redirect ridp verified consumers on pre ridp pages

app/controllers/insured/consumer_roles_controller.rb

@@ -20,6 +20,7 @@ class Insured::ConsumerRolesController < ApplicationController
   before_action :validate_person_match, only: [:update]
   before_action :redirect_to_contact_preferences_if_invalid, only: [:edit]
   before_action :manual_verification_of_oos_addresses, only: [:ridp_agreement]
+  before_action :redirect_to_family_home_if_ridp_complete, only: [:edit, :update, :contact_preferences, :create_contact_preferences]
 
   FIELDS_TO_ENCRYPT = [:ssn,:dob,:first_name,:middle_name,:last_name,:gender,:user_id].freeze
 
@@ -230,6 +231,7 @@ def immigration_document_options
 
   def contact_preferences
     authorize @consumer_role, :contact_preferences?
+
     set_consumer_bookmark_url
     @consumer_role.build_nested_models_for_person
   end
@@ -248,6 +250,7 @@ def create_contact_preferences
 
   def edit
     authorize @consumer_role, :edit?
+
     set_consumer_bookmark_url
     @consumer_role.build_nested_models_for_person
     @vlp_doc_subject = get_vlp_doc_subject_by_consumer_role(@consumer_role)
@@ -697,6 +700,11 @@ def redirect_to_contact_preferences_if_invalid
     redirect_to contact_preferences_insured_consumer_role_path(@consumer_role) and return
   end
 
+  def redirect_to_family_home_if_ridp_complete
+    ridp_verified = RemoteIdentityProofingStatus.is_complete_for_consumer_role?(@consumer_role)
+    redirect_to home_insured_families_path if ridp_verified
+  end
+
   def enable_bs4_layout
     @bs4 = true if EnrollRegistry.feature_enabled?(:bs4_consumer_flow)
   end

app/policies/consumer_role_policy.rb

@@ -129,9 +129,7 @@ def edit?
       end
       return true if person.id == @record.person.id
     end
-    # FIXME: Shouldn't we be checking the access rights of the specific broker here?
-    return true if @user&.person&.has_broker_role?
-    return true if @user&.person&.has_assister_role?
+
     false
   end
 

features/insured/individual_ridp_complete_redirect.feature

@@ -0,0 +1,20 @@
+Feature: RIDP-verified consumers are redirected away from pre-RIDP pages
+
+  Consumers who have already completed Remote Identity Proofing should not
+  be able to revisit the pre-RIDP registration pages (edit personal info,
+  contact preferences). Attempting to do so should redirect them to the
+  family home page.
+
+  Background:
+    Given bs4_consumer_flow feature is enabled
+    And a consumer exists who has completed RIDP
+    And the RIDP-verified consumer is logged in
+
+  Scenario: RIDP-verified consumer visits the edit personal information page
+    When the consumer visits the edit consumer role page
+    Then the consumer should be redirected to the family home page
+
+  Scenario: RIDP-verified consumer visits the contact preferences page
+    Given EnrollRegistry enroll_sms_notifications feature is enabled
+    When the consumer visits the contact preferences page
+    Then the consumer should be redirected to the family home page

features/step_definitions/individual_ridp_complete_redirect_steps.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+Given('a consumer exists who has completed RIDP') do
+  @ridp_user = FactoryBot.create(:user, :consumer, :with_consumer_role)
+  @ridp_consumer_role = @ridp_user.person.consumer_role
+  @ridp_consumer_role.move_identity_documents_to_verified
+end
+
+Given('the RIDP-verified consumer is logged in') do
+  login_as @ridp_user, scope: :user
+end
+
+When('the consumer visits the edit consumer role page') do
+  visit edit_insured_consumer_role_path(@ridp_consumer_role)
+end
+
+When('the consumer visits the contact preferences page') do
+  visit contact_preferences_insured_consumer_role_path(@ridp_consumer_role)
+end
+
+Then('the consumer should be redirected to the family home page') do
+  expect(current_path).to eq(home_insured_families_path)
+end

spec/controllers/insured/consumer_roles_controller/consumer_roles_controller_update_spec.rb

