diff --git a/app/controllers/hub/clients_controller.rb b/app/controllers/hub/clients_controller.rb
index eac137bcc4..41cd2dbffa 100644
--- a/app/controllers/hub/clients_controller.rb
+++ b/app/controllers/hub/clients_controller.rb
@@ -12,11 +12,8 @@ class ClientsController < Hub::BaseController
before_action :redirect_unless_client_is_hub_status_editable, only: [:edit, :edit_take_action, :update, :update_take_action]
layout "hub"
- MAX_COUNT = 1000
-
def index
@page_title = I18n.t("hub.clients.index.title")
-
@clients = @client_sorter.filtered_and_sorted_clients.page(params[:page]).load
@message_summaries = RecentMessageSummaryService.messages(@clients.map(&:id))
end
@@ -47,7 +44,7 @@ def destroy
end
def edit
- return render "public_pages/page_not_found", status: 404 if @client.intake.is_ctc?
+ raise CanCan::AccessDenied if @client.intake.is_ctc?
@form = UpdateClientForm.from_client(@client)
end
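Review bot: `@client.intake.is_ctc?` raises NoMethodError when the client has no current intake, and this commit makes that case the normal one for archived clients — `Client#archived_intake` in the same diff falls back to `Archived::Intake2021` exactly when `intake` is blank — unless `redirect_unless_client_is_hub_status_editable` stops the request first or `HubClientPresenter` exposes its own `intake` reader, neither of which I can see. Safe navigation keeps the intent: `raise CanCan::AccessDenied if @client.intake&.is_ctc?` here, and `raise CanCan::AccessDenied unless @client.intake&.is_ctc?` in the matching line of app/controllers/hub/ctc_clients_controller.rb, where a missing intake then denies rather than crashes. Both `edit` bodies continue outside their hunks.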
@@ -105,8 +102,6 @@ def update_take_action
end
def unlock
- raise CanCan::AccessDenied unless current_user.admin? || current_user.org_lead? || current_user.site_coordinator?
-
@client.unlock_access! if @client.access_locked?
flash[:notice] = I18n.t("hub.clients.unlock.account_unlocked", name: @client.preferred_name)
redirect_to(hub_client_path(id: @client))
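Review bot: `unlock` now carries no authorization of its own, so it is safe only if the controller's `load_and_authorize_resource` (outside this hunk) authorizes `:unlock` against Ability's new `can :unlock, Client, vita_partner: ..., intake: { product_year: ... }`; the commit does drop `:unlock` from the `hub_client_management` alias, so the broad grant no longer covers it, which is consistent. One consequence worth confirming: the new grant requires a current-year intake, so a locked client with no intake at all — the `@missing_intake` case the presenter still handles — can no longer be unlocked by any role. A one-line pointer above the method would save the next reader a search: `# Authorization for :unlock lives in Ability (admin/org_lead/site_coordinator, current product year only).`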
@@ -297,13 +292,8 @@ def initialize(client)
@client = client
__setobj__(client)
@intake = client.intake
- if @intake.present? && @intake.product_year != Rails.configuration.product_year
- @archived = true
- end
- if @intake.blank?
- @intake = Archived::Intake2021.find_by(client_id: @client.id)
- @archived = true if @intake
- end
+ @archived = client.has_archived_intake?
+ @intake = @archived ? client.archived_intake : client.intake
# For a short while, we created Client records with no intake and/or moved which client the intake belonged to.
if !@intake && @client.created_at < Date.parse('2022-04-15')
@missing_intake = true
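Review bot: `client.has_archived_intake?` followed by `client.archived_intake` evaluates `Client#archived_intake` twice, which for a client without a current intake issues the `Archived::Intake2021.find_by` query twice per presenter construction. Compute it once: `archived = client.archived_intake`, `@archived = archived.present?`, `@intake = archived || client.intake` — equivalent, because `archived_intake` returns nil exactly when the client is not archived. `initialize` begins before and continues after this hunk.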
diff --git a/app/controllers/hub/ctc_clients_controller.rb b/app/controllers/hub/ctc_clients_controller.rb
index e6075e1d4e..48d617a53f 100644
--- a/app/controllers/hub/ctc_clients_controller.rb
+++ b/app/controllers/hub/ctc_clients_controller.rb
@@ -4,7 +4,7 @@ class CtcClientsController < Hub::BaseController
layout "hub"
def edit
- return render "public_pages/page_not_found", status: 404 unless @client.intake.is_ctc?
+ raise CanCan::AccessDenied unless @client.intake.is_ctc?
@is_dropoff = @client.tax_returns.any? { |tax_return| tax_return.service_type == "drop_off" }
@form = UpdateCtcClientForm.from_client(@client)
diff --git a/app/controllers/hub/notes_controller.rb b/app/controllers/hub/notes_controller.rb
index 466d81d1e5..9b4214bae2 100644
--- a/app/controllers/hub/notes_controller.rb
+++ b/app/controllers/hub/notes_controller.rb
@@ -1,7 +1,7 @@
module Hub
class NotesController < Hub::BaseController
load_and_authorize_resource :client
- load_and_authorize_resource through: :client, only: [:create]
+ load_and_authorize_resource through: :client
load_and_authorize_resource :user, parent: false, only: [:index]
layout "hub"
diff --git a/app/controllers/hub/tax_returns/certifications_controller.rb b/app/controllers/hub/tax_returns/certifications_controller.rb
index 16da2599e6..93c5f4d07a 100644
--- a/app/controllers/hub/tax_returns/certifications_controller.rb
+++ b/app/controllers/hub/tax_returns/certifications_controller.rb
@@ -10,6 +10,8 @@ def update
redirect_to next_path || hub_client_path(id: @tax_return.client.id)
end
+ private
+
def tax_return_params
params.permit(:certification_level)
end
diff --git a/app/controllers/hub/tax_returns_controller.rb b/app/controllers/hub/tax_returns_controller.rb
index d3be431c57..43ab71868b 100644
--- a/app/controllers/hub/tax_returns_controller.rb
+++ b/app/controllers/hub/tax_returns_controller.rb
@@ -1,10 +1,8 @@
module Hub
class TaxReturnsController < Hub::BaseController
include TaxReturnAssignableUsers
+ load_and_authorize_resource :client
load_and_authorize_resource except: [:new, :create]
- # on new/create, authorize through client but initialize tax return object
- before_action :load_client, only: [:new, :create]
- authorize_resource :client, parent: false, only: [:new, :create]
before_action :load_assignable_users, except: [:show]
before_action :load_and_authorize_assignee, only: [:update, :create]
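Review bot: For `new`/`create` the only CanCan check left in these macros is the parent load of `:client`, and CanCanCan authorizes a parent resource with `:show` by default, whereas the removed `authorize_resource :client, parent: false, only: [:new, :create]` checked the action itself against the client. Since `can :read, Client, vita_partner: accessible_groups` carries no product-year condition, a read-only grant now clears this hook even for an archived client; the new specs expect 403 there, so presumably the action bodies or `load_and_authorize_assignee` authorize the TaxReturn explicitly — I cannot see either from here. If they do not, `load_and_authorize_resource :client, parent_action: :update` or an explicit `authorize! :create, TaxReturn.new(client: @client)` in `create` restores the stricter check.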
@@ -59,10 +57,6 @@ def update
private
- def load_client
- @client = Client.accessible_to_user(current_user).find(params[:client_id])
- end
-
def load_assignable_users
@client ||= @tax_return.client
@assignable_users = assignable_users(@client, [current_user, @tax_return&.assigned_user].compact)
diff --git a/app/lib/ability.rb b/app/lib/ability.rb
index 56cdf8392a..cc387d7d2f 100644
--- a/app/lib/ability.rb
+++ b/app/lib/ability.rb
@@ -7,13 +7,14 @@ def initialize(user)
return
end
- # Custom actions
- alias_action :flag, :toggle_field, :edit_take_action, :update_take_action,
- :unlock, :edit_13614c_form_page1, :edit_13614c_form_page2,
- :edit_13614c_form_page3, :save_and_maybe_exit,
+ # Custom client controller actions
+ alias_action :flag, :toggle_field,
+ :edit_take_action, :update_take_action,
+ :edit_13614c_form_page1, :edit_13614c_form_page2,
+ :edit_13614c_form_page3, :edit_13614c_form_page4, :edit_13614c_form_page5,
:update_13614c_form_page1, :update_13614c_form_page2,
- :update_13614c_form_page3, :cancel_13614c,
- :resource_to_client_redirect,
+ :update_13614c_form_page3, :update_13614c_form_page4, :update_13614c_form_page5,
+ :cancel_13614c, :save_and_maybe_exit,
to: :hub_client_management
accessible_groups = user.accessible_vita_partners
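Review bot: `:resource_to_client_redirect` is dropped from the `hub_client_management` alias and nothing in this diff grants it directly, so a controller action still named that and guarded by `load_and_authorize_resource` would now be refused for every role. If the action was deleted or is reached without authorization, a sentence in the commit body saying so would settle it; otherwise it needs its own `can` in both the whitelist and greeter branches below. `initialize` continues outside the hunk.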
@@ -44,7 +45,7 @@ def initialize(user)
%w[state_file unfilled state_file_az state_file_ny state_file_md state_file_nc state_file_id].include?(error.service_type)
end
end
- unless user.email.include?("@codeforamerica.org")
+ unless user.email.downcase.include?("@codeforamerica.org")
cannot :manage, :flipper_dashboard
end
return
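Review bot: `include?("@codeforamerica.org")` is a substring test, so any address that merely contains that text — a constructed `someone@codeforamerica.org.example.net`, say — keeps `:manage` on `:flipper_dashboard`; the downcasing added here does not change that. Because this gates feature-flag administration, anchor the check to the domain: `unless user.email.downcase.end_with?("@codeforamerica.org")`. Whether `user.email` can be nil on this path I cannot tell; if it can, `user.email.to_s.downcase` avoids a NoMethodError.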
@@ -76,57 +77,71 @@ def initialize(user)
can :read, Organization, id: accessible_groups.pluck(:id)
can :read, Site, id: accessible_groups.pluck(:id)
- # This was overly permissive. We should work out what the permissions should
- # be for each role and reduce this check. As we need to modify this, please
- # break out the role and specify permissions more granularly
+ # HUB CLIENT CONTROLLER PERMISSIONS
+ # overly permissive, need to narrow permissions
+ # break out role and specify permissions when making modifications
client_role_whitelist = [
:client_success, :admin, :org_lead, :site_coordinator,
:coalition_lead, :state_file_admin, :team_member
].freeze
if user.role?(client_role_whitelist)
- can :manage, Client, vita_partner: accessible_groups
+ can :read, Client, vita_partner: accessible_groups
+
+ can [:create, :update, :hub_client_management],
+ Client, vita_partner: accessible_groups, intake: { product_year: Rails.configuration.product_year }
+ end
+
+ if user.role?([:admin, :org_lead, :site_coordinator])
+ can :unlock, Client, vita_partner: accessible_groups, intake: { product_year: Rails.configuration.product_year }
end
if user.greeter?
- can [:update, :read, :hub_client_management],
- Client,
- tax_returns: {
- current_state: [
- 'intake_ready',
- 'intake_greeter_info_requested',
- 'intake_needs_doc_help',
- ],
- },
- vita_partner: accessible_groups
-
- can [:update, :read, :hub_client_management],
- Client,
- tax_returns: {
- current_state: [
- 'file_not_filing',
- 'file_hold',
- ],
- assigned_user: user,
- },
- vita_partner: accessible_groups
+ general_states = %w[intake_ready intake_greeter_info_requested intake_needs_doc_help]
+ assigned_states = %w[file_not_filing file_hold]
+
+ can :read, Client, tax_returns: { current_state: general_states }, vita_partner: accessible_groups
+ can :read, Client, tax_returns: { current_state: assigned_states, assigned_user: user }, vita_partner: accessible_groups
+
+ can [:update, :hub_client_management], Client,
+ tax_returns: { current_state: general_states },
+ vita_partner: accessible_groups, intake: { product_year: Rails.configuration.product_year }
+
+ can [:update, :hub_client_management], Client,
+ tax_returns: { current_state: assigned_states, assigned_user: user },
+ vita_partner: accessible_groups, intake: { product_year: Rails.configuration.product_year }
end
# Only admins can destroy clients
cannot :destroy, Client unless user.admin?
- can :manage, [
+
+ can [:read], [
+ Note,
Document,
+ TaxReturn
+ ], client: { vita_partner: accessible_groups }
+
+ can [:create, :update, :destroy], [
+ Note,
+ TaxReturn
+ ], client: { vita_partner: accessible_groups, intake: { product_year: Rails.configuration.product_year } }
+
+ can [:create, :update, :destroy, :archived, :confirm],
+ Document, client: { vita_partner: accessible_groups, intake: { product_year: Rails.configuration.product_year } }
+
+ can :manage, [
IncomingEmail,
IncomingTextMessage,
- Note,
OutgoingEmail,
OutgoingTextMessage,
SystemNote,
- TaxReturn,
], client: { vita_partner: accessible_groups }
- can :manage, TaxReturnSelection, tax_returns: { client: { vita_partner: accessible_groups } }
- cannot :manage, TaxReturnSelection, tax_returns: { client: { vita_partner: VitaPartner.where.not(id: accessible_groups) }}
+ can :manage, TaxReturnSelection, tax_returns: { client: { vita_partner: accessible_groups, intake: { product_year: Rails.configuration.product_year } } }
+ cannot :manage, TaxReturnSelection, tax_returns: { client: { vita_partner: VitaPartner.where.not(id: accessible_groups) } }
+ cannot :manage, TaxReturnSelection do |selection|
+ selection.tax_returns.any? { |tax_return| tax_return.client.has_archived_intake? }
+ end
can :manage, EfileSubmission, tax_return: { client: { vita_partner: accessible_groups } }
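Review bot: The block form `cannot :manage, TaxReturnSelection do |selection| ... end` cannot be translated to SQL, so any `TaxReturnSelection.accessible_by(current_ability)` call — including one made implicitly by `load_and_authorize_resource` on a collection action — will raise `CanCan::Error` once this rule exists; I cannot see whether such a call exists, but it is worth grepping before merge. The block also evaluates `tax_return.client.has_archived_intake?` per tax return on every `can?` check, an N+1 plus an `Archived::Intake2021` lookup for each intake-less client; preloading `client: :intake` on `selection.tax_returns` would bound it. Stylistically, `{ product_year: Rails.configuration.product_year }` is spelled out seven times in this hunk; a local such as `current_intake = { product_year: Rails.configuration.product_year }` reused as `intake: current_intake` would put the archived-intake policy in one visible place. `initialize` continues outside the hunk.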
diff --git a/app/models/client.rb b/app/models/client.rb
index 2e8e4dec6e..358d82f1cb 100644
--- a/app/models/client.rb
+++ b/app/models/client.rb
@@ -267,6 +267,18 @@ def online_ctc?
intake.is_ctc? && intake.tax_returns.any? { |tr| tr.service_type == "online_intake" }
end
+ def has_archived_intake?
+ archived_intake.present?
+ end
+
+ def archived_intake
+ if intake.present? && intake.product_year != Rails.configuration.product_year
+ intake
+ elsif intake.blank?
+ Archived::Intake2021.find_by(client_id: self.id)
+ end
+ end
+
def recaptcha_scores_average
return efile_security_informations.last&.recaptcha_score unless recaptcha_scores.present?
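Review bot: Both new methods are undocumented even though the whole authorization change keys off them; a comment above `archived_intake` such as `# The intake that makes this client read-only in the hub: a current Intake from a prior product year, or the 2021 archive row when the client has no Intake at all. Nil when the client is editable.` would state the policy where it is defined. `self.id` is just `id` in Ruby and should be written that way; `has_archived_intake?` also departs from the predicate convention (`archived_intake?`), though renaming now would touch every caller in this diff. An intake whose `product_year` is nil compares unequal and is therefore treated as archived — presumably intended, but worth confirming against the data.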
diff --git a/app/views/devise/invitations/new.html.erb b/app/views/devise/invitations/new.html.erb
index 676abdda8f..6f1569365a 100644
--- a/app/views/devise/invitations/new.html.erb
+++ b/app/views/devise/invitations/new.html.erb
@@ -53,7 +53,7 @@
<%= f.hidden_field(:role, value: params[:role]) %>
- <%= f.submit t(".submit"), class: "button button--primary" %>
+ <%= f.submit t(".submit"), class: "button button--primary spacing-below-25" %>
<%= link_to "Back", :back, class: "button button--secondary" %>
diff --git a/spec/controllers/hub/bulk_actions/base_bulk_actions_controller_spec.rb b/spec/controllers/hub/bulk_actions/base_bulk_actions_controller_spec.rb
index 4e9c80f57a..4b896273fe 100644
--- a/spec/controllers/hub/bulk_actions/base_bulk_actions_controller_spec.rb
+++ b/spec/controllers/hub/bulk_actions/base_bulk_actions_controller_spec.rb
@@ -62,6 +62,16 @@ def edit
end
end
+ context "with a tax return selection connected to an archived intake" do
+ let!(:tax_return_selection) { create :tax_return_selection, tax_returns: [tax_return_1, tax_return_2, tax_return_3] }
+ let(:tax_return_3) { create :tax_return, year: 2021, client: create(:client, intake: build(:intake, product_year: Rails.configuration.product_year - 2)) }
+
+ it "response is forbidden (403)" do
+ get :edit, params: params
+ expect(response).to be_forbidden
+ end
+ end
+
context "with only clients who don't have sufficient contact info" do
let(:intake) { build :intake, email_notification_opt_in: "yes", email_address: nil, sms_notification_opt_in: "yes", sms_phone_number: nil }
diff --git a/spec/controllers/hub/bulk_actions/change_assignee_and_status_controller_spec.rb b/spec/controllers/hub/bulk_actions/change_assignee_and_status_controller_spec.rb
index aec77b3020..999c25fe05 100644
--- a/spec/controllers/hub/bulk_actions/change_assignee_and_status_controller_spec.rb
+++ b/spec/controllers/hub/bulk_actions/change_assignee_and_status_controller_spec.rb
@@ -1,7 +1,7 @@
require 'rails_helper'
RSpec.describe Hub::BulkActions::ChangeAssigneeAndStatusController do
- let(:client) { create :client, vita_partner: site, intake: build(:intake) }
+ let(:client) { create :client, vita_partner: site, intake: build(:intake, product_year: Rails.configuration.product_year) }
let(:site) { create :site }
let(:organization) { create :organization }
@@ -36,6 +36,17 @@
expect(assigns(:assignable_users)).to match_array [team_member, site_coordinator]
expect(assigns(:assignable_users)).not_to include inaccessible_user
end
+
+ context "with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 2)
+ end
+
+ it "response is forbidden (403)" do
+ get :edit, params: params
+ expect(response).to be_forbidden
+ end
+ end
end
context "an unauthorized user" do
@@ -131,6 +142,17 @@
end.not_to have_enqueued_job(BulkActionJob)
end
end
+
+ context "with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 2)
+ end
+
+ it "response is forbidden (403)" do
+ put :update, params: params
+ expect(response).to be_forbidden
+ end
+ end
end
end
end
diff --git a/spec/controllers/hub/bulk_actions/change_organization_controller_spec.rb b/spec/controllers/hub/bulk_actions/change_organization_controller_spec.rb
index 18df46ec7c..0495034453 100644
--- a/spec/controllers/hub/bulk_actions/change_organization_controller_spec.rb
+++ b/spec/controllers/hub/bulk_actions/change_organization_controller_spec.rb
@@ -2,10 +2,10 @@
RSpec.describe Hub::BulkActions::ChangeOrganizationController do
let(:organization) { create :organization }
- let(:client) { create :client, vita_partner: organization }
- let(:tax_return_1) { create :tax_return, client: client, year: 2020 }
- let(:tax_return_2) { create :tax_return, client: client, year: 2019 }
- let(:tax_return_3) { create :tax_return, client: client, year: 2018 }
+ let(:intake){ create :intake, client: create(:client, vita_partner: organization), product_year: Rails.configuration.product_year }
+ let(:tax_return_1) { create :tax_return, client: intake.client, year: 2020 }
+ let(:tax_return_2) { create :tax_return, client: intake.client, year: 2019 }
+ let(:tax_return_3) { create :tax_return, client: intake.client, year: 2018 }
let!(:tax_return_selection) { create :tax_return_selection, tax_returns: [tax_return_1, tax_return_2, tax_return_3] }
let(:user) { create :organization_lead_user, organization: organization }
@@ -29,6 +29,17 @@
expect(assigns(:vita_partners)).to match_array [organization, site, other_site]
end
end
+
+ context "with an archived intake" do
+ before do
+ intake.update(product_year: Rails.configuration.product_year - 2)
+ end
+
+ it "response is forbidden (403)" do
+ get :edit, params: params
+ expect(response).to be_forbidden
+ end
+ end
end
end
@@ -81,6 +92,17 @@
}.not_to have_enqueued_job
end
end
+
+ context "with an archived intake" do
+ before do
+ intake.update(product_year: Rails.configuration.product_year - 2)
+ end
+
+ it "response is forbidden (403)" do
+ put :update, params: params
+ expect(response).to be_forbidden
+ end
+ end
end
end
end
diff --git a/spec/controllers/hub/bulk_actions/send_a_message_controller_spec.rb b/spec/controllers/hub/bulk_actions/send_a_message_controller_spec.rb
index 58cb8e1c96..2de6f78aef 100644
--- a/spec/controllers/hub/bulk_actions/send_a_message_controller_spec.rb
+++ b/spec/controllers/hub/bulk_actions/send_a_message_controller_spec.rb
@@ -2,7 +2,7 @@
RSpec.describe Hub::BulkActions::SendAMessageController do
let(:organization) { create :organization }
- let(:client) { create :client, vita_partner: organization }
+ let(:client) { create :client, vita_partner: organization, intake: build(:intake, product_year: Rails.configuration.product_year) }
let(:tax_return_1) { create :tax_return, client: client, year: 2020 }
let(:tax_return_2) { create :tax_return, client: client, year: 2019 }
let(:tax_return_3) { create :tax_return, client: client, year: 2018 }
@@ -69,6 +69,17 @@
}.not_to have_enqueued_job
end
end
+
+ context "with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 2)
+ end
+
+ it "response is forbidden (403)" do
+ put :update, params: params
+ expect(response).to be_forbidden
+ end
+ end
end
end
end
diff --git a/spec/controllers/hub/clients_controller_spec.rb b/spec/controllers/hub/clients_controller_spec.rb
index cc8a66f551..9718b51496 100644
--- a/spec/controllers/hub/clients_controller_spec.rb
+++ b/spec/controllers/hub/clients_controller_spec.rb
@@ -865,7 +865,8 @@
let(:params) do
{ id: client.id, client: { action: "set" } }
end
- let(:client) { create :client, vita_partner: organization }
+ let(:intake) { create :intake, client: create(:client, vita_partner: organization) }
+ let(:client) { intake.client }
before { sign_in(user) }
it "redirects to hub client path" do
@@ -910,6 +911,19 @@
)
end
end
+
+ context "with a client with an archived intake" do
+ before do
+ client.intake.destroy!
+ create(:intake, client: client, product_year: Rails.configuration.product_year - 1)
+ end
+
+ it "response is forbidden (403)" do
+ patch :flag, params: params
+
+ expect(response).to be_forbidden
+ end
+ end
end
describe "#edit" do
@@ -937,10 +951,10 @@
create(:archived_2021_gyr_intake, client: client)
end
- it "redirects to the /show page for the client" do
+ it "redirects to Access Denied page" do
get :edit, params: params
- expect(response).to redirect_to(hub_client_path(id: client.id))
+ expect(response).to be_forbidden
end
end
end
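Review bot: The example title `it "redirects to Access Denied page"` no longer describes the assertion, which checks `be_forbidden` on a rendered 403 rather than a redirect; the parallel examples in this file use `it "response is forbidden (403)"`, so this one and the later `"redirects to access denied page"` (destroy) and `"redirects to Access Denied page"` (edit_take_action) should share that wording. The unchanged `it "raises bad request"` in the `update_take_action` hunk now also asserts `be_forbidden` and deserves the same rename.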
@@ -1051,10 +1065,10 @@
create(:archived_2021_gyr_intake, client: client)
end
- it "redirects to the /show page for the client" do
+ it "response is forbidden (403)" do
post :update, params: { id: client.id }
- expect(response).to redirect_to(hub_client_path(id: client.id))
+ expect(response).to be_forbidden
end
end
@@ -1153,6 +1167,11 @@
delete :destroy, params: params
end.not_to change(Client, :count)
end
+
+ it "redirects to access denied page" do
+ delete :destroy, params: params
+ expect(response).to be_forbidden
+ end
end
end
@@ -1180,10 +1199,10 @@
create(:archived_2021_gyr_intake, client: client)
end
- it "redirects to the /show page for the client" do
+ it "redirects to Access Denied page" do
get :edit_take_action, params: params
- expect(response).to redirect_to(hub_client_path(id: client.id))
+ expect(response).to be_forbidden
end
end
@@ -1298,13 +1317,11 @@
end
context "when the client is not hub updatable" do
- before do
- allow_any_instance_of(Hub::ClientsController::HubClientPresenter).to receive(:hub_status_updatable).and_return(false)
- end
+ let(:intake) { build :ctc_intake, email_address: "gob@example.com", sms_phone_number: "+14155551212" }
it "raises bad request" do
post :update_take_action, params: params
- expect(response).to redirect_to hub_client_path(id: client.id)
+ expect(response).to be_forbidden
end
end
@@ -1321,6 +1338,19 @@
expect(response).to redirect_to hub_client_path(id: client.id)
end
end
+
+ context "with a client with an archived intake" do
+ before do
+ client.intake.destroy!
+ create(:intake, client: client, product_year: Rails.configuration.product_year - 1)
+ end
+
+ it "response is forbidden (403)" do
+ post :update_take_action, params: params
+
+ expect(response).to be_forbidden
+ end
+ end
end
end
@@ -1382,6 +1412,18 @@
expect(response).to redirect_to(hub_client_path(id: client))
expect(flash[:notice]).to eq "Unlocked #{client.preferred_name}'s account."
end
+
+ context "with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 2)
+ end
+
+ it "response is forbidden (403)" do
+ patch :unlock, params: params
+ expect(client.reload.access_locked?).to eq true
+ expect(response).to be_forbidden
+ end
+ end
end
context "as a organization lead user" do
@@ -1843,6 +1885,18 @@
end
end
end
+
+ context "with a client with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 1)
+ end
+
+ it "response is forbidden (403)" do
+ put :update_13614c_form_page1, params: params
+
+ expect(response).to be_forbidden
+ end
+ end
end
end
@@ -1976,6 +2030,18 @@
client.reload
expect(client.intake.job_count).to eq 3
end
+
+ context "with a client with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 1)
+ end
+
+ it "response is forbidden (403)" do
+ put :update_13614c_form_page2, params: params
+
+ expect(response).to be_forbidden
+ end
+ end
end
end
@@ -2028,6 +2094,18 @@
client.reload
expect(client.intake.tax_credit_disallowed_year).to eq 2001
end
+
+ context "with a client with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 1)
+ end
+
+ it "response is forbidden (403)" do
+ put :update_13614c_form_page3, params: params
+
+ expect(response).to be_forbidden
+ end
+ end
end
end
@@ -2100,6 +2178,18 @@
client.reload
expect(client.intake.demographic_english_conversation).to eq "well"
end
+
+ context "with a client with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 1)
+ end
+
+ it "response is forbidden (403)" do
+ put :update_13614c_form_page4, params: params
+
+ expect(response).to be_forbidden
+ end
+ end
end
end
@@ -2151,6 +2241,171 @@
client.reload
expect(client.intake.additional_notes_comments).to eq 'Call me Ishmael.'
end
+
+ context "with a client with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 1)
+ end
+
+ it "response is forbidden (403)" do
+ put :update_13614c_form_page5, params: params
+
+ expect(response).to be_forbidden
+ end
+ end
+ end
+ end
+ end
+
+ context "editing 13614c" do
+ let(:client) { create :client, vita_partner: organization, intake: intake }
+
+ let(:intake) { build :intake, :with_contact_info, preferred_interview_language: "en", ever_married: "yes", dependents: [build(:dependent), build(:dependent)] }
+ let(:first_dependent) { intake.dependents.first }
+ let(:params) { { id: client } }
+
+ describe "#edit_13614c_form_page1" do
+ it_behaves_like :a_get_action_for_authenticated_users_only, action: :edit_13614c_form_page1
+
+ context "with a signed in user" do
+ let(:user) { create(:user, role: create(:organization_lead_role, organization: organization)) }
+
+ before do
+ sign_in user
+ end
+
+ it "renders edit 13614c page 1" do
+ get :edit_13614c_form_page1, params: params
+ expect(response).to be_ok
+ end
+
+ context "with a client with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 1)
+ end
+
+ it "response is forbidden (403)" do
+ put :update_13614c_form_page1, params: params
+
+ expect(response).to be_forbidden
+ end
+ end
+ end
+ end
+
+ describe "#edit_13614c_form_page2" do
+ it_behaves_like :a_get_action_for_authenticated_users_only, action: :edit_13614c_form_page2
+
+ context "with a signed in user" do
+ let(:user) { create(:user, role: create(:organization_lead_role, organization: organization)) }
+
+ before do
+ sign_in user
+ end
+
+ it "renders edit 13614c page 2" do
+ get :edit_13614c_form_page2, params: params
+ expect(response).to be_ok
+ end
+
+ context "with a client with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 1)
+ end
+
+ it "response is forbidden (403)" do
+ put :update_13614c_form_page2, params: params
+
+ expect(response).to be_forbidden
+ end
+ end
+ end
+ end
+
+ describe "#edit_13614c_form_page3" do
+ it_behaves_like :a_get_action_for_authenticated_users_only, action: :edit_13614c_form_page3
+
+ context "with a signed in user" do
+ let(:user) { create(:user, role: create(:organization_lead_role, organization: organization)) }
+
+ before do
+ sign_in user
+ end
+
+ it "renders edit 13614c page 3" do
+ get :edit_13614c_form_page3, params: params
+ expect(response).to be_ok
+ end
+
+ context "with a client with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 1)
+ end
+
+ it "response is forbidden (403)" do
+ put :update_13614c_form_page3, params: params
+
+ expect(response).to be_forbidden
+ end
+ end
+ end
+ end
+
+ describe "#edit_13614c_form_page4" do
+ it_behaves_like :a_get_action_for_authenticated_users_only, action: :edit_13614c_form_page4
+
+ context "with a signed in user" do
+ let(:user) { create(:user, role: create(:organization_lead_role, organization: organization)) }
+
+ before do
+ sign_in user
+ end
+
+ it "renders edit 13614c page 4" do
+ get :edit_13614c_form_page4, params: params
+ expect(response).to be_ok
+ end
+
+ context "with a client with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 1)
+ end
+
+ it "response is forbidden (403)" do
+ put :update_13614c_form_page4, params: params
+
+ expect(response).to be_forbidden
+ end
+ end
+ end
+ end
+
+ describe "#edit_13614c_form_page5" do
+ it_behaves_like :a_get_action_for_authenticated_users_only, action: :edit_13614c_form_page5
+
+ context "with a signed in user" do
+ let(:user) { create(:user, role: create(:organization_lead_role, organization: organization)) }
+
+ before do
+ sign_in user
+ end
+
+ it "renders edit 13614c page 5" do
+ get :edit_13614c_form_page5, params: params
+ expect(response).to be_ok
+ end
+
+ context "with a client with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 1)
+ end
+
+ it "response is forbidden (403)" do
+ put :update_13614c_form_page5, params: params
+
+ expect(response).to be_forbidden
+ end
+ end
end
end
end
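Review bot: Each `"with a client with an archived intake"` context under the new `#edit_13614c_form_pageN` describes issues `put :update_13614c_form_pageN`, so the `edit` actions are never exercised against an archived intake and these five examples only duplicate the update cases added earlier in the file. They should call `get :edit_13614c_form_pageN, params: params` for the page they sit under. The five identical `let(:user)` definitions could be hoisted to the `"editing 13614c"` context.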
@@ -2196,7 +2451,6 @@
create(:client, **good_client_params)
get :index
- # puts Client.where(filterable_product_year: 2024).first
expect(assigns(:clients)).not_to be_empty
end
@@ -2262,7 +2516,6 @@
create(:client, **good_client_params)
get :index
- # puts Client.where(filterable_product_year: 2024).first
expect(assigns(:clients)).to be_empty
end
@@ -2330,7 +2583,6 @@
create(:client, **good_client_params)
get :index
- # puts Client.where(filterable_product_year: 2024).first
expect(assigns(:clients)).to be_empty
end
@@ -2396,7 +2648,6 @@
create(:client, **good_client_params)
get :index
- # puts Client.where(filterable_product_year: 2024).first
expect(assigns(:clients)).to be_empty
end
@@ -2462,7 +2713,6 @@
create(:client, **good_client_params)
get :index
- # puts Client.where(filterable_product_year: 2024).first
expect(assigns(:clients)).not_to be_empty
end
diff --git a/spec/controllers/hub/ctc_clients_controller_spec.rb b/spec/controllers/hub/ctc_clients_controller_spec.rb
index 671adaed42..21c6d3c6ab 100644
--- a/spec/controllers/hub/ctc_clients_controller_spec.rb
+++ b/spec/controllers/hub/ctc_clients_controller_spec.rb
@@ -5,7 +5,7 @@
let(:user) { create(:user, role: create(:organization_lead_role, organization: organization), timezone: "America/Los_Angeles") }
describe "#edit" do
- let(:client) { create :client, :with_ctc_return, intake: (build :ctc_intake), vita_partner: organization }
+ let(:client) { create :client, :with_ctc_return, intake: (build :ctc_intake, product_year: Rails.configuration.product_year), vita_partner: organization }
let(:params) {
{ id: client.id }
}
@@ -21,13 +21,22 @@
expect(response).to be_ok
expect(assigns(:form)).to be_an_instance_of Hub::UpdateCtcClientForm
end
+
+ context "with an archived intake" do
+ let(:client) { create :client, :with_ctc_return, intake: (build :ctc_intake), vita_partner: organization }
+
+ it "response is forbidden (403)" do
+ get :edit, params: params
+ expect(response).to be_forbidden
+ end
+ end
end
end
describe "#update" do
let!(:client) { create :client, :with_ctc_return, intake: intake, vita_partner: organization }
- let(:intake) { build :ctc_intake, :filled_out_ctc, :with_contact_info, :with_ssns, :with_dependents, email_address: "cher@example.com", primary_last_name: "Cherimoya" }
+ let(:intake) { build :ctc_intake, :filled_out_ctc, :with_contact_info, :with_ssns, :with_dependents, email_address: "cher@example.com", primary_last_name: "Cherimoya", product_year: Rails.configuration.product_year }
let(:first_dependent) { intake.dependents.first }
let!(:params) do
{
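Review bot: The `"with an archived intake"` context builds `build :ctc_intake` with no `product_year`, so the 403 expectation depends on the factory default being a non-current year — an implicit coupling that fails silently if that default is ever set to `Rails.configuration.product_year`. State it: `build :ctc_intake, product_year: Rails.configuration.product_year - 1`; the same applies to the `#update` archived context later in this file.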
@@ -121,7 +130,7 @@
"spouse_last_four_ssn" => ["[REDACTED]", "[REDACTED]"],
"primary_last_four_ssn" => ["[REDACTED]", "[REDACTED]"],
"preferred_interview_language" => ["en", nil],
- })
+ })
end
context "when the client's email address has changed" do
@@ -214,6 +223,15 @@
expect(flash[:alert]).to eq "Please fix indicated errors before continuing."
end
end
+
+ context "with an archived intake" do
+ let(:client) { create :client, :with_ctc_return, intake: (build :ctc_intake), vita_partner: organization }
+
+ it "response is forbidden (403)" do
+ post :update, params: params
+ expect(response).to be_forbidden
+ end
+ end
end
end
end
diff --git a/spec/controllers/hub/tax_returns/certifications_controller_spec.rb b/spec/controllers/hub/tax_returns/certifications_controller_spec.rb
index 8b0698d415..45da41f0a4 100644
--- a/spec/controllers/hub/tax_returns/certifications_controller_spec.rb
+++ b/spec/controllers/hub/tax_returns/certifications_controller_spec.rb
@@ -1,9 +1,13 @@
require 'rails_helper'
RSpec.describe Hub::TaxReturns::CertificationsController do
+ let(:user) { create :organization_lead_user }
+ let!(:unauthorized_org_lead) { create :organization_lead_user }
+ let(:intake){ create :intake, product_year: product_year, client: create(:client, :with_gyr_return, vita_partner: user.role.organization)}
+ let(:product_year) { Rails.configuration.product_year }
+ let(:tax_return) { intake.client.tax_returns.first }
+
describe "#update" do
- let(:user) { create :organization_lead_user }
- let(:tax_return) { create :gyr_tax_return, client: (create :client, vita_partner: user.role.organization) }
let(:next_path) { "/next/path" }
let(:params) { { id: tax_return.id, certification_level: "foreign_student", next: next_path } }
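Review bot: `let!(:unauthorized_org_lead)` is eager, so every example in the file now creates a second organization lead (and its organization) although only the `"with an unauthorized user"` context reads it; a lazy `let` suffices, since `sign_in unauthorized_org_lead` forces creation where needed. Minor spacing: `let(:intake){ create ... organization)}` wants a space before `{` and before the closing `}`, and the same `let(:intake){` appears in change_organization_controller_spec.rb.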
@@ -20,6 +24,7 @@
tax_return.reload
}.to change(tax_return, :certification_level).to('foreign_student')
end
+
context "redirecting on success" do
context "with next param" do
it "redirects to referring path without params" do
@@ -45,6 +50,25 @@
end
end
end
+
+ context "with an archived intake" do
+ let(:product_year) { Rails.configuration.product_year - 1 }
+ it "response is forbidden (403)" do
+ patch :update, params: params
+ expect(response).to be_forbidden
+ end
+ end
+ end
+
+ context "with an unauthorized user" do
+ before do
+ sign_in unauthorized_org_lead
+ end
+
+ it "is not allowed to access the page" do
+ patch :update, params: params
+ expect(response).to be_forbidden
+ end
end
end
end
diff --git a/spec/controllers/hub/tax_returns_controller_spec.rb b/spec/controllers/hub/tax_returns_controller_spec.rb
index f8014fe3ec..6019e184b0 100644
--- a/spec/controllers/hub/tax_returns_controller_spec.rb
+++ b/spec/controllers/hub/tax_returns_controller_spec.rb
@@ -43,9 +43,8 @@
end
it "is not allowed to access the page" do
- expect do
- get :new, params: params
- end.to raise_error(ActiveRecord::RecordNotFound)
+ get :new, params: params
+ expect(response).to be_forbidden
end
end
@@ -63,6 +62,19 @@
expect(assigns(:form).tax_return_years).to eq [2018]
expect(assigns(:form).remaining_years).to eq(MultiTenantService.gyr.filing_years(fake_time) - [2018])
end
+
+ context "with an archived intake" do
+ let(:user) { team_member }
+
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 2)
+ end
+
+ it "response is forbidden (403)" do
+ get :new, params: params
+ expect(response).to be_forbidden
+ end
+ end
end
end
@@ -158,6 +170,30 @@
expect(response).to be_forbidden
end
end
+
+ context "with an archived intake" do
+ let(:user) { team_member }
+
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 2)
+ end
+
+ it "response is forbidden (403)" do
+ post :create, params: params
+ expect(response).to be_forbidden
+ end
+ end
+ end
+
+ context "an unauthorized user" do
+ before do
+ sign_in unauthorized_team_member
+ end
+
+ it "is not allowed to access the page" do
+ post :create, params: params
+ expect(response).to be_forbidden
+ end
end
end
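Review bot: The two new `post :create` denials only check the status code, so they would still pass if a tax return were created before the authorization failure surfaced. Assert the side effect as well, e.g. `expect { post :create, params: params }.not_to change(TaxReturn, :count)` in both the archived-intake and unauthorized-user contexts. As elsewhere in this file, `update!` is safer than `update` for the setup that archives the intake.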
@@ -216,6 +252,28 @@
expect(assigns(:assignable_users)).not_to include suspended_user
end
end
+
+ context "with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 2)
+ end
+
+ it "response is forbidden (403)" do
+ get :edit, params: params
+ expect(response).to be_forbidden
+ end
+ end
+ end
+
+ context "an unauthorized user" do
+ before do
+ sign_in unauthorized_team_member
+ end
+
+ it "is not allowed to access the page" do
+ get :edit, params: params
+ expect(response).to be_forbidden
+ end
end
end
@@ -328,6 +386,28 @@
expect(response).to be_forbidden
end
end
+
+ context "with an archived intake" do
+ before do
+ client.intake.update(product_year: Rails.configuration.product_year - 2)
+ end
+
+ it "response is forbidden (403)" do
+ put :update, params: params
+ expect(response).to be_forbidden
+ end
+ end
+ end
+
+ context "an unauthorized user" do
+ before do
+ sign_in unauthorized_team_member
+ end
+
+ it "is not allowed to access the page" do
+ put :update, params: params
+ expect(response).to be_forbidden
+ end
end
end
end
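Review bot: The `put :update` denials for an archived intake and an unauthorized user assert only `be_forbidden`; to prove the write is actually blocked, also assert the tax return is untouched, e.g. `expect { put :update, params: params }.not_to change { client.tax_returns.first.reload.attributes }` (or the specific attribute `params` would change, which is defined outside this hunk). The enclosing `describe "#update"` starts outside the visible lines.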
diff --git a/spec/lib/ability_spec.rb b/spec/lib/ability_spec.rb
index 31927aa2ca..f0e16c627a 100644
--- a/spec/lib/ability_spec.rb
+++ b/spec/lib/ability_spec.rb
@@ -195,7 +195,8 @@
preferred_name: "George Sr.",
needs_help_2019: "yes",
needs_help_2018: "yes",
- preferred_interview_language: "en", locale: "en"
+ preferred_interview_language: "en", locale: "en",
+ product_year: Rails.configuration.product_year
),
tax_returns: [
build(
@@ -216,14 +217,65 @@
it "can access all data for the client" do
expect(subject.can?(:read, accessible_client)).to eq true
expect(subject.can?(:update, accessible_client)).to eq true
- expect(subject.can?(:manage, Document.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, IncomingEmail.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, IncomingTextMessage.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, Note.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, OutgoingEmail.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, OutgoingTextMessage.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, SystemNote.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, TaxReturn.new(client: accessible_client))).to eq true
+ expect(subject.can?(:edit, accessible_client)).to eq true
+ expect(subject.can?(:flag, accessible_client)).to eq true
+ expect(subject.can?(:toggle_field, accessible_client)).to eq true
+ expect(subject.can?(:edit_take_action, accessible_client)).to eq true
+ expect(subject.can?(:update_take_action, accessible_client)).to eq true
+ expect(subject.can?(:save_and_maybe_exit, accessible_client)).to eq true
+
+ expect(subject.can?(:edit_13614c_form_page1, accessible_client)).to eq true
+ expect(subject.can?(:edit_13614c_form_page2, accessible_client)).to eq true
+ expect(subject.can?(:edit_13614c_form_page3, accessible_client)).to eq true
+ expect(subject.can?(:edit_13614c_form_page4, accessible_client)).to eq true
+ expect(subject.can?(:edit_13614c_form_page5, accessible_client)).to eq true
+ expect(subject.can?(:update_13614c_form_page1, accessible_client)).to eq true
+ expect(subject.can?(:update_13614c_form_page2, accessible_client)).to eq true
+ expect(subject.can?(:update_13614c_form_page3, accessible_client)).to eq true
+ expect(subject.can?(:update_13614c_form_page4, accessible_client)).to eq true
+ expect(subject.can?(:update_13614c_form_page5, accessible_client)).to eq true
+ expect(subject.can?(:cancel_13614c, accessible_client)).to eq true
+
+ expect(subject.can?(:read, Document.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, Document.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, Document.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, Document.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, IncomingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, IncomingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, IncomingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, IncomingEmail.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, IncomingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, IncomingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, IncomingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, IncomingTextMessage.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, Note.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, Note.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, Note.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, Note.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, OutgoingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, OutgoingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, OutgoingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, OutgoingEmail.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, OutgoingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, OutgoingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, OutgoingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, OutgoingTextMessage.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, SystemNote.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, SystemNote.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, SystemNote.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, SystemNote.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, TaxReturn.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, TaxReturn.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, TaxReturn.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, TaxReturn.new(client: accessible_client))).to eq true
+
expect(subject.can?(:manage, TaxReturnSelection.create!(tax_returns: [build(:gyr_tax_return, client: accessible_client)]))).to eq true
end
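Review bot: Expanding `:manage` into explicit read/create/update/destroy expectations is a good move, but this example has no expectation for `:unlock` while the sibling example later in the file asserts `subject.can?(:unlock, accessible_client)` for its role, so the unlock permission for this role (the role is set outside this hunk) is now untested even though `unlock` was just moved from an inline controller check to the ability. Add `expect(subject.can?(:unlock, accessible_client)).to eq true` or `false` as the role requires. Splitting `:manage` also means any future ability action not in this list is silently uncovered, which is worth a short comment above the block.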
@@ -268,14 +320,66 @@
it "can access all data for the client" do
expect(subject.can?(:read, accessible_client)).to eq true
expect(subject.can?(:update, accessible_client)).to eq true
- expect(subject.can?(:manage, Document.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, IncomingEmail.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, IncomingTextMessage.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, Note.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, OutgoingEmail.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, OutgoingTextMessage.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, SystemNote.new(client: accessible_client))).to eq true
- expect(subject.can?(:manage, TaxReturn.new(client: accessible_client))).to eq true
+ expect(subject.can?(:edit, accessible_client)).to eq true
+ expect(subject.can?(:flag, accessible_client)).to eq true
+ expect(subject.can?(:toggle_field, accessible_client)).to eq true
+ expect(subject.can?(:edit_take_action, accessible_client)).to eq true
+ expect(subject.can?(:update_take_action, accessible_client)).to eq true
+ expect(subject.can?(:unlock, accessible_client)).to eq false
+ expect(subject.can?(:save_and_maybe_exit, accessible_client)).to eq true
+
+ expect(subject.can?(:edit_13614c_form_page1, accessible_client)).to eq true
+ expect(subject.can?(:edit_13614c_form_page2, accessible_client)).to eq true
+ expect(subject.can?(:edit_13614c_form_page3, accessible_client)).to eq true
+ expect(subject.can?(:edit_13614c_form_page4, accessible_client)).to eq true
+ expect(subject.can?(:edit_13614c_form_page5, accessible_client)).to eq true
+ expect(subject.can?(:update_13614c_form_page1, accessible_client)).to eq true
+ expect(subject.can?(:update_13614c_form_page2, accessible_client)).to eq true
+ expect(subject.can?(:update_13614c_form_page3, accessible_client)).to eq true
+ expect(subject.can?(:update_13614c_form_page4, accessible_client)).to eq true
+ expect(subject.can?(:update_13614c_form_page5, accessible_client)).to eq true
+ expect(subject.can?(:cancel_13614c, accessible_client)).to eq true
+
+ expect(subject.can?(:read, Document.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, Document.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, Document.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, Document.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, IncomingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, IncomingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, IncomingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, IncomingEmail.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, IncomingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, IncomingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, IncomingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, IncomingTextMessage.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, Note.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, Note.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, Note.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, Note.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, OutgoingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, OutgoingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, OutgoingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, OutgoingEmail.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, OutgoingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, OutgoingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, OutgoingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, OutgoingTextMessage.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, SystemNote.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, SystemNote.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, SystemNote.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, SystemNote.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, TaxReturn.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, TaxReturn.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, TaxReturn.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, TaxReturn.new(client: accessible_client))).to eq true
+
expect(subject.can?(:manage, TaxReturnSelection.create!(tax_returns: [build(:gyr_tax_return, client: accessible_client)]))).to eq true
end
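Review bot: The example is still titled "can access all data for the client" but now contains `expect(subject.can?(:unlock, accessible_client)).to eq false`, so the name contradicts one of its own assertions; rename it, e.g. `it "can read and update the client but not unlock it"`, or move the unlock expectation into its own example so a failure reads clearly. The block is otherwise a near-duplicate of the previous shared example, and a loop over `%i[read create update destroy]` and the model list would keep the two in sync.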
@@ -310,6 +414,113 @@
end
end
+ shared_examples :can_read_but_not_update_accessible_client_with_archived_intake do
+ context "when the user can access a particular site" do
+ let(:accessible_site) { create(:site) }
+ let(:accessible_client) do
+ create(
+ :client,
+ vita_partner: accessible_site,
+ intake: build(
+ :intake,
+ :filled_out,
+ preferred_name: "George Sr.",
+ needs_help_2019: "yes",
+ needs_help_2018: "yes",
+ preferred_interview_language: "en", locale: "en",
+ product_year: Rails.configuration.product_year - 2
+ ),
+ tax_returns: [
+ build(
+ :tax_return,
+ :intake_ready,
+ year: 2019,
+ service_type: "drop_off",
+ filing_status: nil
+ ),
+ ]
+ )
+ end
+
+ before do
+ allow(user).to receive(:accessible_vita_partners).and_return(VitaPartner.where(id: accessible_site))
+ end
+
+ it "can access all data for the client" do
+ expect(subject.can?(:read, accessible_client)).to eq true
+ expect(subject.can?(:update, accessible_client)).to eq false
+ expect(subject.can?(:edit, accessible_client)).to eq false
+
+ expect(subject.can?(:flag, accessible_client)).to eq false
+ expect(subject.can?(:toggle_field, accessible_client)).to eq false
+ expect(subject.can?(:unlock, accessible_client)).to eq false
+
+ expect(subject.can?(:edit_take_action, accessible_client)).to eq false
+ expect(subject.can?(:update_take_action, accessible_client)).to eq false
+
+
+ expect(subject.can?(:edit_13614c_form_page1, accessible_client)).to eq false
+ expect(subject.can?(:edit_13614c_form_page2, accessible_client)).to eq false
+ expect(subject.can?(:edit_13614c_form_page3, accessible_client)).to eq false
+ expect(subject.can?(:edit_13614c_form_page4, accessible_client)).to eq false
+ expect(subject.can?(:edit_13614c_form_page5, accessible_client)).to eq false
+ expect(subject.can?(:update_13614c_form_page1, accessible_client)).to eq false
+ expect(subject.can?(:update_13614c_form_page2, accessible_client)).to eq false
+ expect(subject.can?(:update_13614c_form_page3, accessible_client)).to eq false
+ expect(subject.can?(:update_13614c_form_page4, accessible_client)).to eq false
+ expect(subject.can?(:update_13614c_form_page5, accessible_client)).to eq false
+ expect(subject.can?(:save_and_maybe_exit, accessible_client)).to eq false
+ expect(subject.can?(:cancel_13614c, accessible_client)).to eq false
+
+ expect(subject.can?(:read, Document.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, Document.new(client: accessible_client))).to eq false
+ expect(subject.can?(:update, Document.new(client: accessible_client))).to eq false
+ expect(subject.can?(:destroy, Document.new(client: accessible_client))).to eq false
+
+ expect(subject.can?(:read, IncomingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, IncomingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, IncomingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, IncomingEmail.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, IncomingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, IncomingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, IncomingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, IncomingTextMessage.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, Note.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, Note.new(client: accessible_client))).to eq false
+ expect(subject.can?(:update, Note.new(client: accessible_client))).to eq false
+ expect(subject.can?(:destroy, Note.new(client: accessible_client))).to eq false
+
+ expect(subject.can?(:read, OutgoingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, OutgoingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, OutgoingEmail.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, OutgoingEmail.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, OutgoingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, OutgoingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, OutgoingTextMessage.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, OutgoingTextMessage.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, SystemNote.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, SystemNote.new(client: accessible_client))).to eq true
+ expect(subject.can?(:update, SystemNote.new(client: accessible_client))).to eq true
+ expect(subject.can?(:destroy, SystemNote.new(client: accessible_client))).to eq true
+
+ expect(subject.can?(:read, TaxReturn.new(client: accessible_client))).to eq true
+ expect(subject.can?(:create, TaxReturn.new(client: accessible_client))).to eq false
+ expect(subject.can?(:update, TaxReturn.new(client: accessible_client))).to eq false
+ expect(subject.can?(:destroy, TaxReturn.new(client: accessible_client))).to eq false
+
+ expect(subject.can?(:manage, TaxReturnSelection.create!(tax_returns: [build(:gyr_tax_return, client: accessible_client)]))).to eq false
+ end
+
+ it "cannot delete a client" do
+ expect(subject.can?(:destroy, accessible_client)).to eq false
+ end
+ end
+ end
+
context "users with valid non-admin roles" do
context "a coalition lead" do
let(:user) { create :coalition_lead_user }
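Review bot: In the new `:can_read_but_not_update_accessible_client_with_archived_intake` shared example the single `it` is named "can access all data for the client" while almost every expectation in it is `false`; name it for what it checks, e.g. `it "can read but not modify the client or its tax returns"`, so a regression that grants write access to an archived client fails with a meaningful description. The example also asserts `create`/`update`/`destroy` are allowed on IncomingEmail, IncomingTextMessage, OutgoingEmail, OutgoingTextMessage and SystemNote but denied on Note and Document for the same archived client; if that asymmetry is intended it deserves a one-line comment, since it looks like an oversight otherwise. The double blank line before the 13614c expectations can be collapsed.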
@@ -345,6 +556,7 @@
it_behaves_like :cannot_manage_inaccessible_client
it_behaves_like :can_only_read_accessible_org_or_site
it_behaves_like :cannot_manage_any_sites_or_orgs
+ it_behaves_like :can_read_but_not_update_accessible_client_with_archived_intake
end
context "a greeter" do
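Review bot: The archived-intake read-only shared example is attached to only one role here, so the "read but not update" boundary is asserted for that role alone; unless it is added for the other roles elsewhere in this diff, an ability rule that lets, say, an organization lead or site coordinator edit an archived client would go unnoticed. Add `it_behaves_like :can_read_but_not_update_accessible_client_with_archived_intake` to each role context that also uses `:can_manage_accessible_client`-style examples, and an opposite example for admin if admins are meant to retain write access. The enclosing role context starts outside this hunk.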
diff --git a/spec/models/client_spec.rb b/spec/models/client_spec.rb
index ce8685ffb6..15ead06d51 100644
--- a/spec/models/client_spec.rb
+++ b/spec/models/client_spec.rb
@@ -708,6 +708,80 @@
end
end
+ describe "#has_archived_intake?" do
+ context "intake is blank" do
+ let(:client) { create :client, intake: nil }
+
+ context "there is an Archived::Intake2021 with a matching client id" do
+ let!(:archived_2021_intake) { create :archived_2021_gyr_intake, client: client }
+ it "returns true" do
+ expect(client.has_archived_intake?).to eq(true)
+ end
+ end
+
+ context "there is no matching archived intake" do
+ it "returns false" do
+ expect(client.has_archived_intake?).to eq(false)
+ end
+ end
+ end
+
+ context "intake is present" do
+ let(:intake) { create :intake, product_year: product_year }
+ let(:product_year) { Rails.configuration.product_year }
+
+ context "product year matches current product year" do
+ it "returns false" do
+ expect(intake.client.has_archived_intake?).to eq(false)
+ end
+ end
+
+ context "product year doesn't match current product year" do
+ let(:product_year) { (Rails.configuration.product_year.to_i - 1) }
+ it "returns true" do
+ expect(intake.client.has_archived_intake?).to eq(true)
+ end
+ end
+ end
+ end
+
+ describe "#archived_intake" do
+ context "intake is blank" do
+ let(:client) { create :client, intake: nil }
+
+ context "there is an Archived::Intake2021 with a matching client id" do
+ let!(:archived_2021_intake) { create :archived_2021_gyr_intake, client: client }
+ it "returns archived 2021 intake" do
+ expect(client.archived_intake).to eq(archived_2021_intake)
+ end
+ end
+
+ context "there is no matching archived intake" do
+ it "returns nil" do
+ expect(client.archived_intake).to eq(nil)
+ end
+ end
+ end
+
+ context "intake is present" do
+ let(:intake) { create :intake, product_year: product_year }
+ let(:product_year) { Rails.configuration.product_year }
+
+ context "product year matches current product year" do
+ it "returns nil" do
+ expect(intake.client.archived_intake).to eq(nil)
+ end
+ end
+
+ context "product year doesn't match current product year" do
+ let(:product_year) { (Rails.configuration.product_year.to_i - 1) }
+ it "returns intake with past product year" do
+ expect(intake.client.archived_intake).to eq(intake)
+ end
+ end
+ end
+ end
+
describe "#request_doc_help" do
let(:client) { create :client, intake: (build :intake) }
let(:assigned_user_a) { create :user }
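Review bot: These examples build the mismatching product year as `Rails.configuration.product_year.to_i - 1` while the controller specs in this diff use `Rails.configuration.product_year - 1`, which suggests uncertainty about whether the setting is a String or an Integer; if it is a String and the model compares with `!=`, every intake would count as archived and lose write access, so add one example that stores the current year as a string, e.g. `let(:product_year) { Rails.configuration.product_year.to_s }`, and expects `has_archived_intake?` to be false (or normalise in the model). There is also no case where an intake is present and an `Archived::Intake2021` row exists for the same client, so which record `archived_intake` prefers is unspecified. The trailing `describe "#request_doc_help"` continues outside this hunk.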