Staff access to filter non public places

CHANGELOG.md

@@ -45,6 +45,8 @@
         - Redaction support for photos.
         - UK Councils no questionnaires for non-updating users
         - Script to export/import response templates, #3549
+        - Include non-public report in front page search for staff. #3616
+        - Include staff categories in map filters for staff. #3616
     - Development improvements:
         - Include failure count in send report error output, #3316
         - Sort output in export script. #3323

perllib/FixMyStreet/App/Controller/Around.pm

@@ -243,7 +243,31 @@ sub check_and_stash_category : Private {
     my $where = { body_id => [ keys %bodies ], };
     $c->cobrand->call_hook('munge_around_category_where', $where);
 
-    my @categories = $c->model('DB::Contact')->not_deleted->search(
+    my $rs = $c->model('DB::Contact');
+    if ($c->user_exists) {
+        if ($c->user->is_superuser) {
+            $rs = $rs->not_deleted_admin;
+        } elsif ($c->user->has_body_permission_to('report_inspect') ||
+                 $c->user->has_body_permission_to('report_mark_private')) {
+            $where = {
+                -or => [
+                    {
+                        body_id => [ keys %bodies ],
+                        state => { -not_in => [ "deleted", "staff" ] },
+                    },
+                    {
+                        body_id => $c->user->from_body->id,
+                        state => { -not_in => [ "deleted" ] },
+                    }
+                ],
+            };
+        } else {
+            $rs = $rs->not_deleted;
+        }
+    } else {
+        $rs = $rs->not_deleted;
+    }
+    my @categories = $rs->search(
         $where,
         {
             columns => [ 'category', 'extra' ],
@@ -436,7 +460,20 @@ sub lookup_by_ref : Private {
             external_id => $ref
         ];
 
-    my $problems = $c->cobrand->problems->search({ non_public => 0, -or => $criteria });
+    my $params = {};
+    my $rs = $c->cobrand->problems;
+    $rs->non_public_if_possible($params, $c);
+    if ($params->{"-or"}) {
+        $params = {
+            -and => [
+                -or => $criteria,
+                -or => $params->{"-or"},
+            ]
+        };
+    } else {
+        $params->{"-or"} = $criteria;
+    }
+    my $problems = $rs->search($params);
 
     my $count = try {
         $problems->count;

perllib/FixMyStreet/App/Controller/Reports.pm

@@ -186,7 +186,13 @@ sub ward : Path : Args(2) {
 sub setup_categories :Private {
     my ($self, $c) = @_;
 
-    my @categories = $c->stash->{body}->contacts->not_deleted->search( undef, {
+    my $rs = $c->stash->{body}->contacts;
+    if ($c->user_exists && ($c->user->is_superuser || $c->user->from_body == $c->stash->{body}->id)) {
+        $rs = $rs->not_deleted_admin;
+    } else {
+        $rs = $rs->not_deleted;
+    }
+    my @categories = $rs->search( undef, {
         columns => [ 'id', 'category', 'extra', 'body_id', 'send_method' ],
         distinct => 1,
     } )->all_sorted;

t/app/controller/around.t

@@ -127,8 +127,9 @@ subtest 'check lat/lng for Maidenhead code' => sub {
       "got expected location for Maidenhead code";
 };
 
-my $body_edin_id = $mech->create_body_ok(2651, 'City of Edinburgh Council')->id;
-my $body_west_id = $mech->create_body_ok(2504, 'Westminster City Council')->id;
+my $body_edin = $mech->create_body_ok(2651, 'City of Edinburgh Council');
+my $body_edin_id = $body_edin->id;
+my $body_west = $mech->create_body_ok(2504, 'Westminster City Council');
 
 my @edinburgh_problems = $mech->create_problems_for_body( 5, $body_edin_id, 'Around page', {
     postcode  => 'EH1 1BB',
@@ -155,6 +156,17 @@ subtest 'check lookup by reference does not show non_public reports' => sub {
     $mech->content_contains('Searching found no reports');
 };
 
+subtest '...unless staff' => sub {
+    my $user = $mech->log_in_ok( 'test@example.com' );
+    $user->update({ from_body => $body_edin });
+    $user->user_body_permissions->find_or_create({ body => $body_edin, permission_type => 'report_mark_private' });
+    my $id = $edinburgh_problems[0]->id;
+    $mech->get_ok('/');
+    $mech->submit_form_ok( { with_fields => { pc => $id } }, 'non_public ref');
+    is $mech->uri->path, "/report/$id", "redirects to correct report";
+    $mech->log_out_ok;
+};
+
 subtest 'check non public reports are not displayed on around page' => sub {
     $mech->get_ok('/');
     $mech->submit_form_ok( { with_fields => { pc => 'EH1 1BB' } },
@@ -181,13 +193,11 @@ subtest 'check missing body message not shown when it does not need to be' => su
 
 for my $permission ( qw/ report_inspect report_mark_private/ ) {
     subtest "check non public reports are displayed on around page with $permission permission" => sub {
-        my $body = FixMyStreet::DB->resultset('Body')->find( $body_edin_id );
-        my $body2 = FixMyStreet::DB->resultset('Body')->find( $body_west_id );
         my $user = $mech->log_in_ok( 'test@example.com' );
         $user->user_body_permissions->delete();
-        $user->update({ from_body => $body });
+        $user->update({ from_body => $body_edin });
         $user->user_body_permissions->find_or_create({
-            body => $body,
+            body => $body_edin,
             permission_type => $permission,
         });
 
