ECIL-485 Fix approval request workbasket logic.

Changes: - Only show approval requests to users with manage_contacts_and_agents permission - Fix unrelated ExampleConditionalGDSModelForm conditional_fields.
uktrade · Feb 21, 2025 · 9f64492 · 9f64492
1 parent 9c2f2ac
commit 9f64492
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 4 deletions.
diff --git a/web/domains/workbasket/app_data.py b/web/domains/workbasket/app_data.py
@@ -303,7 +303,12 @@ def _get_importer_queryset(user: User) -> list[QuerySet]:
         .filter(
             is_active=True,
             status=ApprovalRequest.Statuses.OPEN,
-            access_request__importeraccessrequest__link__in=main_importers,
+            # Only show approval requests for orgs the user can manage
+            access_request__importeraccessrequest__link__in=get_objects_for_user(
+                user,
+                Perms.obj.importer.manage_contacts_and_agents,
+                main_importers,
+            ),
         )
     )
 
@@ -381,7 +386,12 @@ def _get_exporter_queryset(user: User) -> list[QuerySet]:
         .filter(
             is_active=True,
             status=ApprovalRequest.Statuses.OPEN,
-            access_request__exporteraccessrequest__link__in=main_exporters,
+            # Only show approval requests for orgs the user can manage
+            access_request__exporteraccessrequest__link__in=get_objects_for_user(
+                user,
+                Perms.obj.exporter.manage_contacts_and_agents,
+                main_exporters,
+            ),
         )
     )
 

diff --git a/web/ecil/forms/forms_example.py b/web/ecil/forms/forms_example.py
@@ -221,7 +221,7 @@ class Meta:
         model = ECILExample
         fields = ["blue", "red", "yellow", "char_choice_field"]
         formfield_callback = gds_forms.GDSFormfieldCallback(
-            conditional_fields=["blue", "green", "red"],
+            conditional_fields=["blue", "red", "yellow"],
             gds_field_kwargs={"char_choice_field": FIELDSET_LABEL_HEADER},
         )
 

diff --git a/web/tests/domains/workbasket/test_views.py b/web/tests/domains/workbasket/test_views.py
@@ -2213,6 +2213,47 @@ def test_access_request_approval_rejected(self):
         exporter_user_expected_rows = {}
         check_expected_rows(self.exporter_client, exporter_user_expected_rows)
 
+    def test_access_request_approval_not_shown_without_manage_permission(self):
+        add_approval_request(self.iar, self.ilb_admin_user)
+        add_approval_request(self.ear, self.ilb_admin_user)
+
+        ar_user_expected_rows = {
+            "ear/1": {"Submitted": {"Access Request": ["View"]}},
+            "iar/1": {"Submitted": {"Access Request": ["View"]}},
+        }
+        check_expected_rows(self.ar_user_client, ar_user_expected_rows)
+
+        ilb_expected_rows = {
+            "ear/1": {"Submitted": {"Access Request\nApproval Requested": ["Manage"]}},
+            "iar/1": {"Submitted": {"Access Request\nApproval Requested": ["Manage"]}},
+        }
+        check_expected_rows(self.ilb_admin_client, ilb_expected_rows)
+
+        san_expected_rows = {
+            "iar/1": {"Submitted": {"Access Request\nApproval Requested": ["Manage"]}},
+        }
+        check_expected_rows(self.san_admin_client, san_expected_rows)
+
+        importer_user_expected_rows = {"iar/1": {"Open": {"Approval Request": ["Take Ownership"]}}}
+        check_expected_rows(self.importer_client, importer_user_expected_rows)
+
+        exporter_user_expected_rows = {
+            "ear/1": {"Open": {"Approval Request": ["Take Ownership"]}},
+        }
+        check_expected_rows(self.exporter_client, exporter_user_expected_rows)
+
+        # Removing the manage permission should remove the approval request from the workbasket
+        remove_perm(
+            Perms.obj.importer.manage_contacts_and_agents, self.importer_user, self.importer
+        )
+        check_expected_rows(self.importer_client, {})
+
+        # Removing the manage permission should remove the approval request from the workbasket
+        remove_perm(
+            Perms.obj.exporter.manage_contacts_and_agents, self.exporter_user, self.exporter
+        )
+        check_expected_rows(self.exporter_client, {})
+
     def test_access_request_complete_approved(self):
         self.iar.status = AccessRequest.Statuses.CLOSED
         self.iar.response = AccessRequest.APPROVED
@@ -2328,11 +2369,14 @@ def _test_exporter_contact_wb(self):
 
 
 def check_expected_rows(
-    client: Client, expected_rows: dict[str, dict[str, dict[str, list[str]]]]
+    client: Client, expected_rows: dict[str, dict[str, dict[str, list[str]]]], debug: bool = False
 ) -> None:
     url = reverse("workbasket")
     response = client.get(url)
 
+    if debug:
+        print(response.context["rows"])
+
     rows: list[WorkbasketRow] = response.context["rows"]
 
     # Check the references match