Protect staff name & phone fields in FMS front-end.

.cypress/cypress/integration/staff.js

@@ -3,7 +3,7 @@ Cypress.Commands.add('cleanUpXHR', function() {
 });
 
 describe('Staff user tests', function() {
-    it('report as defaults to body', function() {
+    beforeEach(function() {
         cy.server();
         cy.route('/report/new/ajax*').as('report-ajax');
         cy.request({
@@ -18,29 +18,47 @@ describe('Staff user tests', function() {
         cy.get('[name=pc]').parents('form').submit();
         cy.url().should('include', '/around');
         cy.get('#map_box').click(240, 249);
+        cy.wait('@report-ajax');
+    });
+
+    it('report as defaults to body', function() {
         cy.get('[name=form_as]').should('have.value', 'body');
         cy.cleanUpXHR();
     });
 
     it('report title and detail are correctly prefilled', function() {
-        cy.server();
-        cy.route('/report/new/ajax*').as('report-ajax');
-        cy.request({
-          method: 'POST',
-          url: '/auth?r=/',
-          form: true,
-          body: { username: 'cs_full@example.org', password_sign_in: 'password' }
-        });
-        cy.visit('/');
-        cy.contains('Go');
-        cy.get('[name=pc]').type(Cypress.env('postcode'));
-        cy.get('[name=pc]').parents('form').submit();
-        cy.url().should('include', '/around');
-        cy.get('#map_box').click(240, 249);
-        cy.wait('@report-ajax');
         cy.pickCategory('Graffiti (offensive)');
         cy.get('[name=title]').should('have.value', 'A Graffiti (offensive) problem has been found');
         cy.get('[name=detail]').should('have.value', 'A Graffiti (offensive) problem has been found by Borsetshire County Council');
         cy.cleanUpXHR();
     });
+
+    it('does not let staff update their name, phone or email address whilst reporting or updating', function() {
+        // Lest CS staff forget to select 'report as another user' and type the reporter's details over their own.
+
+        cy.pickCategory('Flytipping');
+        // Skip through to about you page
+        cy.nextPageReporting();
+        cy.nextPageReporting();
+        cy.nextPageReporting();
+
+        // about you page
+        cy.get('#form_as').select('myself');
+        cy.get('[name=username]').should('be.disabled'); // (already protected)
+        cy.get('[name=phone]').should('be.disabled');
+        cy.get('[name=name]').should('have.attr', 'readonly');
+        cy.get('#map_sidebar').parents('form').submit();
+
+        // now check update page (going via 'Your account')
+        // (clicking on h1 conf link leaves staff fields still locked, so test passes in error)
+        cy.visit('/my');
+        cy.get('#js-reports-list li:first-child').click();
+
+        // update about you
+        cy.get('#form_update').type("this is an update");
+        cy.get('button.js-reporting-page--next').click();
+        cy.get('[name=username]').should('be.disabled'); // (already protected)
+        cy.get('[name=name]').should('have.attr', 'readonly');
+        cy.get('input[name=submit_register]').click();
+    });
 });

CHANGELOG.md

@@ -7,6 +7,7 @@
         - Map page pagination links now styled as links rather than buttons. #3727
         - Include username in inactive email.
         - Update document title on client-side new report page transition.
+        - Disable staff phone and name fields to avoid accidental overwriting.
     - Bugfixes:
         - Add ID attributes to change password form inputs.
         - Fix link deactivation for privacy policy link on privacy policy page. #3704

docs/_includes/admin-tasks-content.md

@@ -165,6 +165,14 @@ citizen’s experience](/pro-manual/citizens-experience/)'. Those with the appro
 the report-making interface, labeled ‘Report As’. Select either the council, ‘yourself’, ‘anonymous’ or
 ‘another user’.
 
+In order to reduce confusion for customer service staff, the email,
+name and phone number fields in the reporting and update pages are
+disabled for staff users. This avoids accidental overwriting of their
+own details with those of e.g. citizens making reports over the
+telephone in case staff forget to switch the ‘Report As’ control to
+‘another user’.
+
+
 If a user has the ‘Default to creating reports/update as the council’
 permission then the dropdown will default to reporting as the council.
 Staff with the ’Markup problem details’ permission will also default to

