Add pundit policy to plan design organization controller (#2710)

* adds pundit policy to plan design origanization controller * includes pundit in application controller * adds specs * fixes rubocop errors * fixes typo on the file name * replace the file --------- Co-authored-by: Sri Harsha <sriharsha.poosa@gmail.com>
health-connector · Jul 8, 2024 · c4233ea · c4233ea
1 parent 4268210
commit c4233ea
Show file tree

Hide file tree

Showing 6 changed files with 145 additions and 3 deletions.
diff --git a/...efit_sponsors/app/policies/benefit_sponsors/organizations/broker_agency_profile_policy.rb b/...efit_sponsors/app/policies/benefit_sponsors/organizations/broker_agency_profile_policy.rb
@@ -68,6 +68,14 @@ def inbox?
         access_to_broker_agency_profile?
       end
 
+      def plan_design_org_new?
+        access_to_broker_agency_profile?
+      end
+
+      def plan_design_org_create?
+        access_to_broker_agency_profile?
+      end
+
       protected
 
       def has_matching_broker_agency_staff_role?

diff --git a/components/sponsored_benefits/app/controllers/sponsored_benefits/application_controller.rb b/components/sponsored_benefits/app/controllers/sponsored_benefits/application_controller.rb
@@ -2,10 +2,12 @@
 
 module SponsoredBenefits
   class ApplicationController < ActionController::Base
+    include Pundit
     include ::L10nHelper
     include ::FileUploadHelper
 
     before_action :set_broker_agency_profile_from_user
+    rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
     rescue_from ActionController::InvalidAuthenticityToken, :with => :bad_token_due_to_session_expired
 
     private
@@ -21,6 +23,15 @@ def bad_token_due_to_session_expired
       end
     end
 
+    def user_not_authorized(exception)
+      flash[:error] = "Access not allowed for #{exception.query}, (Pundit policy)"
+      respond_to do |format|
+        format.json { render nothing: true, status: :forbidden }
+        format.html { redirect_to(request.referrer || main_app.root_path)}
+        format.js   { render nothing: true, status: :forbidden }
+      end
+    end
+
     def active_tab
       "employers-tab"
     end
@@ -67,4 +78,4 @@ def active_user
       current_user
     end
   end
-end
+end
diff --git a/.../app/controllers/sponsored_benefits/organizations/plan_design_organizations_controller.rb b/.../app/controllers/sponsored_benefits/organizations/plan_design_organizations_controller.rb
@@ -8,11 +8,12 @@ class Organizations::PlanDesignOrganizationsController < ApplicationController
     before_action :load_broker_agency_profile, only: [:new, :create]
 
     def new
+      authorize @broker_agency_profile, :plan_design_org_new?
       init_organization
     end
 
     def create
-      # old_broker_agency_profile = ::BrokerAgencyProfile.find(params[:broker_agency_id])
+      authorize @broker_agency_profile, :plan_design_org_create?
       broker_agency_profile = SponsoredBenefits::Organizations::BrokerAgencyProfile.find_or_initialize_broker_profile(@broker_agency_profile).broker_agency_profile
       broker_agency_profile.save unless broker_agency_profile.persisted?
 
@@ -28,6 +29,7 @@ def create
 
     def edit
       @organization = SponsoredBenefits::Organizations::PlanDesignOrganization.find(params[:id])
+      authorize @organization
 
       if @organization.is_prospect?
         get_sic_codes
@@ -39,6 +41,7 @@ def edit
 
     def update
       pdo = SponsoredBenefits::Organizations::PlanDesignOrganization.find(params[:id])
+      authorize pdo
 
       if pdo.is_prospect?
         pdo.assign_attributes(organization_params)
@@ -57,6 +60,7 @@ def update
 
     def destroy
       organization = SponsoredBenefits::Organizations::PlanDesignOrganization.find(params[:id])
+      authorize organization
 
       if organization.is_prospect?
         if organization.plan_design_proposals.blank?