@@ -206,9 +216,9 @@ for my $permission ( qw/ report_inspect report_mark_private/ ) {
             'problem marked public is not visible' );
 
         $user->user_body_permissions->delete();
-        $user->update({ from_body => $body2 });
+        $user->update({ from_body => $body_west });
         $user->user_body_permissions->find_or_create({
-            body => $body2,
+            body => $body_west,
             permission_type => $permission,
         });
 
@@ -229,16 +239,15 @@ for my $permission ( qw/ report_inspect report_mark_private/ ) {
 }
 
 subtest 'check assigned-only list items do not display shortlist buttons' => sub {
-    my $body = FixMyStreet::DB->resultset('Body')->find( $body_edin_id );
-    my $contact = $mech->create_contact_ok( category => 'Horses & Ponies', body_id => $body->id, email => "horses\@example.org" );
+    my $contact = $mech->create_contact_ok( category => 'Horses & Ponies', body_id => $body_edin->id, email => "horses\@example.org" );
     $edinburgh_problems[4]->update({ category => 'Horses & Ponies' });
 
     my $user = $mech->log_in_ok( 'test@example.com' );
     $user->set_extra_metadata(assigned_categories_only => 1);
     $user->user_body_permissions->delete();
     $user->set_extra_metadata(categories => [ $contact->id ]);
-    $user->update({ from_body => $body });
-    $user->user_body_permissions->find_or_create({ body => $body, permission_type => 'planned_reports' });
+    $user->update({ from_body => $body_edin });
+    $user->user_body_permissions->find_or_create({ body => $body_edin, permission_type => 'planned_reports' });
 
     $mech->get_ok('/around?pc=EH1+1BB');
     $mech->content_contains('shortlist-add-' . $edinburgh_problems[4]->id);
@@ -322,6 +331,8 @@ subtest 'check category, status and extra filtering works on /around' => sub {
     is scalar @$pins, 1, 'correct number of external_body reports';
 };
 
+my $district = $mech->create_body_ok(2421, "Oxford City");
+
 subtest 'check categories with same name are only shown once in filters' => sub {
     my $params = {
         postcode  => 'OX20 1SZ',
@@ -331,7 +342,6 @@ subtest 'check categories with same name are only shown once in filters' => sub
     my $bbox = ($params->{longitude} - 0.01) . ',' .  ($params->{latitude} - 0.01)
                 . ',' . ($params->{longitude} + 0.01) . ',' .  ($params->{latitude} + 0.01);
 
-    my $district = $mech->create_body_ok(2421, "Oxford City");
     # Identically-named categories should be combined even if their extra metadata is different
     my $contact2 = $mech->create_contact_ok( category => "Pothole", body_id => $district->id, email => 'pothole@district-example.org' );
     $contact2->set_extra_metadata(some_extra_field => "dummy");
@@ -353,6 +363,36 @@ subtest 'check categories with same name are only shown once in filters' => sub
     };
 };
 
+subtest 'check staff categories shown appropriately in filter' => sub {
+    my $params = {
+        postcode  => 'OX20 1SZ',
+        latitude  => 51.754926,
+        longitude => -1.256179,
+    };
+    my $bbox = ($params->{longitude} - 0.01) . ',' .  ($params->{latitude} - 0.01)
+                . ',' . ($params->{longitude} + 0.01) . ',' .  ($params->{latitude} + 0.01);
+
+    $mech->create_contact_ok( category => "Needles district", body_id => $district->id, email => 'needles@district.example.org', state => 'staff' );
+    $mech->create_contact_ok( category => "Needles county", body_id => $body->id, email => 'needles@county.example.org', state => 'staff' );
+
+    FixMyStreet::override_config {
+        ALLOWED_COBRANDS => 'fixmystreet',
+        MAPIT_URL => 'http://mapit.uk/',
+        COBRAND_FEATURES => { category_groups => { fixmystreet => 1 } },
+    }, sub {
+        $mech->get_ok( '/around?bbox=' . $bbox );
+        $mech->content_lacks('<option value="Needles district">');
+        $mech->content_lacks('<option value="Needles county">');
+        my $user = $mech->log_in_ok( 'test@example.com' );
+        $user->update({ from_body => $district });
+        $user->user_body_permissions->find_or_create({ body => $district, permission_type => 'report_mark_private' });
+        $mech->get_ok( '/around?bbox=' . $bbox );
+        $mech->content_contains('<option value="Needles district">');
+        $mech->content_lacks('<option value="Needles county">');
+        $mech->log_out_ok;
+    };
+};
+
 subtest 'check old problems not shown by default on around page' => sub {
     my $params = {
         postcode  => 'OX20 1SZ',

t/app/controller/report_new_staff.t

@@ -248,6 +248,9 @@ subtest 'staff-only categories when reporting' => sub {
         $mech->get_ok('/admin/templates/' . $body_ids{2651} . '/new');
         $mech->content_contains('Trees');
 
+        $mech->get_ok('/reports/City+of+Edinburgh');
+        $mech->content_contains('<option value="Trees">');
+
         my $extra_details = $mech->get_ok_json( '/report/new/ajax?latitude=55.952055&longitude=-3.189579' );
         is_deeply [ sort keys %{$extra_details->{by_category}} ], [ 'Street lighting', 'Trees' ], 'Superuser can see staff-only category';