Add requirement for PVB_REQUEST role to application

app/models/signon_identity.rb

@@ -7,6 +7,7 @@ class SignonIdentity
   class InvalidSessionData < RuntimeError; end
 
   ADMIN_ROLE = 'ROLE_PVB_ADMIN'
+  REQUEST_ROLE = 'ROLE_PVB_REQUESTS'
 
   class << self
     def from_omniauth(omniauth_auth)
@@ -92,7 +93,14 @@ def logout_url(redirect_to: nil)
   end
 
   def accessible_estates
-    @accessible_estates ||= estate_sso_mapper.accessible_estates.order(:nomis_id).to_a
+    @accessible_estates ||= begin
+      # Ensure that user has at least one valid role
+      if @roles.select { |role| [ADMIN_ROLE, REQUEST_ROLE].include?(role) }.empty?
+        []
+      else
+        estate_sso_mapper.accessible_estates.order(:nomis_id).to_a
+      end
+    end
   end
 
   def accessible_estates?(estates)

spec/controllers/sessions_controller_spec.rb

@@ -70,7 +70,7 @@
       {
         'user_id' => user.id,
         'full_name' => 'Joe Bloggs',
-        'roles' => [],
+        'roles' => [SignonIdentity::REQUEST_ROLE],
         'logout_url' => 'http://example.com/logout',
         'organisations' => [estate_nomis_id]
       }

spec/models/signon_identity_spec.rb

@@ -11,7 +11,7 @@
         'organisations' => organisations,
         'first_name' => 'Joe',
         'last_name' => 'Bloggs',
-        'roles' => []
+        'roles' => [SignonIdentity::REQUEST_ROLE]
       }
     end
 
@@ -127,7 +127,7 @@
     let!(:swansea_org_name)   { 'swansea.noms' }
     let!(:swansea_estate)     { create(:estate, sso_organisation_name: swansea_org_name, nomis_id: 'SWI') }
     let!(:orgs)               { [swansea_estate, cardiff_estate] }
-    let!(:roles)               { [] }
+    let!(:roles)               { [SignonIdentity::REQUEST_ROLE] }
     let!(:serialization) do
       {
         'user_id' => user.id,
@@ -168,6 +168,14 @@
           expect(subject.accessible_estates).to include(pentonville_estate)
         end
       end
+
+      context 'without the role' do
+        let(:roles) { [] }
+
+        it 'has no estates' do
+          expect(subject.accessible_estates).to eq([])
+        end
+      end
     end
 
     it 'builds the logout url required for SSO' do

spec/shared_process_setup_context.rb

@@ -47,7 +47,7 @@ def choose_date
         'organisations' => [
           vst.prison.estate.nomis_id
         ],
-        'roles' => [],
+        'roles' => [SignonIdentity::REQUEST_ROLE],
       }
     }
   end

spec/support/helpers/controller_helper.rb

@@ -5,7 +5,7 @@ def login_user(user, current_estates:, available_estates: [current_estates.first
     sso_identity = SignonIdentity.new(
       user,
       full_name: FFaker::Name.name,
-      roles: [],
+      roles: [SignonIdentity::REQUEST_ROLE],
       logout_url: '',
       organisations: orgs
     )

spec/support/helpers/service_helpers.rb

@@ -24,7 +24,7 @@ def simulate_api_error_for(api, exception_class = Nomis::APIError)
   end
 
   # allow feature tests to login for specific prisons
-  def prison_login(estates, email_address = 'joe@example.com', roles = [])
+  def prison_login(estates, email_address = 'joe@example.com', roles = [SignonIdentity::REQUEST_ROLE])
     sso_response =
       {
         'uid' => '1234-1234-1234-1234',