Merged in r2-3062-shared-with-others-clickthrough (pull request #6997)

dhernandez-quoin · pnabutovsky · commit bb700c512f28 · 2024-12-03T23:24:54.000Z
R2-3062 R2-3103 - Fix inaccurate click-throughs
diff --git a/app/services/permitted_field_service.rb b/app/services/permitted_field_service.rb
@@ -47,6 +47,12 @@ class PermittedFieldService
     consent_for_services disclosure_other_orgs
   ].freeze
 
+  PERMITTED_DASHBOARD_FILTERS = {
+    Permission::DASH_CASE_RISK => %w[risk_level],
+    Permission::DASH_SHARED_WITH_OTHERS => %w[transfer_status],
+    Permission::DASH_SHARED_FROM_MY_TEAM => %w[transfer_status]
+  }.freeze
+
   PERMITTED_FIELDS_FOR_ACTION_SCHEMA = {
     Permission::CLOSE => { 'status' => { 'type' => 'string' }, 'date_closure' => { 'type' => 'date' } },
     Permission::REOPEN => {
@@ -116,7 +122,7 @@ def permitted_field_names(module_unique_id = nil, writeable = false, update = fa
     @permitted_field_names += permitted_overdue_task_field_names
     @permitted_field_names += PERMITTED_RECORD_INFORMATION_FIELDS if user.can?(:read, model_class)
     @permitted_field_names += ID_SEARCH_FIELDS if id_search.present?
-    @permitted_field_names << 'risk_level' if user.can?(:case_risk, Dashboard)
+    @permitted_field_names += permitted_dashboard_filter_field_names
     @permitted_field_names += permitted_reporting_location_field if model_class == Child
     @permitted_field_names += permitted_incident_reporting_location_field if model_class == Incident
     @permitted_field_names += permitted_registry_record_id
@@ -248,5 +254,13 @@ def permitted_attachment_fields
 
     attachment_field_names
   end
+
+  def permitted_dashboard_filter_field_names
+    PERMITTED_DASHBOARD_FILTERS.reduce([]) do |memo, (dashboard, field_names)|
+      next memo unless user.can?(dashboard.to_sym, Dashboard)
+
+      memo + field_names
+    end
+  end
 end
 # rubocop:enable Metrics/ClassLength
diff --git a/spec/services/permitted_field_service_spec.rb b/spec/services/permitted_field_service_spec.rb
@@ -78,6 +78,28 @@
     )
   end
 
+  let(:shared_with_other_dashboard_role) do
+    Role.new_with_properties(
+      name: 'Test Role 2',
+      unique_id: 'test-role-2',
+      group_permission: Permission::SELF,
+      permissions: [
+        Permission.new(resource: Permission::DASHBOARD, actions: [Permission::DASH_SHARED_WITH_OTHERS])
+      ]
+    )
+  end
+
+  let(:shared_from_my_team_dashboard_role) do
+    Role.new_with_properties(
+      name: 'Test Role 3',
+      unique_id: 'test-role-3',
+      group_permission: Permission::SELF,
+      permissions: [
+        Permission.new(resource: Permission::DASHBOARD, actions: [Permission::DASH_SHARED_FROM_MY_TEAM])
+      ]
+    )
+  end
+
   let(:agency) do
     Agency.create!(
       name: 'Test Agency',
@@ -138,6 +160,32 @@
     )
   end
 
+  let(:user_with_shared_with_others) do
+    User.create!(
+      full_name: 'User With Shared With Others',
+      user_name: 'user_with_shared_with_others',
+      password: 'a12345632',
+      password_confirmation: 'a12345632',
+      email: 'user_with_shared_with_others@localhost.com',
+      agency_id: agency.id,
+      role: shared_with_other_dashboard_role,
+      services: ['Test type']
+    )
+  end
+
+  let(:user_with_shared_from_my_team) do
+    User.create!(
+      full_name: 'User With Shared From My Team',
+      user_name: 'user_with_shared_from_my_team',
+      password: 'a12345632',
+      password_confirmation: 'a12345632',
+      email: 'user_with_shared_from_my_team@localhost.com',
+      agency_id: agency.id,
+      role: shared_from_my_team_dashboard_role,
+      services: ['Test type']
+    )
+  end
+
   let(:system_settings) do
     SystemSettings.create(
       default_locale: 'en',
@@ -254,6 +302,18 @@
     expect(permitted_field_names).to include('risk_level')
   end
 
+  it 'returns the transfer_status field permitted for a role with a shared_with_other permission in dashboard' do
+    permitted_field_names = PermittedFieldService.new(user_with_shared_with_others, Child).permitted_field_names
+
+    expect(permitted_field_names).to include('transfer_status')
+  end
+
+  it 'returns the transfer_status field permitted for a role with a shared_from_my_team permission in dashboard' do
+    permitted_field_names = PermittedFieldService.new(user_with_shared_from_my_team, Child).permitted_field_names
+
+    expect(permitted_field_names).to include('transfer_status')
+  end
+
   describe 'MRM - Vioaltions forms and fields' do
     let(:mrm_form) do
       FormSection.create!(unique_id: 'A', name: 'A', parent_form: 'incident', form_group_id: 'm', fields: [mrm_field])