templates/web/base/report/new/form_user_loggedin.html

@@ -18,7 +18,7 @@
 [% BLOCK form_as %]
     <label for="form_as">[% loc('Report as') %]</label>
     <select id="form_as" class="form-control js-contribute-as" name="form_as">
-        <option value="myself" [% c.user.from_body AND ( c.user.has_body_permission_to('planned_reports') || c.user.has_body_permission_to('default_to_body') ) ? '' : 'selected'  %]>[% loc('Yourself') %]</option>
+        <option value="myself" [% c.user.from_body AND ( c.user.has_body_permission_to('planned_reports') || c.user.has_body_permission_to('default_to_body') ) ? '' : 'selected'  %]>[% loc('Yourself') %] [% IF c.user.name %]([% c.user.name %])[% END %]</option>
       [% IF js || can_contribute_as_anonymous_user %]
         <option value="anonymous_user">[% loc('Anonymous user') %]</option>
       [% END %]

templates/web/base/report/update/form_user_loggedin.html

@@ -11,7 +11,7 @@
   [% IF can_contribute_as_another_user OR can_contribute_as_body OR can_contribute_as_anonymous_user %]
     <label for="form_as">[% loc('Provide update as') %]</label>
     <select id="form_as" class="form-control js-contribute-as" name="form_as">
-        <option value="myself" selected>[% loc('Yourself') %]</option>
+        <option value="myself" selected>[% loc('Yourself') %] [% IF c.user.name %]([% c.user.name %])[% END %]</option>
       [% IF can_contribute_as_another_user %]
         <option value="another_user">[% loc('Another user') %]</option>
       [% END %]

web/cobrands/fixmystreet/staff.js

@@ -102,13 +102,15 @@ fixmystreet.staff_set_up = {
         var $phoneInput = $('input[name=phone]');
         var $showNameCheckbox = $('input[name=may_show_name]');
         var $addAlertCheckbox = $('#form_add_alert');
+        var $extraTitle = $('select#form_fms_extra_title'); // May not be present
         if (val === 'myself') {
             $emailInput.val($emailInput.prop('defaultValue')).prop('disabled', true);
             $emailOptionalLabel.addClass('hidden');
-            $nameInput.val($nameInput.prop('defaultValue')).prop('disabled', false);
-            $phoneInput.val($phoneInput.prop('defaultValue')).prop('disabled', false);
+            $nameInput.val($nameInput.prop('defaultValue')).prop('disabled', false).prop('readonly', true);
+            $phoneInput.val($phoneInput.prop('defaultValue')).prop('disabled', true);
             $showNameCheckbox.prop('checked', false).prop('disabled', false);
             $addAlertCheckbox.prop('checked', true).prop('disabled', false);
+            $extraTitle.prop('disabled', true);
         } else if (val === 'another_user') {
             $emailInput.val('').prop('disabled', false);
             if (!$phoneInput.length) {
@@ -119,24 +121,27 @@ fixmystreet.staff_set_up = {
                 $emailOptionalLabel.removeClass('hidden');
                 $emailInput.removeClass('required');
             }
-            $nameInput.val('').prop('disabled', false);
+            $nameInput.val('').prop('disabled', false).prop('readonly', false);
             $phoneInput.val('').prop('disabled', false);
             $showNameCheckbox.prop('checked', false).prop('disabled', true);
             $addAlertCheckbox.prop('checked', true).prop('disabled', false);
+            $extraTitle.prop('disabled', false);
         } else if (val === 'anonymous_user') {
             $emailInput.val('-').prop('disabled', true);
             $emailOptionalLabel.addClass('hidden');
             $nameInput.val('-').prop('disabled', true);
             $phoneInput.val('-').prop('disabled', true);
             $showNameCheckbox.prop('checked', false).prop('disabled', true);
             $addAlertCheckbox.prop('checked', false).prop('disabled', true);
+            $extraTitle.prop('disabled', true);
         } else if (val === 'body') {
             $emailInput.val('-').prop('disabled', true);
             $emailOptionalLabel.addClass('hidden');
             $nameInput.val(txt).prop('disabled', true);
             $phoneInput.val('-').prop('disabled', true);
             $showNameCheckbox.prop('checked', true).prop('disabled', true);
             $addAlertCheckbox.prop('checked', false).prop('disabled', true);
+            $extraTitle.prop('disabled', true);
         }
     });
     $('.js-contribute-as').trigger('change');
@@ -454,6 +459,7 @@ $(function() {
 });
 
 $(fixmystreet).on('display:report', function() {
+    fixmystreet.staff_set_up.contribute_as();
     fixmystreet.staff_set_up.moderation();
     fixmystreet.staff_set_up.response_templates();
     if ($("#report_inspect_form").length) {