health-connector · RyanEddyIC · Oct 7, 2024 · Oct 7, 2024 · Oct 8, 2024 · Oct 8, 2024
diff --git a/app/controllers/exchanges/hbx_profiles_controller.rb b/app/controllers/exchanges/hbx_profiles_controller.rb
@@ -8,10 +8,9 @@ class Exchanges::HbxProfilesController < ApplicationController
   include HtmlScrubberUtil
   include StringScrubberUtil
 
-  before_action :modify_admin_tabs?, only: [:binder_paid, :transmit_group_xml]
   before_action :check_hbx_staff_role, except: [:request_help, :configuration, :show, :assister_index, :family_index, :update_cancel_enrollment, :update_terminate_enrollment]
   before_action :set_hbx_profile, only: [:edit, :update, :destroy]
-  before_action :view_the_configuration_tab?, only: [:configuration, :set_date]
+  before_action :view_the_configuration_tab?, only: [:set_date]
   before_action :can_submit_time_travel_request?, only: [:set_date]
   before_action :find_hbx_profile, only: [:employer_index, :configuration, :broker_agency_index, :inbox, :show, :binder_index]
   #before_action :authorize_for, except: [:edit, :update, :destroy, :request_help, :staff_index, :assister_index]
@@ -90,6 +89,8 @@ def update_fein
   end
 
   def binder_paid
+    authorize HbxProfile, :binder_paid?
+
     return unless params[:ids]
 
     begin
@@ -106,6 +107,8 @@ def binder_paid
   end
 
   def transmit_group_xml
+    authorize HbxProfile, :transmit_group_xml?
+
     HbxProfile.transmit_group_xml(params[:id].split)
     @employer_profile = EmployerProfile.find(params[:id])
     @fein = @employer_profile.fein
@@ -219,6 +222,8 @@ def staff_index
   end
 
   def assister_index
+    authorize HbxProfile, :assister_index?
+
     @q = params.permit(:q)[:q]
     @staff = Person.where(assister_role: {:$exists => true})
     @page_alphabets = page_alphabets(@staff, "last_name")
@@ -239,6 +244,9 @@ def find_email(agent, role)
   end
 
   def request_help
+    @person = Person.find(params[:person])
+    authorize @person.primary_family, :request_help?
+
     role = nil
     if params[:type]
       cac_flag = params[:type] == 'CAC'
@@ -269,12 +277,13 @@ def request_help
     else
       status_text = call_customer_service params[:firstname].strip, params[:lastname].strip
     end
-    @person = Person.find(params[:person])
     broker_view = render_to_string 'insured/families/_consumer_brokers_widget', :layout => false
     render :text => {broker: broker_view, status: status_text}.to_json, layout: false
   end
 
   def family_index
+    authorize HbxProfile, :family_index?
+
     @q = params.permit(:q)[:q]
     page_string = params.permit(:families_page)[:families_page]
     page_no = page_string.blank? ? nil : page_string.to_i
@@ -376,6 +385,8 @@ def cancel_enrollment
   end
 
   def update_cancel_enrollment
+    authorize HbxProfile, :update_cancel_enrollment?
+
     params_parser = ::Forms::BulkActionsForAdmin.new(params.permit(uniq_cancel_params).to_h)
     @result = params_parser.result
     @row = params_parser.row
@@ -395,6 +406,8 @@ def terminate_enrollment
   end
 
   def update_terminate_enrollment
+    authorize HbxProfile, :update_terminate_enrollment?
+
     params_parser = ::Forms::BulkActionsForAdmin.new(params.permit(uniq_terminate_params).to_h)
     @result = params_parser.result
     @row = params_parser.row
@@ -617,6 +630,8 @@ def product_index
   end
 
   def configuration
+    authorize HbxProfile, :configuration?
+
     @time_keeper = Forms::TimeKeeper.new
     respond_to do |format|
       format.html { render partial: "configuration_index" }
@@ -703,6 +718,9 @@ def show
         return
       end
     end
+
+    authorize HbxProfile, :show?
+
     session[:person_id] = nil
     session[:dismiss_announcements] = nil
     @unread_messages = @profile.inbox.unread_messages.try(:count) || 0

diff --git a/app/policies/family_policy.rb b/app/policies/family_policy.rb
@@ -139,6 +139,10 @@ def download_paper_application_coverall?
     coverall_market_admin?
   end
 
+  def request_help?
+    show?
+  end
+
   # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
   def legacy_show?
     user_person = @user.person

diff --git a/app/policies/hbx_profile_policy.rb b/app/policies/hbx_profile_policy.rb
@@ -1,5 +1,46 @@
 class HbxProfilePolicy < ApplicationPolicy
 
