diff --git a/app/controllers/exchanges/hbx_profiles_controller.rb b/app/controllers/exchanges/hbx_profiles_controller.rb
index 64a74eea1dc..5cdbe44520a 100644
--- a/app/controllers/exchanges/hbx_profiles_controller.rb
+++ b/app/controllers/exchanges/hbx_profiles_controller.rb
@@ -8,10 +8,9 @@ class Exchanges::HbxProfilesController < ApplicationController
 include HtmlScrubberUtil
 include StringScrubberUtil
- before_action :modify_admin_tabs?, only: [:binder_paid, :transmit_group_xml]
 before_action :check_hbx_staff_role, except: [:request_help, :configuration, :show, :assister_index, :family_index, :update_cancel_enrollment, :update_terminate_enrollment]
 before_action :set_hbx_profile, only: [:edit, :update, :destroy]
- before_action :view_the_configuration_tab?, only: [:configuration, :set_date]
+ before_action :view_the_configuration_tab?, only: [:set_date]
 before_action :can_submit_time_travel_request?, only: [:set_date]
 before_action :find_hbx_profile, only: [:employer_index, :configuration, :broker_agency_index, :inbox, :show, :binder_index]
 #before_action :authorize_for, except: [:edit, :update, :destroy, :request_help, :staff_index, :assister_index]
@@ -90,6 +89,8 @@ def update_fein
 end
 def binder_paid
+ authorize HbxProfile, :binder_paid?
+
 return unless params[:ids]
 begin
@@ -106,6 +107,8 @@ def binder_paid
 end
 def transmit_group_xml
+ authorize HbxProfile, :transmit_group_xml?
+
 HbxProfile.transmit_group_xml(params[:id].split)
 @employer_profile = EmployerProfile.find(params[:id])
 @fein = @employer_profile.fein
@@ -219,6 +222,8 @@ def staff_index
 end
 def assister_index
+ authorize HbxProfile, :assister_index?
+
 @q = params.permit(:q)[:q]
 @staff = Person.where(assister_role: {:$exists => true})
 @page_alphabets = page_alphabets(@staff, "last_name")
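Review bot: Once `before_action :modify_admin_tabs?` is gone and `:configuration` is dropped from the `view_the_configuration_tab?` filter, the `authorize` call inside each action body is the only gate for the converted actions, and seven of them (`request_help`, `configuration`, `show`, `assister_index`, `family_index`, `update_cancel_enrollment`, `update_terminate_enrollment`) are already skipped by `check_hbx_staff_role` via `except:`, so nothing fails closed if one of those calls is later removed. Pundit's `after_action :verify_authorized, only: [:binder_paid, :transmit_group_xml, :assister_index, :request_help, :family_index, :update_cancel_enrollment, :update_terminate_enrollment, :configuration, :show]`, scoped to the actions this commit converts, would make a missing `authorize` raise instead of silently allowing the request; the other actions in the controller are not visible here, which is why the scope should be limited. The commented-out `#before_action :authorize_for, ...` line left in the same block is now more misleading than before and could simply be deleted.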
@@ -239,6 +244,9 @@ def find_email(agent, role)
 end
 def request_help
+ @person = Person.find(params[:person])
+ authorize @person.primary_family, :request_help?
+
 role = nil
 if params[:type]
 cac_flag = params[:type] == 'CAC'
@@ -269,12 +277,13 @@ def request_help
 else
 status_text = call_customer_service params[:firstname].strip, params[:lastname].strip
 end
- @person = Person.find(params[:person])
 broker_view = render_to_string 'insured/families/_consumer_brokers_widget', :layout => false
 render :text => {broker: broker_view, status: status_text}.to_json, layout: false
 end
 def family_index
+ authorize HbxProfile, :family_index?
+
 @q = params.permit(:q)[:q]
 page_string = params.permit(:families_page)[:families_page]
 page_no = page_string.blank? ? nil : page_string.to_i
@@ -376,6 +385,8 @@ def cancel_enrollment
 end
 def update_cancel_enrollment
+ authorize HbxProfile, :update_cancel_enrollment?
+
 params_parser = ::Forms::BulkActionsForAdmin.new(params.permit(uniq_cancel_params).to_h)
 @result = params_parser.result
 @row = params_parser.row
@@ -395,6 +406,8 @@ def terminate_enrollment
 end
 def update_terminate_enrollment
+ authorize HbxProfile, :update_terminate_enrollment?
+
 params_parser = ::Forms::BulkActionsForAdmin.new(params.permit(uniq_terminate_params).to_h)
 @result = params_parser.result
 @row = params_parser.row
@@ -617,6 +630,8 @@ def product_index
 end
 def configuration
+ authorize HbxProfile, :configuration?
+
 @time_keeper = Forms::TimeKeeper.new
 respond_to do |format|
 format.html { render partial: "configuration_index" }
@@ -703,6 +718,9 @@ def show
 return
 end
 end
+
+ authorize HbxProfile, :show?
+
 session[:person_id] = nil
 session[:dismiss_announcements] = nil
 @unread_messages = @profile.inbox.unread_messages.try(:count) || 0
diff --git a/app/policies/family_policy.rb b/app/policies/family_policy.rb
index 414652bfe91..a1237a093bc 100644
--- a/app/policies/family_policy.rb
+++ b/app/policies/family_policy.rb
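Review bot: `authorize @person.primary_family, :request_help?` hands nil to Pundit whenever the looked-up person has no primary family, and Pundit then raises its policy-lookup error (`Pundit::NotDefinedError`, not `NotAuthorizedError`), so such a request surfaces as a server error rather than as a denial unless the application rescues the broader `Pundit::Error`. Guarding before the call, `raise Pundit::NotAuthorizedError unless @person.primary_family`, keeps the failure on the same path as every other refused request. `params[:person]` is caller-controlled, so this family check is the only thing tying the requester to the record being rendered; the remainder of `request_help` lies outside this hunk.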
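Review bot: In the `@@ -703` hunk, `authorize HbxProfile, :show?` is placed after a conditional that already `return`s on some path, so whatever that earlier branch does (a redirect or render, presumably, but its start is outside this hunk) executes before the policy is consulted; the `show` method itself also begins outside the hunk. If the earlier block is a deliberate guard, a one-line comment above the call such as `# authorize after the redirect guard above; both must pass` would stop the next reader from moving it, and if it is not a guard, `authorize` belongs at the top of `show` as it is in every other action converted by this commit.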
@@ -139,6 +139,10 @@ def download_paper_application_coverall?
 coverall_market_admin?
 end
+ def request_help?
+ show?
+ end
+
 # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
 def legacy_show?
 user_person = @user.person
diff --git a/app/policies/hbx_profile_policy.rb b/app/policies/hbx_profile_policy.rb
index ad37dbbb843..a09f889a3c2 100644
--- a/app/policies/hbx_profile_policy.rb
+++ b/app/policies/hbx_profile_policy.rb
@@ -1,5 +1,46 @@
 class HbxProfilePolicy < ApplicationPolicy
+ def binder_paid?
+ staff_modify_admin_tabs?
+ end
+
+ def transmit_group_xml?
+ staff_modify_admin_tabs?
+ end
+
+ def update_cancel_enrollment?
+ can_update_ssn?
+ end
+
+ def update_terminate_enrollment?
+ can_update_ssn?
+ end
+
+ # Determines if the current user has permission to access the assister index.
+ # The user can access the assister index if they are a primary family member,
+ # an admin, an active associated broker staff, or an active associated broker in the ACA Shop market.
+ #
+ # @return [Boolean] Returns true if the user has permission to access the assister index, false otherwise.
+ # @note This method checks for permissions across multiple roles.
+ def assister_index?
+ # Fall back on a family if it exists for the current user.
+ @family = account_holder_family
+
+ return true if shop_market_primary_family_member?
+ return true if shop_market_admin?
+ return true if active_associated_shop_market_family_broker?
+ return true if active_associated_shop_market_general_agency?
+
+ false
+ end
+
+ def can_update_ssn?
+ role = user_hbx_staff_role
+ return false unless role
+
+ role.permission.can_update_ssn
+ end
+
 def view_admin_tabs?
 role = user_hbx_staff_role
 return false unless role
@@ -77,7 +118,7 @@ def can_force_publish?
 end
 def show?
- @user.has_role?(:hbx_staff) ||
+ index? ||
 @user.has_role?(:csr) ||
 @user.has_role?(:assister)
 end
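Review bot: The YARD comment on `assister_index?` does not describe the predicates beneath it: it speaks of "broker staff" and "an active associated broker", while the code checks `active_associated_shop_market_family_broker?` and `active_associated_shop_market_general_agency?`, and it says nothing about the method assigning `@family` as a side effect before any check runs. The grant is also noticeably wider than the other new predicates in this hunk, which all resolve through an HBX staff role or `staff_modify_admin_tabs?`: any shop-market primary family member is admitted to an action that, per the controller hunk, lists persons holding an assister role, so if that is intended the comment should state why. `update_cancel_enrollment?` and `update_terminate_enrollment?` delegate to `can_update_ssn?`, so a permission bit named for SSN edits now also controls bulk enrollment cancellation and termination; a comment on each such as `# no dedicated enrollment-action permission exists; can_update_ssn is the admin-tier marker used here` (or a dedicated permission) would make that reuse deliberate rather than accidental.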
@@ -109,7 +150,7 @@ def product_index?
 end
 def configuration?
- index?
+ view_the_configuration_tab?
 end
 def new?
diff --git a/features/permissions/change_fein.feature b/features/permissions/change_fein.feature
index b2f8603f8eb..6381775d07c 100644
--- a/features/permissions/change_fein.feature
+++ b/features/permissions/change_fein.feature
@@ -19,4 +19,3 @@ Feature: As a Super Admin I will be the only user
 | HBX Tier3 | see |
 | HBX Staff | not see |
 | HBX Read Only | not see |
- | Developer | not see |
diff --git a/features/permissions/edit_dob_ssn_permission.feature b/features/permissions/edit_dob_ssn_permission.feature
index db390580795..2d30457d069 100644
--- a/features/permissions/edit_dob_ssn_permission.feature
+++ b/features/permissions/edit_dob_ssn_permission.feature
@@ -39,13 +39,7 @@ Feature: Only Super Admin HBX Staff HBX Tier3 will be able to see & access the E
 Examples:
 | subrole | action |
- | Super Admin | see |
+ | Super Admin | see |
 | HBX Tier3 | see |
 | HBX Staff | see |
 | HBX Read Only | not see |
- | Developer | not see |
-
-
-
-
-
diff --git a/features/permissions/extend_open_enrollment.feature b/features/permissions/extend_open_enrollment.feature
index ff9c659b62d..d58cb06b320 100644
--- a/features/permissions/extend_open_enrollment.feature
+++ b/features/permissions/extend_open_enrollment.feature
@@ -18,5 +18,4 @@ Feature: As a Super Admin I will be the only user
 | Super Admin | see |
 | HBX Staff | not see |
 | HBX Read Only | not see |
- | Developer | not see |
 | HBX Tier3 | see |
diff --git a/features/permissions/force_publish.feature b/features/permissions/force_publish.feature
index b52f4a8252f..8387e068153 100644
--- a/features/permissions/force_publish.feature
+++ b/features/permissions/force_publish.feature
@@ -20,4 +20,3 @@ Feature: As a Super Admin I will be the only user
 | HBX Tier3 | see |
 | HBX Staff | not see |
 | HBX Read Only | not see |
- | Developer | not see |
diff --git a/features/permissions/new_plan_year_button.feature b/features/permissions/new_plan_year_button.feature
index 1a8ed2437c5..88546efc76a 100644
--- a/features/permissions/new_plan_year_button.feature
+++ b/features/permissions/new_plan_year_button.feature
@@ -19,4 +19,3 @@ Feature: As a Super Admin I will be the only user
 | HBX Tier3 | see |
 | HBX Staff | not see |
 | HBX Read Only | not see |
- | Developer | not see |
diff --git a/features/permissions/view_configuration_tab.feature b/features/permissions/view_configuration_tab.feature
index 7d0e932020c..4a7546a5d59 100644
--- a/features/permissions/view_configuration_tab.feature
+++ b/features/permissions/view_configuration_tab.feature
@@ -5,7 +5,7 @@ Feature: As a Super Admin I will be the only user
 Given a CCA site exists with a benefit market
 And there is an employer ABC Widgets
 Given benefit market catalog exists for ABC Widgets initial employer with health benefits
- And initial employer ABC Widgets has enrollment_open benefit application
+ And initial employer ABC Widgets has enrollment_open benefit application
 Scenario Outline: HBX Staff with subroles should the config tab
@@ -19,7 +19,6 @@ Feature: As a Super Admin I will be the only user
 | HBX Tier3 | see |
 | HBX Staff | see |
 | HBX Read Only | see |
- | Developer | see |
 Scenario: HBX Staff with Super Admin subroles should not have the option to time travel
 Given that a user with a HBX staff role with Super Admin subrole exists and is logged in
@@ -33,6 +32,3 @@ Scenario: HBX Staff with Super Admin subroles and a time travel ability enabled
 And the user is on the Main Page
 And the user goes to the Config Page
 Then the user will see the Time Tavel option
-
-
-
diff --git a/spec/controllers/exchanges/hbx_profiles_controller_spec.rb b/spec/controllers/exchanges/hbx_profiles_controller_spec.rb
index 758e9e4b4ae..521916b0ceb 100644
--- a/spec/controllers/exchanges/hbx_profiles_controller_spec.rb
+++ b/spec/controllers/exchanges/hbx_profiles_controller_spec.rb
@@ -281,6 +281,7 @@
 allow(admin_permission).to receive(:name).and_return(admin_permission.name)
 allow(admin_permission).to receive(:can_submit_time_travel_request).and_return(false)
 allow(admin_permission).to receive(:view_the_configuration_tab).and_return(true)
+ allow(admin_permission).to receive(:modify_family).and_return(true)
 allow(user).to receive(:has_hbx_staff_role?).and_return(true)
 allow(user).to receive(:view_the_configuration_tab?).and_return(true)
 allow(user).to receive(:can_submit_time_travel_request?).and_return(false)
@@ -294,7 +295,9 @@
 it "should not render the config index for a not super admin" do
 allow(admin_permission).to receive(:view_the_configuration_tab).and_return(false)
+ allow(admin_permission).to receive(:modify_family).and_return(true)
 allow(staff_permission).to receive(:view_the_configuration_tab).and_return(true)
+ allow(staff_permission).to receive(:modify_family).and_return(true)
 allow(hbx_staff_role).to receive(:view_the_configuration_tab).and_return(false)
 allow(hbx_staff_role).to receive(:permission).and_return(staff_permission)
 allow(hbx_staff_role).to receive(:subrole).and_return(staff_permission.name)
@@ -333,6 +336,7 @@
 let(:person) { double("person")}
 let(:hbx_staff_role) { double("hbx_staff_role")}
 let(:hbx_profile) { double("hbx_profile", inbox: double("inbox", unread_messages: double("test")))}
+ let(:admin_permission) { double("permission", name: "super_admin", modify_family: true)}
 before :each do
 allow(user).to receive(:has_hbx_staff_role?).and_return(true)
@@ -342,6 +346,7 @@
 allow(user).to receive(:save)
 allow(person).to receive(:hbx_staff_role).and_return(hbx_staff_role)
 allow(hbx_staff_role).to receive(:hbx_profile).and_return(hbx_profile)
+ allow(hbx_staff_role).to receive(:permission).and_return(admin_permission)
 session[:dismiss_announcements] = 'hello'
 sign_in(user)
 end
@@ -502,6 +507,8 @@
 let(:hbx_staff_role) { double("hbx_staff_role")}
 let(:hbx_profile) { double("hbx_profile")}
 let(:csr_role) { double("csr_role", cac: false)}
+ let(:admin_permission) { double("permission", name: "super_admin", modify_family: true)}
+
 before :each do
 allow(person).to receive(:csr_role).and_return(double("csr_role", cac: false))
 allow(user).to receive(:person).and_return(person)
@@ -510,6 +517,8 @@
 it "renders the 'families index' template for hbx_staff" do
 allow(user).to receive(:has_hbx_staff_role?).and_return(true)
+ allow(person).to receive(:hbx_staff_role).and_return(hbx_staff_role)
+ allow(hbx_staff_role).to receive(:permission).and_return(admin_permission)
 get :family_index
 expect(response).to have_http_status(:success)
 expect(response).to render_template("insured/families/index")
@@ -517,6 +526,8 @@
 it "renders the 'families index' template for csr" do
 allow(user).to receive(:has_hbx_staff_role?).and_return(false)
+ allow(person).to receive(:hbx_staff_role).and_return(hbx_staff_role)
+ allow(hbx_staff_role).to receive(:permission).and_return(admin_permission)
 get :family_index
 expect(response).to have_http_status(:success)
 expect(response).to render_template("insured/families/index")
@@ -559,13 +570,15 @@
 allow(hbx_staff_role).to receive(:subrole).and_return(permission.name)
 allow(permission).to receive(:name).and_return(permission.name)
+ allow(permission).to receive(:modify_family).and_return(true)
+ allow(permission).to receive(:view_the_configuration_tab).and_return(true)
 sign_in(user)
 get :configuration
 end
 it "should render the configuration partial" do
- expect(response).to have_http_status(:redirect)
- expect(response).to_not render_template(:partial => 'exchanges/hbx_profiles/_configuration_index')
+ expect(response).to have_http_status(:success)
+ expect(response).to render_template(:partial => 'exchanges/hbx_profiles/_configuration_index')
 end
 end
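Review bot: In the `@@ -517` hunk, "renders the 'families index' template for csr" now gives `person` an `hbx_staff_role` whose permission is the super_admin double with `modify_family: true` while `has_hbx_staff_role?` stays stubbed false, so the example reaches `family_index?` through staff permissions rather than through the CSR role it is named for and no longer exercises the CSR path. If `family_index?` is meant to admit CSRs (its definition is not in this diff), the example should instead stub `allow(person).to receive(:hbx_staff_role).and_return(nil)` and rely on the csr role; if CSRs are no longer meant to reach the index, the example's description and expectation should change to say so. The identical fixture added at `@@ -510` for the hbx_staff example is appropriate there; the enclosing describe block starts outside these hunks.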