@@ -50,6 +50,9 @@
     before(:each) do
       sign_in(user)
       allow(ConsumerRole).to receive(:find).with(consumer_role_id).and_return(consumer_role)
+      allow(consumer_role).to receive(:identity_verified?).and_return(false)
+      allow(person).to receive(:user).and_return(user)
+      allow(user).to receive(:identity_verified?).and_return(false)
       allow(consumer_role).to receive(:skip_consumer_role_callbacks=).and_return(true)
       allow(consumer_role).to receive(:update_by_person).with({"skip_person_updated_event_callback" => true, "skip_lawful_presence_determination_callbacks" => true}.merge(person_controller_parameters)).and_return(true)
       allow(EnrollRegistry[:mec_check].feature).to receive(:is_enabled).and_return(false)

spec/controllers/insured/consumer_roles_controller_spec.rb

@@ -358,6 +358,18 @@
         expect(response).to redirect_to("/insured/consumer_role/test/edit")
       end
     end
+
+    context "when RIDP is complete for the consumer role and SMS notifications are enabled" do
+      before do
+        allow(RemoteIdentityProofingStatus).to receive(:is_complete_for_consumer_role?).and_return(true)
+        allow(EnrollRegistry).to receive(:feature_enabled?).with(:enroll_sms_notifications).and_return(true)
+      end
+
+      it "redirects to family home" do
+        get :contact_preferences, params: { id: "test" }
+        expect(response).to redirect_to(home_insured_families_path)
+      end
+    end
   end
 
   context "PATCH create_contact_preferences", dbclean: :after_each do
@@ -437,6 +449,20 @@
         expect(response).to redirect_to("/insured/consumer_role/test/edit")
       end
     end
+
+    context "when RIDP is complete for the consumer role and SMS notifications are enabled" do
+      before do
+        allow(RemoteIdentityProofingStatus).to receive(:is_complete_for_consumer_role?).and_return(true)
+        allow(EnrollRegistry).to receive(:feature_enabled?).with(:enroll_sms_notifications).and_return(true)
+        allow(EnrollRegistry).to receive(:feature_enabled?).with(:ridp_rba).and_return(false)
+      end
+
+      it "redirects to family home without saving contact preferences" do
+        expect(person).not_to receive(:save)
+        patch :create_contact_preferences, params: { id: "test", person: person_params }
+        expect(response).to redirect_to(home_insured_families_path)
+      end
+    end
   end
 
   context "GET edit", dbclean: :after_each do
@@ -484,6 +510,18 @@
         include_examples "edit action behavior", sms_enabled, preferences_valid, expected_behavior
       end
     end
+
+    context "when RIDP is complete for the consumer role" do
+      before do
+        allow(RemoteIdentityProofingStatus).to receive(:is_complete_for_consumer_role?).and_return(true)
+        allow(EnrollRegistry).to receive(:feature_enabled?).with(:enroll_sms_notifications).and_return(false)
+      end
+
+      it "redirects to family home" do
+        get :edit, params: { id: "test" }
+        expect(response).to redirect_to(home_insured_families_path)
+      end
+    end
   end
 
 
@@ -536,6 +574,17 @@
       sign_in user
     end
 
+    context "when RIDP is complete for the consumer role" do
+      before do
+        allow(RemoteIdentityProofingStatus).to receive(:is_complete_for_consumer_role?).and_return(true)
+      end
+
+      it "redirects to family home" do
+        put :update, params: { person: person_params, id: "test" }
+        expect(response).to redirect_to(home_insured_families_path)
+      end
+    end
+
     context "to verify new addreses not created on updating the existing address" do
 
       before :each do

spec/policies/consumer_role_policy_spec.rb

@@ -46,18 +46,37 @@
       let(:hbx_staff_role) { FactoryBot.create(:hbx_staff_role, person: person)}
       let(:permission) { FactoryBot.create(:permission)}
 
-      it "grants access when hbx_staff" do
+      it "grants access when hbx_staff can update ssn" do
         allow(hbx_staff_role).to receive(:permission).and_return permission
         allow(person).to receive(:hbx_staff_role).and_return hbx_staff_role
         allow(hbx_staff_user).to receive(:person).and_return person
         allow(permission).to receive(:can_update_ssn).and_return true
         expect(subject).to permit(hbx_staff_user, consumer_role)
       end
 
+      it "grants access when hbx_staff may view personal info page" do
+        allow(hbx_staff_role).to receive(:permission).and_return permission
+        allow(person).to receive(:hbx_staff_role).and_return hbx_staff_role
+        allow(hbx_staff_user).to receive(:person).and_return person
+        allow(permission).to receive(:can_update_ssn).and_return false
+        allow(permission).to receive(:view_personal_info_page).and_return true
+        expect(subject).to permit(hbx_staff_user, consumer_role)
+      end
+
       it "denies access when normal user" do
         expect(subject).not_to permit(User.new, consumer_role)
       end
 