+  def binder_paid?
+    staff_modify_admin_tabs?
+  end
+
+  def transmit_group_xml?
+    staff_modify_admin_tabs?
+  end
+
+  def update_cancel_enrollment?
+    can_update_ssn?
+  end
+
+  def update_terminate_enrollment?
+    can_update_ssn?
+  end
+
+  # Determines if the current user has permission to access the assister index.
+  # The user can access the assister index if they are a primary family member,
+  # an admin, an active associated broker staff, or an active associated broker in the ACA Shop market.
+  #
+  # @return [Boolean] Returns true if the user has permission to access the assister index, false otherwise.
+  # @note This method checks for permissions across multiple roles.
+  def assister_index?
+    # Fall back on a family if it exists for the current user.
+    @family = account_holder_family
+
+    return true if shop_market_primary_family_member?
+    return true if shop_market_admin?
+    return true if active_associated_shop_market_family_broker?
+    return true if active_associated_shop_market_general_agency?
+
+    false
+  end
+
+  def can_update_ssn?
+    role = user_hbx_staff_role
+    return false unless role
+
+    role.permission.can_update_ssn
+  end
+
   def view_admin_tabs?
     role = user_hbx_staff_role
     return false unless role
@@ -73,7 +114,7 @@ def can_force_publish?
   end
 
   def show?
-    @user.has_role?(:hbx_staff) ||
+    index? ||
       @user.has_role?(:csr) ||
       @user.has_role?(:assister)
   end
@@ -105,7 +146,7 @@ def product_index?
   end
 
   def configuration?
-    index?
+    view_the_configuration_tab?
   end
 
   def new?

diff --git a/features/permissions/change_fein.feature b/features/permissions/change_fein.feature
@@ -19,4 +19,3 @@ Feature: As a Super Admin I will be the only user
       | HBX Tier3     | see     |
       | HBX Staff     | not see |
       | HBX Read Only | not see |
-      | Developer     | not see |
diff --git a/features/permissions/edit_dob_ssn_permission.feature b/features/permissions/edit_dob_ssn_permission.feature
@@ -39,13 +39,7 @@ Feature: Only Super Admin HBX Staff HBX Tier3 will be able to see & access the E
 
     Examples:
       | subrole       | action  |
-      | Super Admin   | see     |	
+      | Super Admin   | see     |
       | HBX Tier3     | see     |
       | HBX Staff     | see     |
       | HBX Read Only | not see |
-      | Developer     | not see |
-
-
-
-
-
diff --git a/features/permissions/extend_open_enrollment.feature b/features/permissions/extend_open_enrollment.feature
@@ -18,5 +18,4 @@ Feature: As a Super Admin I will be the only user
       | Super Admin   | see     |
       | HBX Staff     | not see |
       | HBX Read Only | not see |
-      | Developer     | not see |
       | HBX Tier3     | see |
diff --git a/features/permissions/force_publish.feature b/features/permissions/force_publish.feature
@@ -20,4 +20,3 @@ Feature: As a Super Admin I will be the only user
       | HBX Tier3     | see     |
       | HBX Staff     | not see |
       | HBX Read Only | not see |
-      | Developer     | not see |
diff --git a/features/permissions/new_plan_year_button.feature b/features/permissions/new_plan_year_button.feature
@@ -19,4 +19,3 @@ Feature: As a Super Admin I will be the only user
       | HBX Tier3     | see     |
       | HBX Staff     | not see |
       | HBX Read Only | not see |
-      | Developer     | not see |
diff --git a/features/permissions/view_configuration_tab.feature b/features/permissions/view_configuration_tab.feature
@@ -5,7 +5,7 @@ Feature: As a Super Admin I will be the only user
     Given a CCA site exists with a benefit market
     And there is an employer ABC Widgets
     Given benefit market catalog exists for ABC Widgets initial employer with health benefits
-    And initial employer ABC Widgets has enrollment_open benefit application 
+    And initial employer ABC Widgets has enrollment_open benefit application
 
 
   Scenario Outline: HBX Staff with <subrole> subroles should <action> the config tab
@@ -19,7 +19,6 @@ Feature: As a Super Admin I will be the only user
       | HBX Tier3     | see     |
       | HBX Staff     | see     |
       | HBX Read Only | see     |
-      | Developer     | see     |
 
