diff --git a/app/models/signon_identity.rb b/app/models/signon_identity.rb
index e3007820e..bd10aa347 100644
--- a/app/models/signon_identity.rb
+++ b/app/models/signon_identity.rb
@@ -7,6 +7,7 @@ class SignonIdentity
   class InvalidSessionData < RuntimeError; end
   ADMIN_ROLE = 'ROLE_PVB_ADMIN'
+  REQUEST_ROLE = 'ROLE_PVB_REQUESTS'
   class << self
     def from_omniauth(omniauth_auth)
@@ -92,7 +93,14 @@ def logout_url(redirect_to: nil)
   end
   def accessible_estates
-    @accessible_estates ||= estate_sso_mapper.accessible_estates.order(:nomis_id).to_a
+    @accessible_estates ||= begin
+      # Ensure that user has at least one valid role
+      if @roles.select { |role| [ADMIN_ROLE, REQUEST_ROLE].include?(role) }.empty?
+        []
+      else
+        estate_sso_mapper.accessible_estates.order(:nomis_id).to_a
+      end
+    end
   end
   def accessible_estates?(estates)
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index cb4cf63a2..01bc05dd7 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -70,7 +70,7 @@
       {
         'user_id' => user.id,
         'full_name' => 'Joe Bloggs',
-        'roles' => [],
+        'roles' => [SignonIdentity::REQUEST_ROLE],
         'logout_url' => 'http://example.com/logout',
         'organisations' => [estate_nomis_id]
       }
diff --git a/spec/models/signon_identity_spec.rb b/spec/models/signon_identity_spec.rb
index 89c02b6ed..37210b68b 100644
--- a/spec/models/signon_identity_spec.rb
+++ b/spec/models/signon_identity_spec.rb
@@ -11,7 +11,7 @@
       'organisations' => organisations,
       'first_name' => 'Joe',
       'last_name' => 'Bloggs',
-      'roles' => []
+      'roles' => [SignonIdentity::REQUEST_ROLE]
     }
   end
@@ -127,7 +127,7 @@
     let!(:swansea_org_name) { 'swansea.noms' }
     let!(:swansea_estate) { create(:estate, sso_organisation_name: swansea_org_name, nomis_id: 'SWI') }
     let!(:orgs) { [swansea_estate, cardiff_estate] }
-    let!(:roles) { [] }
+    let!(:roles) { [SignonIdentity::REQUEST_ROLE] }
     let!(:serialization) do
       {
         'user_id' => user.id,
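Review bot: In the `accessible_estates` hunk, `@roles.select { |role| [ADMIN_ROLE, REQUEST_ROLE].include?(role) }.empty?` allocates a throwaway array just to test membership; `(@roles & [ADMIN_ROLE, REQUEST_ROLE]).empty?` or `@roles.none? { |role| [ADMIN_ROLE, REQUEST_ROLE].include?(role) }` states the intent directly, and the permitted set belongs in a frozen constant beside the two role constants added in the -7 hunk, e.g. `ESTATE_ROLES = [ADMIN_ROLE, REQUEST_ROLE].freeze`, so every authorisation check in this class reads the same list. The guard dereferences `@roles` unconditionally; if a session or omniauth payload can omit `roles` (how `@roles` is assigned is not visible in this diff) the call raises NoMethodError rather than denying access, so `Array(@roles)` is the safer form. The role check lives only inside this memoised getter, so any code that reaches `estate_sso_mapper` directly bypasses it — worth confirming, and worth stating in a comment on `accessible_estates?`, whose definition closes the hunk and continues outside it.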
@@ -168,6 +168,14 @@
         expect(subject.accessible_estates).to include(pentonville_estate)
       end
     end
+
+    context 'without the role' do
+      let(:roles) { [] }
+
+      it 'has no estates' do
+        expect(subject.accessible_estates).to eq([])
+      end
+    end
   end
   it 'builds the logout url required for SSO' do
diff --git a/spec/shared_process_setup_context.rb b/spec/shared_process_setup_context.rb
index 62bd2756a..3b6258776 100644
--- a/spec/shared_process_setup_context.rb
+++ b/spec/shared_process_setup_context.rb
@@ -47,7 +47,7 @@ def choose_date
         'organisations' => [
           vst.prison.estate.nomis_id
         ],
-        'roles' => [],
+        'roles' => [SignonIdentity::REQUEST_ROLE],
       }
     }
   end
diff --git a/spec/support/helpers/controller_helper.rb b/spec/support/helpers/controller_helper.rb
index 57695e84b..1bd99cfb2 100644
--- a/spec/support/helpers/controller_helper.rb
+++ b/spec/support/helpers/controller_helper.rb
@@ -5,7 +5,7 @@ def login_user(user, current_estates:, available_estates: [current_estates.first
     sso_identity = SignonIdentity.new(
       user,
       full_name: FFaker::Name.name,
-      roles: [],
+      roles: [SignonIdentity::REQUEST_ROLE],
       logout_url: '',
       organisations: orgs
     )
diff --git a/spec/support/helpers/service_helpers.rb b/spec/support/helpers/service_helpers.rb
index eee708df1..9553fbcbf 100644
--- a/spec/support/helpers/service_helpers.rb
+++ b/spec/support/helpers/service_helpers.rb
@@ -24,7 +24,7 @@ def simulate_api_error_for(api, exception_class = Nomis::APIError)
   end
   # allow feature tests to login for specific prisons
-  def prison_login(estates, email_address = 'joe@example.com', roles = [])
+  def prison_login(estates, email_address = 'joe@example.com', roles = [SignonIdentity::REQUEST_ROLE])
     sso_response = { 'uid' => '1234-1234-1234-1234',
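Review bot: The new `context 'without the role'` in spec/models/signon_identity_spec.rb only exercises an empty roles array, so the two other branches of the model's guard stay untested: a user whose roles contain no PVB role at all, and a user holding `ADMIN_ROLE` alone. A sibling context with `let(:roles) { ['ROLE_UNRELATED'] }` (constructed value) expecting `eq([])`, and one with `let(:roles) { [SignonIdentity::ADMIN_ROLE] }` expecting the estates, would pin the access decision on both sides. The enclosing describe block and the `subject` it relies on start outside this hunk.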