+      it "denies access when broker editing another consumer's role" do
+        broker_user = FactoryBot.create(:user, :broker, person: broker_person)
+        expect(subject).not_to permit(broker_user, consumer_role)
+      end
+
+      it "denies access when assister editing another consumer's role" do
+        assister_user = FactoryBot.create(:user, :assister, person: assister_person)
+        expect(subject).not_to permit(assister_user, consumer_role)
+      end
+
       context "consumer" do
         let(:user) { FactoryBot.create(:user, :consumer, person: consumer_role.person) }
         let(:consumer_role) { FactoryBot.create(:consumer_role) }
@@ -79,18 +98,37 @@
       let(:hbx_staff_role) { FactoryBot.create(:hbx_staff_role, person: person)}
       let(:permission) { FactoryBot.create(:permission)}
 
-      it "grants access when hbx_staff" do
+      it "grants access when hbx_staff can update ssn" do
         allow(hbx_staff_role).to receive(:permission).and_return permission
         allow(person).to receive(:hbx_staff_role).and_return hbx_staff_role
         allow(hbx_staff_user).to receive(:person).and_return person
         allow(permission).to receive(:can_update_ssn).and_return true
         expect(subject).to permit(hbx_staff_user, consumer_role)
       end
 
+      it "grants access when hbx_staff may view personal info page" do
+        allow(hbx_staff_role).to receive(:permission).and_return permission
+        allow(person).to receive(:hbx_staff_role).and_return hbx_staff_role
+        allow(hbx_staff_user).to receive(:person).and_return person
+        allow(permission).to receive(:can_update_ssn).and_return false
+        allow(permission).to receive(:view_personal_info_page).and_return true
+        expect(subject).to permit(hbx_staff_user, consumer_role)
+      end
+
       it "denies access when normal user" do
         expect(subject).not_to permit(User.new, consumer_role)
       end
 
+      it "denies access when broker editing another consumer's role" do
+        broker_user = FactoryBot.create(:user, :broker, person: broker_person)
+        expect(subject).not_to permit(broker_user, consumer_role)
+      end
+
+      it "denies access when assister editing another consumer's role" do
+        assister_user = FactoryBot.create(:user, :assister, person: assister_person)
+        expect(subject).not_to permit(assister_user, consumer_role)
+      end
+
       context "consumer" do
         let(:user) { FactoryBot.create(:user, :consumer, person: consumer_role.person) }
         let(:consumer_role) { FactoryBot.create(:consumer_role) }
@@ -112,18 +150,37 @@
       let(:hbx_staff_role) { FactoryBot.create(:hbx_staff_role, person: person)}
       let(:permission) { FactoryBot.create(:permission)}
 
-      it "grants access when hbx_staff" do
+      it "grants access when hbx_staff can update ssn" do
         allow(hbx_staff_role).to receive(:permission).and_return permission
         allow(person).to receive(:hbx_staff_role).and_return hbx_staff_role
         allow(hbx_staff_user).to receive(:person).and_return person
         allow(permission).to receive(:can_update_ssn).and_return true
         expect(subject).to permit(hbx_staff_user, consumer_role)
       end
 
+      it "grants access when hbx_staff may view personal info page" do
+        allow(hbx_staff_role).to receive(:permission).and_return permission
+        allow(person).to receive(:hbx_staff_role).and_return hbx_staff_role
+        allow(hbx_staff_user).to receive(:person).and_return person
+        allow(permission).to receive(:can_update_ssn).and_return false
+        allow(permission).to receive(:view_personal_info_page).and_return true
+        expect(subject).to permit(hbx_staff_user, consumer_role)
+      end
+
       it "denies access when normal user" do
         expect(subject).not_to permit(User.new, consumer_role)
       end
 
+      it "denies access when broker editing another consumer's role" do
+        broker_user = FactoryBot.create(:user, :broker, person: broker_person)
+        expect(subject).not_to permit(broker_user, consumer_role)
+      end
+
+      it "denies access when assister editing another consumer's role" do
+        assister_user = FactoryBot.create(:user, :assister, person: assister_person)
+        expect(subject).not_to permit(assister_user, consumer_role)
+      end
+
       context "consumer" do
         let(:user) { FactoryBot.create(:user, :consumer, person: consumer_role.person) }
         let(:consumer_role) { FactoryBot.create(:consumer_role) }