From b159137791ea15477bb5599e3ba87ed57cd7bf1f Mon Sep 17 00:00:00 2001 From: RyanEddyIC Date: Mon, 7 Oct 2024 16:23:41 -0400 Subject: [PATCH 1/8] add authorization to hbx_profiles_controller actions --- .../exchanges/hbx_profiles_controller.rb | 24 ++++++++++-- app/policies/family_policy.rb | 4 ++ app/policies/hbx_profile_policy.rb | 38 +++++++++++++++++++ .../exchanges/hbx_profiles_controller_spec.rb | 14 ++++++- 4 files changed, 75 insertions(+), 5 deletions(-) diff --git a/app/controllers/exchanges/hbx_profiles_controller.rb b/app/controllers/exchanges/hbx_profiles_controller.rb index 64a74eea1dc..5cdbe44520a 100644 --- a/app/controllers/exchanges/hbx_profiles_controller.rb +++ b/app/controllers/exchanges/hbx_profiles_controller.rb @@ -8,10 +8,9 @@ class Exchanges::HbxProfilesController < ApplicationController include HtmlScrubberUtil include StringScrubberUtil - before_action :modify_admin_tabs?, only: [:binder_paid, :transmit_group_xml] before_action :check_hbx_staff_role, except: [:request_help, :configuration, :show, :assister_index, :family_index, :update_cancel_enrollment, :update_terminate_enrollment] before_action :set_hbx_profile, only: [:edit, :update, :destroy] - before_action :view_the_configuration_tab?, only: [:configuration, :set_date] + before_action :view_the_configuration_tab?, only: [:set_date] before_action :can_submit_time_travel_request?, only: [:set_date] before_action :find_hbx_profile, only: [:employer_index, :configuration, :broker_agency_index, :inbox, :show, :binder_index] #before_action :authorize_for, except: [:edit, :update, :destroy, :request_help, :staff_index, :assister_index] @@ -90,6 +89,8 @@ def update_fein end def binder_paid + authorize HbxProfile, :binder_paid? + return unless params[:ids] begin 
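Review bot: With `:configuration` removed from the `view_the_configuration_tab?` before_action while `configuration` stays in `check_hbx_staff_role`'s `except:` list, the only gate left on that action is the per-action `authorize HbxProfile, :configuration?` call added later in this patch; the same now holds for `show`, `assister_index`, `family_index`, `request_help`, `update_cancel_enrollment` and `update_terminate_enrollment` on that list. Each corresponding policy predicate therefore has to require the staff role itself rather than assume the controller already checked it, which deserves one controller spec per action for a non-staff user. A comment on the `except:` list, `# these actions are authorized per-action via their Pundit policies`, would record why they are excluded from the role check.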
@@ -106,6 +107,8 @@ def binder_paid end def transmit_group_xml + authorize HbxProfile, :transmit_group_xml? + HbxProfile.transmit_group_xml(params[:id].split) @employer_profile = EmployerProfile.find(params[:id]) @fein = @employer_profile.fein @@ -219,6 +222,8 @@ def staff_index end def assister_index + authorize HbxProfile, :assister_index? + @q = params.permit(:q)[:q] @staff = Person.where(assister_role: {:$exists => true}) @page_alphabets = page_alphabets(@staff, "last_name") @@ -239,6 +244,9 @@ def find_email(agent, role) end def request_help + @person = Person.find(params[:person]) + authorize @person.primary_family, :request_help? + role = nil if params[:type] cac_flag = params[:type] == 'CAC' @@ -269,12 +277,13 @@ def request_help else status_text = call_customer_service params[:firstname].strip, params[:lastname].strip end - @person = Person.find(params[:person]) broker_view = render_to_string 'insured/families/_consumer_brokers_widget', :layout => false render :text => {broker: broker_view, status: status_text}.to_json, layout: false end def family_index + authorize HbxProfile, :family_index? + @q = params.permit(:q)[:q] page_string = params.permit(:families_page)[:families_page] page_no = page_string.blank? ? nil : page_string.to_i @@ -376,6 +385,8 @@ def cancel_enrollment end def update_cancel_enrollment + authorize HbxProfile, :update_cancel_enrollment? + params_parser = ::Forms::BulkActionsForAdmin.new(params.permit(uniq_cancel_params).to_h) @result = params_parser.result @row = params_parser.row @@ -395,6 +406,8 @@ def terminate_enrollment end def update_terminate_enrollment + authorize HbxProfile, :update_terminate_enrollment? + params_parser = ::Forms::BulkActionsForAdmin.new(params.permit(uniq_terminate_params).to_h) @result = params_parser.result @row = params_parser.row 
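Review bot: In `request_help`, `authorize @person.primary_family, :request_help?` passes a nil record whenever the looked-up person has no primary family, so (assuming Pundit) the call fails on policy lookup for `nil` rather than raising a clean authorization failure; `Person.find` above already raises on an unknown id, but the missing-family case is unguarded. Add a guard before the authorize, e.g. `family = @person.primary_family` followed by `raise Pundit::NotAuthorizedError unless family` and `authorize family, :request_help?`. The rest of `request_help` continues past this hunk.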
@@ -617,6 +630,8 @@ def product_index end def configuration + authorize HbxProfile, :configuration? + @time_keeper = Forms::TimeKeeper.new respond_to do |format| format.html { render partial: "configuration_index" } @@ -703,6 +718,9 @@ def show return end end + + authorize HbxProfile, :show? + session[:person_id] = nil session[:dismiss_announcements] = nil @unread_messages = @profile.inbox.unread_messages.try(:count) || 0 diff --git a/app/policies/family_policy.rb b/app/policies/family_policy.rb index 414652bfe91..a1237a093bc 100644 --- a/app/policies/family_policy.rb +++ b/app/policies/family_policy.rb @@ -139,6 +139,10 @@ def download_paper_application_coverall? coverall_market_admin? end + def request_help? + show? + end + # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity def legacy_show? user_person = @user.person diff --git a/app/policies/hbx_profile_policy.rb b/app/policies/hbx_profile_policy.rb index ad37dbbb843..05b234c420e 100644 --- a/app/policies/hbx_profile_policy.rb +++ b/app/policies/hbx_profile_policy.rb 
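Review bot: In `show`, `authorize HbxProfile, :show?` is placed after the `return` visible in the hunk's leading context, so the branch that returns there completes without any policy check; `show` is also in `check_hbx_staff_role`'s `except:` list, so nothing else gates it. Unless that early branch is intentionally public, move the authorize call to the top of the action or into a before_action. The beginning of `show` is outside this hunk, so confirm what that early-return path renders.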
@@ -1,5 +1,43 @@ class HbxProfilePolicy < ApplicationPolicy + def binder_paid? + staff_modify_admin_tabs? + end + + def transmit_group_xml? + staff_modify_admin_tabs? + end + + def update_cancel_enrollment? + staff_can_cancel_enrollment? + end + + def update_terminate_enrollment? + staff_can_terminate_enrollment? + end + + def configuration? + staff_view_the_configuration_tab? + end + + # Determines if the current user has permission to access the assister index. + # The user can access the assister index if they are a primary family member, + # an admin, an active associated broker staff, or an active associated broker in the ACA Shop market. + # + # @return [Boolean] Returns true if the user has permission to access the assister index, false otherwise. + # @note This method checks for permissions across multiple roles. + def assister_index? + # Fall back on a family if it exists for the current user. + @family = account_holder_family + + return true if shop_market_primary_family_member? + return true if shop_market_admin? + return true if active_associated_shop_market_family_broker? + return true if active_associated_shop_market_general_agency? + + false + end + def view_admin_tabs? role = user_hbx_staff_role return false unless role diff --git a/spec/controllers/exchanges/hbx_profiles_controller_spec.rb b/spec/controllers/exchanges/hbx_profiles_controller_spec.rb index 758e9e4b4ae..bb7f59214db 100644 --- a/spec/controllers/exchanges/hbx_profiles_controller_spec.rb +++ b/spec/controllers/exchanges/hbx_profiles_controller_spec.rb 
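Review bot: The new `configuration?` at the top of `HbxProfilePolicy` is shadowed: a second `configuration?` still exists further down the same class (visible in a later patch of this series, where it is changed from `index?`), and Ruby keeps the last definition, so at this commit the configuration action is effectively gated by `index?` rather than `staff_view_the_configuration_tab?`. The `assister_index?` docstring also does not match the code — it names "an active associated broker in the ACA Shop market" while the predicate called is `active_associated_shop_market_general_agency?` — and it grants the staff assister listing to `shop_market_primary_family_member?`, which reads broader than the staff-only surface the other new predicates guard; confirm that is intended. `@family = account_holder_family` is the only state the method writes; if the helper predicates read `@family`, say so in the comment (`# helpers below read @family`), otherwise the assignment can go.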
@@ -281,6 +281,7 @@ allow(admin_permission).to receive(:name).and_return(admin_permission.name) allow(admin_permission).to receive(:can_submit_time_travel_request).and_return(false) allow(admin_permission).to receive(:view_the_configuration_tab).and_return(true) + allow(admin_permission).to receive(:modify_family).and_return(true) allow(user).to receive(:has_hbx_staff_role?).and_return(true) allow(user).to receive(:view_the_configuration_tab?).and_return(true) allow(user).to receive(:can_submit_time_travel_request?).and_return(false) @@ -294,7 +295,9 @@ it "should not render the config index for a not super admin" do allow(admin_permission).to receive(:view_the_configuration_tab).and_return(false) + allow(admin_permission).to receive(:modify_family).and_return(true) allow(staff_permission).to receive(:view_the_configuration_tab).and_return(true) + allow(staff_permission).to receive(:modify_family).and_return(true) allow(hbx_staff_role).to receive(:view_the_configuration_tab).and_return(false) allow(hbx_staff_role).to receive(:permission).and_return(staff_permission) allow(hbx_staff_role).to receive(:subrole).and_return(staff_permission.name) @@ -502,6 +505,8 @@ let(:hbx_staff_role) { double("hbx_staff_role")} let(:hbx_profile) { double("hbx_profile")} let(:csr_role) { double("csr_role", cac: false)} + let(:admin_permission) { double("permission", name: "super_admin", modify_family: true)} + before :each do allow(person).to receive(:csr_role).and_return(double("csr_role", cac: false)) allow(user).to receive(:person).and_return(person) @@ -510,6 +515,8 @@ it "renders the 'families index' template for hbx_staff" do allow(user).to receive(:has_hbx_staff_role?).and_return(true) + allow(person).to receive(:hbx_staff_role).and_return(hbx_staff_role) + allow(hbx_staff_role).to receive(:permission).and_return(admin_permission) get :family_index expect(response).to have_http_status(:success) expect(response).to render_template("insured/families/index") 
@@ -517,6 +524,8 @@ it "renders the 'families index' template for csr" do allow(user).to receive(:has_hbx_staff_role?).and_return(false) + allow(person).to receive(:hbx_staff_role).and_return(hbx_staff_role) + allow(hbx_staff_role).to receive(:permission).and_return(admin_permission) get :family_index expect(response).to have_http_status(:success) expect(response).to render_template("insured/families/index") @@ -559,13 +568,14 @@ allow(hbx_staff_role).to receive(:subrole).and_return(permission.name) allow(permission).to receive(:name).and_return(permission.name) + allow(permission).to receive(:modify_family).and_return(true) sign_in(user) get :configuration end it "should render the configuration partial" do - expect(response).to have_http_status(:redirect) - expect(response).to_not render_template(:partial => 'exchanges/hbx_profiles/_configuration_index') + expect(response).to have_http_status(:success) + expect(response).to render_template(:partial => 'exchanges/hbx_profiles/_configuration_index') end end From 5d59f799702d3dc2ccababbed1243e6eac24f0a9 Mon Sep 17 00:00:00 2001 From: RyanEddyIC Date: Mon, 7 Oct 2024 16:41:51 -0400 Subject: [PATCH 2/8] update hbx_profile_policy show --- app/policies/hbx_profile_policy.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/app/policies/hbx_profile_policy.rb b/app/policies/hbx_profile_policy.rb index 05b234c420e..0c71f48cf9b 100644 --- a/app/policies/hbx_profile_policy.rb +++ b/app/policies/hbx_profile_policy.rb @@ -115,9 +115,7 @@ def can_force_publish? end def show? - @user.has_role?(:hbx_staff) || - @user.has_role?(:csr) || - @user.has_role?(:assister) + index? end def index? From d9aeda326eb56f00d03edbb149beb766d445ea40 Mon Sep 17 00:00:00 2001 
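Review bot: Flipping the `configuration` expectation from redirect to success removes the only visible negative case for that action, and the hunk stubs only `modify_family` on `permission`, not `view_the_configuration_tab` (a later patch in this series adds that stub). Keep a second example where `view_the_configuration_tab` is stubbed `false` and assert the redirect, so the new policy gate is exercised in both directions. The enclosing `describe` block and the `permission` double's definition start outside this hunk.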
From: RyanEddyIC Date: Tue, 8 Oct 2024 09:46:07 -0400 Subject: [PATCH 3/8] remove developer subrole from admin portal test steps --- features/permissions/change_fein.feature | 1 - features/permissions/edit_dob_ssn_permission.feature | 8 +------- features/permissions/extend_open_enrollment.feature | 1 - features/permissions/force_publish.feature | 1 - features/permissions/new_plan_year_button.feature | 1 - features/permissions/view_configuration_tab.feature | 6 +----- 6 files changed, 2 insertions(+), 16 deletions(-) diff --git a/features/permissions/change_fein.feature b/features/permissions/change_fein.feature index b2f8603f8eb..6381775d07c 100644 --- a/features/permissions/change_fein.feature +++ b/features/permissions/change_fein.feature @@ -19,4 +19,3 @@ Feature: As a Super Admin I will be the only user | HBX Tier3 | see | | HBX Staff | not see | | HBX Read Only | not see | - | Developer | not see | diff --git a/features/permissions/edit_dob_ssn_permission.feature b/features/permissions/edit_dob_ssn_permission.feature index db390580795..2d30457d069 100644 --- a/features/permissions/edit_dob_ssn_permission.feature +++ b/features/permissions/edit_dob_ssn_permission.feature @@ -39,13 +39,7 @@ Feature: Only Super Admin HBX Staff HBX Tier3 will be able to see & access the E Examples: | subrole | action | - | Super Admin | see | + | Super Admin | see | | HBX Tier3 | see | | HBX Staff | see | | HBX Read Only | not see | - | Developer | not see | - - - - - diff --git a/features/permissions/extend_open_enrollment.feature b/features/permissions/extend_open_enrollment.feature index ff9c659b62d..d58cb06b320 100644 --- a/features/permissions/extend_open_enrollment.feature +++ b/features/permissions/extend_open_enrollment.feature @@ -18,5 +18,4 @@ Feature: As a Super Admin I will be the only user | Super Admin | see | | HBX Staff | not see | | HBX Read Only | not see | - | Developer | not see | | HBX Tier3 | see | 
diff --git a/features/permissions/force_publish.feature b/features/permissions/force_publish.feature index b52f4a8252f..8387e068153 100644 --- a/features/permissions/force_publish.feature +++ b/features/permissions/force_publish.feature @@ -20,4 +20,3 @@ Feature: As a Super Admin I will be the only user | HBX Tier3 | see | | HBX Staff | not see | | HBX Read Only | not see | - | Developer | not see | diff --git a/features/permissions/new_plan_year_button.feature b/features/permissions/new_plan_year_button.feature index 1a8ed2437c5..88546efc76a 100644 --- a/features/permissions/new_plan_year_button.feature +++ b/features/permissions/new_plan_year_button.feature @@ -19,4 +19,3 @@ Feature: As a Super Admin I will be the only user | HBX Tier3 | see | | HBX Staff | not see | | HBX Read Only | not see | - | Developer | not see | diff --git a/features/permissions/view_configuration_tab.feature b/features/permissions/view_configuration_tab.feature index 7d0e932020c..4a7546a5d59 100644 --- a/features/permissions/view_configuration_tab.feature +++ b/features/permissions/view_configuration_tab.feature @@ -5,7 +5,7 @@ Feature: As a Super Admin I will be the only user Given a CCA site exists with a benefit market And there is an employer ABC Widgets Given benefit market catalog exists for ABC Widgets initial employer with health benefits - And initial employer ABC Widgets has enrollment_open benefit application + And initial employer ABC Widgets has enrollment_open benefit application Scenario Outline: HBX Staff with subroles should the config tab @@ -19,7 +19,6 @@ Feature: As a Super Admin I will be the only user | HBX Tier3 | see | | HBX Staff | see | | HBX Read Only | see | - | Developer | see | Scenario: HBX Staff with Super Admin subroles should not have the option to time travel Given that a user with a HBX staff role with Super Admin subrole exists and is logged in 
@@ -33,6 +32,3 @@ Scenario: HBX Staff with Super Admin subroles and a time travel ability enabled And the user is on the Main Page And the user goes to the Config Page Then the user will see the Time Tavel option - - - From cadb6d7ed7f8c215dae770503f29993f4a3b13c2 Mon Sep 17 00:00:00 2001 From: RyanEddyIC Date: Tue, 8 Oct 2024 10:24:54 -0400 Subject: [PATCH 4/8] rspec fixes --- app/policies/hbx_profile_policy.rb | 4 +++- spec/controllers/exchanges/hbx_profiles_controller_spec.rb | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/app/policies/hbx_profile_policy.rb b/app/policies/hbx_profile_policy.rb index 0c71f48cf9b..e2cde54d16e 100644 --- a/app/policies/hbx_profile_policy.rb +++ b/app/policies/hbx_profile_policy.rb @@ -115,7 +115,9 @@ def can_force_publish? end def show? - index? + index? || + @user.has_role?(:csr) || + @user.has_role?(:assister) end def index? diff --git a/spec/controllers/exchanges/hbx_profiles_controller_spec.rb b/spec/controllers/exchanges/hbx_profiles_controller_spec.rb index bb7f59214db..0b69a5df659 100644 --- a/spec/controllers/exchanges/hbx_profiles_controller_spec.rb +++ b/spec/controllers/exchanges/hbx_profiles_controller_spec.rb @@ -336,6 +336,7 @@ let(:person) { double("person")} let(:hbx_staff_role) { double("hbx_staff_role")} let(:hbx_profile) { double("hbx_profile", inbox: double("inbox", unread_messages: double("test")))} + let(:admin_permission) { double("permission", name: "super_admin", modify_family: true)} before :each do allow(user).to receive(:has_hbx_staff_role?).and_return(true) @@ -345,6 +346,7 @@ allow(user).to receive(:save) allow(person).to receive(:hbx_staff_role).and_return(hbx_staff_role) allow(hbx_staff_role).to receive(:hbx_profile).and_return(hbx_profile) + allow(hbx_staff_role).to receive(:permission).and_return(admin_permission) session[:dismiss_announcements] = 'hello' sign_in(user) end From d1d6f55a5122f309ca861d59a4efe783299d6adb Mon Sep 17 00:00:00 2001 
From: RyanEddyIC Date: Fri, 18 Oct 2024 10:19:22 -0400 Subject: [PATCH 5/8] refactor hbx profile policy --- app/policies/hbx_profile_policy.rb | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/app/policies/hbx_profile_policy.rb b/app/policies/hbx_profile_policy.rb index e2cde54d16e..acda4e97f70 100644 --- a/app/policies/hbx_profile_policy.rb +++ b/app/policies/hbx_profile_policy.rb @@ -9,15 +9,11 @@ def transmit_group_xml? end def update_cancel_enrollment? - staff_can_cancel_enrollment? + can_update_ssn? end def update_terminate_enrollment? - staff_can_terminate_enrollment? - end - - def configuration? - staff_view_the_configuration_tab? + can_update_ssn? end # Determines if the current user has permission to access the assister index. @@ -38,6 +34,12 @@ def assister_index? false end + def can_update_ssn? + role = user_hbx_staff_role + return false unless role + role.permission.can_update_ssn + end + def view_admin_tabs? role = user_hbx_staff_role return false unless role @@ -147,7 +149,7 @@ def product_index? end def configuration? - index? + view_the_configuration_tab? end def new? From 5d280f424e4c5afa4373cfff189c335227b2c086 Mon Sep 17 00:00:00 2001 From: RyanEddyIC Date: Fri, 18 Oct 2024 12:08:23 -0400 Subject: [PATCH 6/8] rubocop fix --- app/policies/hbx_profile_policy.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/app/policies/hbx_profile_policy.rb b/app/policies/hbx_profile_policy.rb index acda4e97f70..a09f889a3c2 100644 --- a/app/policies/hbx_profile_policy.rb +++ b/app/policies/hbx_profile_policy.rb @@ -37,6 +37,7 @@ def assister_index? def can_update_ssn? role = user_hbx_staff_role return false unless role + role.permission.can_update_ssn end From 9c28252e4eea3475df2a553e8eccd63ccc619e1b Mon Sep 17 00:00:00 2001 
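Review bot: `update_cancel_enrollment?` and `update_terminate_enrollment?` now both delegate to `can_update_ssn?`, which ties bulk enrollment cancellation and termination to the SSN-editing permission; any staff granted `can_update_ssn` for identity corrections thereby gains the bulk enrollment actions, and one grant cannot be revoked without the other. If the `staff_can_cancel_enrollment?`/`staff_can_terminate_enrollment?` helpers from the first patch were not usable, a dedicated permission, or at least a comment on `can_update_ssn?` explaining why it is the intended proxy (`# can_update_ssn is used as the marker for <permission tier — TODO name it> bulk enrollment actions`), would keep the grant auditable. The same coupling applies to the `update_terminate_enrollment?` change in this hunk.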
From: RyanEddyIC Date: Fri, 18 Oct 2024 13:02:19 -0400 Subject: [PATCH 7/8] spec permission fix --- spec/controllers/exchanges/hbx_profiles_controller_spec.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/spec/controllers/exchanges/hbx_profiles_controller_spec.rb b/spec/controllers/exchanges/hbx_profiles_controller_spec.rb index 0b69a5df659..32b1ba31c50 100644 --- a/spec/controllers/exchanges/hbx_profiles_controller_spec.rb +++ b/spec/controllers/exchanges/hbx_profiles_controller_spec.rb @@ -571,12 +571,13 @@ allow(permission).to receive(:name).and_return(permission.name) allow(permission).to receive(:modify_family).and_return(true) + allow(permission).to receive(:view_the_configuration_tab).and_return(true) sign_in(user) get :configuration end it "should render the configuration partial" do - expect(response).to have_http_status(:success) +g expect(response).to have_http_status(:success) expect(response).to render_template(:partial => 'exchanges/hbx_profiles/_configuration_index') end end From bb94226957e090725c2ac5a1710151d4e4737537 Mon Sep 17 00:00:00 2001 From: RyanEddyIC Date: Fri, 18 Oct 2024 13:05:53 -0400 Subject: [PATCH 8/8] fix spec indentation --- spec/controllers/exchanges/hbx_profiles_controller_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/controllers/exchanges/hbx_profiles_controller_spec.rb b/spec/controllers/exchanges/hbx_profiles_controller_spec.rb index 32b1ba31c50..521916b0ceb 100644 --- a/spec/controllers/exchanges/hbx_profiles_controller_spec.rb +++ b/spec/controllers/exchanges/hbx_profiles_controller_spec.rb @@ -577,7 +577,7 @@ end it "should render the configuration partial" do -g expect(response).to have_http_status(:success) + expect(response).to have_http_status(:success) expect(response).to render_template(:partial => 'exchanges/hbx_profiles/_configuration_index') end end