diff --git a/...benefits/app/policies/sponsored_benefits/organizations/plan_design_organization_policy.rb b/...benefits/app/policies/sponsored_benefits/organizations/plan_design_organization_policy.rb
@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module SponsoredBenefits
+  module Organizations
+    class PlanDesignOrganizationPolicy < ::ApplicationPolicy
+
+      def edit?
+        plan_design_organization_access?
+      end
+
+      def update?
+        plan_design_organization_access?
+      end
+
+      def destroy?
+        plan_design_organization_access?
+      end
+
+      private
+
+      def plan_design_organization_access?
+        return true if user.has_hbx_staff_role?
+        return false unless user.person
+
+        person = user.person
+
+        return true if broker_owns_plan_design_organization_via_broker_agency?(person)
+
+        true if broker_staff_owns_plan_design_organization_via_broker_agency?(person)
+      end
+
+      def broker_staff_owns_plan_design_organization_via_broker_agency?(person)
+        broker_agency_staff_roles = person.broker_agency_staff_roles&.active
+        return false if broker_agency_staff_roles.blank?
+
+        broker_agency_staff_roles.any? do |basr|
+          basr.benefit_sponsors_broker_agency_profile_id == record.owner_profile_id
+        end
+      end
+
+      def broker_owns_plan_design_organization_via_broker_agency?(person)
+        return false unless person.broker_role&.active?
+
+        person.broker_role.benefit_sponsors_broker_agency_profile_id == record.owner_profile_id
+      end
+    end
+  end
+end
diff --git a/...onsored_benefits/organizations/plan_design_organizations_controller_authorization_spec.rb b/...onsored_benefits/organizations/plan_design_organizations_controller_authorization_spec.rb
@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require "#{SponsoredBenefits::Engine.root}/spec/shared_contexts/sponsored_benefits"
+
+module SponsoredBenefits
+  RSpec.describe Organizations::PlanDesignOrganizationsController, type: :controller, dbclean: :around_each  do
+    include_context "set up broker agency profile for BQT, by using configuration settings"
+
+    routes { SponsoredBenefits::Engine.routes }
+    include Rails.application.routes.url_helpers
+
+    context "when the logged-in user is not authorized to access" do
+      let(:fake_user) { FactoryBot.create(:user, person: fake_person) }
+      let(:fake_person) do
+        FactoryBot.create(:person, :with_broker_role).tap do |person|
+          person.broker_role.update_attributes(broker_agency_profile_id: broker_agency_profile.id.to_s)
+        end
+      end
+      let(:valid_attributes) do
+        {
+          "legal_name" => "Some Name",
+          "dba" => "",
+          "entity_kind" => "",
+          "sic_code" => "0116"
+        }
+      end
+
+      it "redirects to the root path and displays an error message" do
+        sign_in(fake_user)
+
+        get :edit, params: { id: prospect_plan_design_organization.to_param }
+        expect(response).to redirect_to(root_path)
+        expect(flash[:error]).to eq("Access not allowed for edit?, (Pundit policy)")
+      end
+
+      it "redirects to the root path and displays an error message" do
+        sign_in(fake_user)
+
+        delete :destroy, params: {:id => prospect_plan_design_organization.to_param }
+        expect(response).to redirect_to(root_path)
+        expect(flash[:error]).to eq("Access not allowed for destroy?, (Pundit policy)")
+      end
+
+      it "redirects to the root path and displays an error message" do
+        sign_in(fake_user)
+
+        patch :update, params: { organization: valid_attributes, id: prospect_plan_design_organization.id }
+        expect(flash[:error]).to eq("Access not allowed for update?, (Pundit policy)")
+      end
+
+      it "redirects to the root path and displays an error message" do
+        sign_in(fake_user)
+
+        get :new, params: { plan_design_organization_id: prospect_plan_design_organization.id, broker_agency_id:  broker_agency_profile.id }
+        expect(response).to redirect_to(root_path)
+        expect(flash[:error]).to eq("Access not allowed for plan_design_org_new?, (Pundit policy)")
+      end
+
+      it "redirects to the root path and displays an error message" do
+        sign_in(fake_user)
+
+        post :create, params: { organization: valid_attributes, broker_agency_id: broker_agency_profile.id, format: 'js'}
+        expect(flash[:error]).to eq("Access not allowed for plan_design_org_create?, (Pundit policy)")
+      end
+    end
+  end
+end
diff --git a/...controllers/sponsored_benefits/organizations/plan_design_organizations_controller_spec.rb b/...controllers/sponsored_benefits/organizations/plan_design_organizations_controller_spec.rb
@@ -69,6 +69,10 @@ module SponsoredBenefits
       }
     }
 
+    before do
+      allow(controller).to receive(:authorize).and_return(true)
+    end
+
     context "permissions" do
       context "unauthenticated user" do
         before do
@@ -424,6 +428,5 @@ module SponsoredBenefits
         end
       end
     end
-
   end
 end