaos_access_error.yml
+                No ICN:
+                  value:
+                    $ref: ./examples/appointments/forbidden_no_icn_error.yml
         '404':
           $ref: '#/components/responses/404'
         '408':

modules/mobile/spec/requests/mobile/v0/appointments/create_spec.rb

@@ -16,6 +16,7 @@
   let!(:user) { sis_user(icn: '1012846043V576341') }
 
   before do
+    allow_any_instance_of(User).to receive(:va_patient?).and_return(true)
     allow_any_instance_of(VAOS::UserService).to receive(:session).and_return('stubbed_token')
     allow_any_instance_of(VAOS::V2::MobileFacilityService).to \
       receive(:get_clinic).and_return(mock_clinic)
@@ -196,7 +197,6 @@
           VCR.use_cassette('mobile/appointments/post_appointments_va_proposed_clinic_200',
                            match_requests_on: %i[method uri]) do
             post '/mobile/v0/appointment', params: {}, headers: sis_headers
-
             expect(response).to have_http_status(:created)
             expect(json_body_for(response)).to match_camelized_schema('vaos/v2/appointment', { strict: false })
           end

modules/mobile/spec/requests/mobile/v0/appointments/vaos_v2_spec.rb

@@ -5,7 +5,7 @@
 RSpec.describe 'Mobile::V0::Appointments::VAOSV2', type: :request do
   include JsonSchemaMatchers
 
-  let!(:user) { sis_user(icn: '1012846043V576341') }
+  let!(:user) { sis_user(icn: '1012846043V576341', vha_facility_ids: [402, 555]) }
 
   before do
     Flipper.enable_actor(:appointments_consolidation, user)
@@ -340,7 +340,7 @@
       end
 
       context 'when custom error response is injected' do
-        let!(:user) { sis_user(email: 'vets.gov.user+141@gmail.com') }
+        let!(:user) { sis_user(email: 'vets.gov.user+141@gmail.com', vha_facility_ids: [402, 555]) }
 
         it 'raises 418 custom error' do
           get '/mobile/v0/appointments', headers: sis_headers
@@ -698,6 +698,23 @@
                                                                 'status' => '502' })
         end
       end
+
+      context 'appointment authorization' do
+        context 'when user has no facilities' do
+          let!(:user) { sis_user(icn: '1012846043V576341', vha_facility_ids: []) }
+
+          it 'returns forbidden error' do
+            VCR.use_cassette('mobile/appointments/VAOS_v2/get_appointment_200', match_requests_on: %i[method uri]) do
+              get '/mobile/v0/appointments', headers: sis_headers
+            end
+
+            expect(response.parsed_body.dig('errors', 0)).to eq({ 'title' => 'Forbidden',
+                                                                  'detail' => 'No facility associated with user',
+                                                                  'code' => '403',
+                                                                  'status' => '403' })
+          end
+        end
+      end
     end
   end
 end

modules/vaos/app/policies/vaos_policy.rb

@@ -4,4 +4,8 @@
   def access?
     Flipper.enabled?('va_online_scheduling', user) && user.loa3?
   end
+
+  def facilities?
+    user.va_patient?
+  end
 end