 Scenario: HBX Staff with Super Admin subroles should not have the option to time travel
   Given that a user with a HBX staff role with Super Admin subrole exists and is logged in
@@ -33,6 +32,3 @@ Scenario: HBX Staff with Super Admin subroles and a time travel ability enabled
   And the user is on the Main Page
   And the user goes to the Config Page
   Then the user will see the Time Tavel option
-
-
-
diff --git a/spec/controllers/exchanges/hbx_profiles_controller_spec.rb b/spec/controllers/exchanges/hbx_profiles_controller_spec.rb
@@ -281,6 +281,7 @@
       allow(admin_permission).to receive(:name).and_return(admin_permission.name)
       allow(admin_permission).to receive(:can_submit_time_travel_request).and_return(false)
       allow(admin_permission).to receive(:view_the_configuration_tab).and_return(true)
+      allow(admin_permission).to receive(:modify_family).and_return(true)
       allow(user).to receive(:has_hbx_staff_role?).and_return(true)
       allow(user).to receive(:view_the_configuration_tab?).and_return(true)
       allow(user).to receive(:can_submit_time_travel_request?).and_return(false)
@@ -294,7 +295,9 @@
 
     it "should not render the config index for a not super admin" do
       allow(admin_permission).to receive(:view_the_configuration_tab).and_return(false)
+      allow(admin_permission).to receive(:modify_family).and_return(true)
       allow(staff_permission).to receive(:view_the_configuration_tab).and_return(true)
+      allow(staff_permission).to receive(:modify_family).and_return(true)
       allow(hbx_staff_role).to receive(:view_the_configuration_tab).and_return(false)
       allow(hbx_staff_role).to receive(:permission).and_return(staff_permission)
       allow(hbx_staff_role).to receive(:subrole).and_return(staff_permission.name)
@@ -333,6 +336,7 @@
     let(:person) { double("person")}
     let(:hbx_staff_role) { double("hbx_staff_role")}
     let(:hbx_profile) { double("hbx_profile", inbox: double("inbox", unread_messages: double("test")))}
+    let(:admin_permission) { double("permission", name: "super_admin", modify_family: true)}
 
     before :each do
       allow(user).to receive(:has_hbx_staff_role?).and_return(true)
@@ -342,6 +346,7 @@
       allow(user).to receive(:save)
       allow(person).to receive(:hbx_staff_role).and_return(hbx_staff_role)
       allow(hbx_staff_role).to receive(:hbx_profile).and_return(hbx_profile)
+      allow(hbx_staff_role).to receive(:permission).and_return(admin_permission)
       session[:dismiss_announcements] = 'hello'
       sign_in(user)
     end
@@ -502,6 +507,8 @@
     let(:hbx_staff_role) { double("hbx_staff_role")}
     let(:hbx_profile) { double("hbx_profile")}
     let(:csr_role) { double("csr_role", cac: false)}
+    let(:admin_permission) { double("permission", name: "super_admin", modify_family: true)}
+
     before :each do
       allow(person).to receive(:csr_role).and_return(double("csr_role", cac: false))
       allow(user).to receive(:person).and_return(person)
@@ -510,13 +517,17 @@
 
     it "renders the 'families index' template for hbx_staff" do
       allow(user).to receive(:has_hbx_staff_role?).and_return(true)
+      allow(person).to receive(:hbx_staff_role).and_return(hbx_staff_role)
+      allow(hbx_staff_role).to receive(:permission).and_return(admin_permission)
       get :family_index
       expect(response).to have_http_status(:success)
       expect(response).to render_template("insured/families/index")
     end
 
     it "renders the 'families index' template for csr" do
       allow(user).to receive(:has_hbx_staff_role?).and_return(false)
+      allow(person).to receive(:hbx_staff_role).and_return(hbx_staff_role)
+      allow(hbx_staff_role).to receive(:permission).and_return(admin_permission)
       get :family_index
       expect(response).to have_http_status(:success)
       expect(response).to render_template("insured/families/index")
@@ -559,13 +570,15 @@
       allow(hbx_staff_role).to receive(:subrole).and_return(permission.name)
 
       allow(permission).to receive(:name).and_return(permission.name)
+      allow(permission).to receive(:modify_family).and_return(true)
+      allow(permission).to receive(:view_the_configuration_tab).and_return(true)
       sign_in(user)
       get :configuration
     end
 
     it "should render the configuration partial" do
-      expect(response).to have_http_status(:redirect)
-      expect(response).to_not render_template(:partial => 'exchanges/hbx_profiles/_configuration_index')
+      expect(response).to have_http_status(:success)
+      expect(response).to render_template(:partial => 'exchanges/hbx_profiles/_configuration_index')
     end
   end