diff --git a/app/controllers/insured/consumer_roles_controller.rb b/app/controllers/insured/consumer_roles_controller.rb
index 9f82a9d1ad0..370c089b79e 100644
--- a/app/controllers/insured/consumer_roles_controller.rb
+++ b/app/controllers/insured/consumer_roles_controller.rb
@@ -20,6 +20,7 @@ class Insured::ConsumerRolesController < ApplicationController before_action :validate_person_match, only: [:update] before_action :redirect_to_contact_preferences_if_invalid, only: [:edit] before_action :manual_verification_of_oos_addresses, only: [:ridp_agreement] + before_action :redirect_to_family_home_if_ridp_complete, only: [:edit, :update, :contact_preferences, :create_contact_preferences] FIELDS_TO_ENCRYPT = [:ssn,:dob,:first_name,:middle_name,:last_name,:gender,:user_id].freeze
@@ -230,6 +231,7 @@ def immigration_document_options def contact_preferences authorize @consumer_role, :contact_preferences? + set_consumer_bookmark_url @consumer_role.build_nested_models_for_person end
@@ -248,6 +250,7 @@ def edit authorize @consumer_role, :edit? + set_consumer_bookmark_url @consumer_role.build_nested_models_for_person @vlp_doc_subject = get_vlp_doc_subject_by_consumer_role(@consumer_role)
@@ -697,6 +700,11 @@ def redirect_to_contact_preferences_if_invalid redirect_to contact_preferences_insured_consumer_role_path(@consumer_role) and return end + def redirect_to_family_home_if_ridp_complete + ridp_verified = RemoteIdentityProofingStatus.is_complete_for_consumer_role?(@consumer_role) + redirect_to home_insured_families_path if ridp_verified + end + def enable_bs4_layout @bs4 = true if EnrollRegistry.feature_enabled?(:bs4_consumer_flow) end
diff --git a/app/policies/consumer_role_policy.rb b/app/policies/consumer_role_policy.rb
index b4e07815899..563c678cef5 100644
--- a/app/policies/consumer_role_policy.rb
+++ b/app/policies/consumer_role_policy.rb
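Review bot: `redirect_to_family_home_if_ridp_complete` is registered after `redirect_to_contact_preferences_if_invalid` for `:edit`, so an RIDP-complete consumer whose preferences are invalid is first bounced to `contact_preferences` and only then to the family home, costing a second round trip before ending up where this change intends. Registering the new callback ahead of that one (or using `prepend_before_action`) sends them to the family home directly. Because it is a `before_action`, it also runs ahead of the `authorize @consumer_role, ...` calls that live inside the action bodies, so the redirect decision is made on a `@consumer_role` that has not been authorization-checked yet; keep that in mind when placing it in the chain. The enclosing class continues outside this hunk.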
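Review bot: Since this helper runs as a `before_action` and the `authorize` calls sit inside the actions, for any signed-in user the response to `/insured/consumer_role/:id/edit` now differs by the target's RIDP status (302 to the family home when complete, the authorization failure otherwise) before the policy is consulted — an oracle on another person's identity-proofing state, assuming `@consumer_role` is loaded from the URL id by an earlier callback. The feature file scopes this redirect to the consumer themselves, and the policy spec still expects hbx staff with the right permission to reach these pages, so the helper should fire only for the signed-in person's own role, e.g. `return unless @consumer_role&.person && @consumer_role.person == current_user&.person` (or whatever accessor the controller already uses for the signed-in person) before the status check. If staff are meant to be kept out too, at minimum move authorization into the callback chain ahead of this redirect. A short comment such as `# Consumers who finished RIDP no longer need the pre-RIDP registration pages` would also record why the redirect exists.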
@@ -129,9 +129,7 @@ def edit? end return true if person.id == @record.person.id end - # FIXME: Shouldn't we be checking the access rights of the specific broker here? - return true if @user&.person&.has_broker_role? - return true if @user&.person&.has_assister_role? + false end
diff --git a/features/insured/individual_ridp_complete_redirect.feature b/features/insured/individual_ridp_complete_redirect.feature
new file mode 100644
index 00000000000..407a9f1ab71
--- /dev/null
+++ b/features/insured/individual_ridp_complete_redirect.feature
@@ -0,0 +1,20 @@
+Feature: RIDP-verified consumers are redirected away from pre-RIDP pages
+
+ Consumers who have already completed Remote Identity Proofing should not
+ be able to revisit the pre-RIDP registration pages (edit personal info,
+ contact preferences). Attempting to do so should redirect them to the
+ family home page.
+
+ Background:
+ Given bs4_consumer_flow feature is enabled
+ And a consumer exists who has completed RIDP
+ And the RIDP-verified consumer is logged in
+
+ Scenario: RIDP-verified consumer visits the edit personal information page
+ When the consumer visits the edit consumer role page
+ Then the consumer should be redirected to the family home page
+
+ Scenario: RIDP-verified consumer visits the contact preferences page
+ Given EnrollRegistry enroll_sms_notifications feature is enabled
+ When the consumer visits the contact preferences page
+ Then the consumer should be redirected to the family home page
diff --git a/features/step_definitions/individual_ridp_complete_redirect_steps.rb b/features/step_definitions/individual_ridp_complete_redirect_steps.rb
new file mode 100644
index 00000000000..de57d97ce61
--- /dev/null
+++ b/features/step_definitions/individual_ridp_complete_redirect_steps.rb
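Review bot: `edit?` now falls through to `false` for brokers and assisters, which closes the blanket grant the removed FIXME flagged but also drops any legitimate case where a broker acts for a consumer they are actually assigned to; if that path is still required, the replacement should check the broker's assignment to `@record.person` (through whatever association the person model exposes for it) rather than deny unconditionally. It is worth confirming that `update?` and the other policy methods used by this controller either delegate to `edit?` or were adjusted to match, otherwise a broker denied `edit` may still be permitted `update`. The `edit?` method begins before this hunk.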
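Review bot: Both scenarios exercise only the GET pages, while the controller change also guards the `update` and `create_contact_preferences` writes, and nothing here shows that a consumer who has not completed RIDP still reaches the edit page, so a regression that redirected everyone would pass this feature unchanged. Add a scenario that submits the edit form as the RIDP-verified consumer and asserts the person's data is unchanged, and a negative scenario for an unverified consumer landing on the edit page. `Given EnrollRegistry enroll_sms_notifications feature is enabled` appears only in the second scenario; if the redirect is expected regardless of that flag, a one-line note in the feature description saying so would stop a reader from assuming the flag is a precondition.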
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+Given('a consumer exists who has completed RIDP') do
+ @ridp_user = FactoryBot.create(:user, :consumer, :with_consumer_role)
+ @ridp_consumer_role = @ridp_user.person.consumer_role
+ @ridp_consumer_role.move_identity_documents_to_verified
+end
+
+Given('the RIDP-verified consumer is logged in') do
+ login_as @ridp_user, scope: :user
+end
+
+When('the consumer visits the edit consumer role page') do
+ visit edit_insured_consumer_role_path(@ridp_consumer_role)
+end
+
+When('the consumer visits the contact preferences page') do
+ visit contact_preferences_insured_consumer_role_path(@ridp_consumer_role)
+end
+
+Then('the consumer should be redirected to the family home page') do
+ expect(current_path).to eq(home_insured_families_path)
+end
diff --git a/spec/controllers/insured/consumer_roles_controller/consumer_roles_controller_update_spec.rb b/spec/controllers/insured/consumer_roles_controller/consumer_roles_controller_update_spec.rb
index 6f3ab30887e..23093063ce7 100644
--- a/spec/controllers/insured/consumer_roles_controller/consumer_roles_controller_update_spec.rb
+++ b/spec/controllers/insured/consumer_roles_controller/consumer_roles_controller_update_spec.rb
@@ -50,6 +50,9 @@ before(:each) do sign_in(user) allow(ConsumerRole).to receive(:find).with(consumer_role_id).and_return(consumer_role) + allow(consumer_role).to receive(:identity_verified?).and_return(false) + allow(person).to receive(:user).and_return(user) + allow(user).to receive(:identity_verified?).and_return(false) allow(consumer_role).to receive(:skip_consumer_role_callbacks=).and_return(true) allow(consumer_role).to receive(:update_by_person).with({"skip_person_updated_event_callback" => true, "skip_lawful_presence_determination_callbacks" => true}.merge(person_controller_parameters)).and_return(true) allow(EnrollRegistry[:mec_check].feature).to receive(:is_enabled).and_return(false)
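Review bot: `expect(current_path).to eq(home_insured_families_path)` in the `Then` step reads the path once with no Capybara retry, so under a JavaScript driver it can run before the redirect has landed and flake; `expect(page).to have_current_path(home_insured_families_path)` waits for it. The `Given` step relies on `move_identity_documents_to_verified` being enough to make `RemoteIdentityProofingStatus.is_complete_for_consumer_role?` return true, which is an assumption about that model method — the update spec in this same commit stubs both `consumer_role.identity_verified?` and `user.identity_verified?`, suggesting the status check may consult more than the consumer role. Pin the precondition in the step so a silent mismatch fails loudly, e.g. `expect(RemoteIdentityProofingStatus.is_complete_for_consumer_role?(@ridp_consumer_role)).to be true`.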
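Review bot: Stubbing `consumer_role.identity_verified?`, `person.user` and `user.identity_verified?` to keep the new before_action from redirecting couples this spec to the internals of `RemoteIdentityProofingStatus.is_complete_for_consumer_role?`; the controller spec in this same commit stubs that class method directly, and doing the same here — `allow(RemoteIdentityProofingStatus).to receive(:is_complete_for_consumer_role?).with(consumer_role).and_return(false)` — keeps the two specs consistent and survives a change to how completion is computed. The `before(:each)` block begins before this hunk.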
diff --git a/spec/controllers/insured/consumer_roles_controller_spec.rb b/spec/controllers/insured/consumer_roles_controller_spec.rb
index bdfce37511a..fe035eaa85e 100644
--- a/spec/controllers/insured/consumer_roles_controller_spec.rb
+++ b/spec/controllers/insured/consumer_roles_controller_spec.rb
@@ -358,6 +358,18 @@ expect(response).to redirect_to("/insured/consumer_role/test/edit") end end + + context "when RIDP is complete for the consumer role and SMS notifications are enabled" do + before do + allow(RemoteIdentityProofingStatus).to receive(:is_complete_for_consumer_role?).and_return(true) + allow(EnrollRegistry).to receive(:feature_enabled?).with(:enroll_sms_notifications).and_return(true) + end + + it "redirects to family home" do + get :contact_preferences, params: { id: "test" } + expect(response).to redirect_to(home_insured_families_path) + end + end end context "PATCH create_contact_preferences", dbclean: :after_each do
@@ -437,6 +449,20 @@ expect(response).to redirect_to("/insured/consumer_role/test/edit") end end + + context "when RIDP is complete for the consumer role and SMS notifications are enabled" do + before do + allow(RemoteIdentityProofingStatus).to receive(:is_complete_for_consumer_role?).and_return(true) + allow(EnrollRegistry).to receive(:feature_enabled?).with(:enroll_sms_notifications).and_return(true) + allow(EnrollRegistry).to receive(:feature_enabled?).with(:ridp_rba).and_return(false) + end + + it "redirects to family home without saving contact preferences" do + expect(person).not_to receive(:save) + patch :create_contact_preferences, params: { id: "test", person: person_params } + expect(response).to redirect_to(home_insured_families_path) + end + end end context "GET edit", dbclean: :after_each do
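Review bot: `allow(RemoteIdentityProofingStatus).to receive(:is_complete_for_consumer_role?).and_return(true)` is stubbed without `.with(consumer_role)`, here and in the other new contexts, so these examples would still pass if the callback evaluated the wrong object (a `nil` `@consumer_role`, or the signed-in user's role instead of the one named in the URL); add `.with(consumer_role)` so the argument is pinned. The `expect(person).not_to receive(:save)` assertion is the right shape for a write action and is worth mirroring wherever the `update` path is tested. The enclosing `context` block begins before this hunk.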
@@ -484,6 +510,18 @@ include_examples "edit action behavior", sms_enabled, preferences_valid, expected_behavior end end + + context "when RIDP is complete for the consumer role" do + before do + allow(RemoteIdentityProofingStatus).to receive(:is_complete_for_consumer_role?).and_return(true) + allow(EnrollRegistry).to receive(:feature_enabled?).with(:enroll_sms_notifications).and_return(false) + end + + it "redirects to family home" do + get :edit, params: { id: "test" } + expect(response).to redirect_to(home_insured_families_path) + end + end end
@@ -536,6 +574,17 @@ sign_in user end + context "when RIDP is complete for the consumer role" do + before do + allow(RemoteIdentityProofingStatus).to receive(:is_complete_for_consumer_role?).and_return(true) + end + + it "redirects to family home" do + put :update, params: { person: person_params, id: "test" } + expect(response).to redirect_to(home_insured_families_path) + end + end + context "to verify new addreses not created on updating the existing address" do before :each do
diff --git a/spec/policies/consumer_role_policy_spec.rb b/spec/policies/consumer_role_policy_spec.rb
index 7ac9fa59460..a9a3ff06bde 100644
--- a/spec/policies/consumer_role_policy_spec.rb
+++ b/spec/policies/consumer_role_policy_spec.rb
@@ -46,7 +46,7 @@ let(:hbx_staff_role) { FactoryBot.create(:hbx_staff_role, person: person)} let(:permission) { FactoryBot.create(:permission)} - it "grants access when hbx_staff" do + it "grants access when hbx_staff can update ssn" do allow(hbx_staff_role).to receive(:permission).and_return permission allow(person).to receive(:hbx_staff_role).and_return hbx_staff_role allow(hbx_staff_user).to receive(:person).and_return person
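Review bot: The new `update` context asserts only the redirect and not that the write was skipped, yet `update` is the one action in this hunk that mutates the person, so a callback that redirected after persisting would still pass. Add `expect(consumer_role).not_to receive(:update_by_person)` before the `put`, the same way the `create_contact_preferences` context in this file guards with `expect(person).not_to receive(:save)`. The `before` block containing `sign_in user` and the enclosing `context` both begin before this hunk.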
@@ -54,10 +54,29 @@ expect(subject).to permit(hbx_staff_user, consumer_role) end + it "grants access when hbx_staff may view personal info page" do + allow(hbx_staff_role).to receive(:permission).and_return permission + allow(person).to receive(:hbx_staff_role).and_return hbx_staff_role + allow(hbx_staff_user).to receive(:person).and_return person + allow(permission).to receive(:can_update_ssn).and_return false + allow(permission).to receive(:view_personal_info_page).and_return true + expect(subject).to permit(hbx_staff_user, consumer_role) + end + it "denies access when normal user" do expect(subject).not_to permit(User.new, consumer_role) end + it "denies access when broker editing another consumer's role" do + broker_user = FactoryBot.create(:user, :broker, person: broker_person) + expect(subject).not_to permit(broker_user, consumer_role) + end + + it "denies access when assister editing another consumer's role" do + assister_user = FactoryBot.create(:user, :assister, person: assister_person) + expect(subject).not_to permit(assister_user, consumer_role) + end + context "consumer" do let(:user) { FactoryBot.create(:user, :consumer, person: consumer_role.person) } let(:consumer_role) { FactoryBot.create(:consumer_role) }
@@ -79,7 +98,7 @@ let(:hbx_staff_role) { FactoryBot.create(:hbx_staff_role, person: person)} let(:permission) { FactoryBot.create(:permission)} - it "grants access when hbx_staff" do + it "grants access when hbx_staff can update ssn" do allow(hbx_staff_role).to receive(:permission).and_return permission allow(person).to receive(:hbx_staff_role).and_return hbx_staff_role allow(hbx_staff_user).to receive(:person).and_return person
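Review bot: The new broker and assister examples reference `broker_person` and `assister_person`, which are not defined anywhere in this hunk; unless matching `let`s exist earlier in the file, both examples will fail with `NameError` rather than exercising the policy. They also cover only a broker with no relationship to `consumer_role`, which is the case the removed FIXME was never worried about — add an example where the broker is assigned to `consumer_role.person` so that the behaviour for that case (now denied by `edit?`) is asserted deliberately rather than incidentally. The enclosing `describe` begins before this hunk.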
@@ -87,10 +106,29 @@ expect(subject).to permit(hbx_staff_user, consumer_role) end + it "grants access when hbx_staff may view personal info page" do + allow(hbx_staff_role).to receive(:permission).and_return permission + allow(person).to receive(:hbx_staff_role).and_return hbx_staff_role + allow(hbx_staff_user).to receive(:person).and_return person + allow(permission).to receive(:can_update_ssn).and_return false + allow(permission).to receive(:view_personal_info_page).and_return true + expect(subject).to permit(hbx_staff_user, consumer_role) + end + it "denies access when normal user" do expect(subject).not_to permit(User.new, consumer_role) end + it "denies access when broker editing another consumer's role" do + broker_user = FactoryBot.create(:user, :broker, person: broker_person) + expect(subject).not_to permit(broker_user, consumer_role) + end + + it "denies access when assister editing another consumer's role" do + assister_user = FactoryBot.create(:user, :assister, person: assister_person) + expect(subject).not_to permit(assister_user, consumer_role) + end + context "consumer" do let(:user) { FactoryBot.create(:user, :consumer, person: consumer_role.person) } let(:consumer_role) { FactoryBot.create(:consumer_role) }
@@ -112,7 +150,7 @@ let(:hbx_staff_role) { FactoryBot.create(:hbx_staff_role, person: person)} let(:permission) { FactoryBot.create(:permission)} - it "grants access when hbx_staff" do + it "grants access when hbx_staff can update ssn" do allow(hbx_staff_role).to receive(:permission).and_return permission allow(person).to receive(:hbx_staff_role).and_return hbx_staff_role allow(hbx_staff_user).to receive(:person).and_return person
@@ -120,10 +158,29 @@ expect(subject).to permit(hbx_staff_user, consumer_role) end + it "grants access when hbx_staff may view personal info page" do + allow(hbx_staff_role).to receive(:permission).and_return permission + allow(person).to receive(:hbx_staff_role).and_return hbx_staff_role + allow(hbx_staff_user).to receive(:person).and_return person + allow(permission).to receive(:can_update_ssn).and_return false + allow(permission).to receive(:view_personal_info_page).and_return true + expect(subject).to permit(hbx_staff_user, consumer_role) + end + it "denies access when normal user" do expect(subject).not_to permit(User.new, consumer_role) end + it "denies access when broker editing another consumer's role" do + broker_user = FactoryBot.create(:user, :broker, person: broker_person) + expect(subject).not_to permit(broker_user, consumer_role) + end + + it "denies access when assister editing another consumer's role" do + assister_user = FactoryBot.create(:user, :assister, person: assister_person) + expect(subject).not_to permit(assister_user, consumer_role) + end + context "consumer" do let(:user) { FactoryBot.create(:user, :consumer, person: consumer_role.person) } let(:consumer_role) { FactoryBot.create(:consumer_role) }
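Review bot: This hunk is the third verbatim copy of the staff / normal-user / broker / assister example set (the same block is added at `-54` and `-87`), presumably once per `permissions` group the spec covers. Extracting the four examples into a `shared_examples` block and calling `include_examples` in each group would keep the three in step the next time the policy changes, instead of relying on a reviewer to notice that one copy drifted. The enclosing `describe` begins before this hunk.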