public async Task OnPostAsync_GivenUserDoesNotHaveCreateSpecificationPermissionForAnyFundingStream_ThenReturnsForbidResult()
{
// Arrange
IEnumerable <Reference> fundingPeriods = new[]
{
new Reference {
Id = "fp1", Name = "Funding Period 1"
},
new Reference {
Id = "fp2", Name = "Funding Period 2"
}
};
IEnumerable <FundingStream> fundingStreams = new[]
{
new FundingStream {
Id = "fp1", Name = "funding"
}
};
IAuthorizationHelper authorizationHelper = Substitute.For <IAuthorizationHelper>();
authorizationHelper
.DoesUserHavePermission(Arg.Any <ClaimsPrincipal>(), Arg.Any <IEnumerable <string> >(), Arg.Is(FundingStreamActionTypes.CanCreateSpecification))
.Returns(false);
IMapper mapper = MappingHelper.CreateFrontEndMapper();
CreateSpecificationViewModel createModel = new CreateSpecificationViewModel
{
Description = "Test spec",
FundingPeriodId = "FY1819",
FundingStreamIds = new List <string> {
"fs1", "fs2"
},
Name = "Test spec"
};
CreateSpecificationPageModel pageModel = CreatePageModel(authorizationHelper: authorizationHelper, mapper: mapper);
pageModel.CreateSpecificationViewModel = createModel;
// Act
IActionResult result = await pageModel.OnPostAsync();
// Assert
result.Should().BeOfType <ForbidResult>();
pageModel
.IsAuthorizedToCreate
.Should().BeFalse();
}
public async Task <IActionResult> CreateSpecification([FromBody] CreateSpecificationViewModel viewModel)
{
if (!ModelState.IsValid)
{
return(new BadRequestObjectResult(ModelState));
}
var fundingStreamIds = new List <string> {
viewModel.FundingStreamId
};
IEnumerable <FundingStreamPermission> fundingStreamPermissions = await _authorizationHelper.GetUserFundingStreamPermissions(User);
bool hasPermissionsOnAllTheseStreams = fundingStreamIds
.All(fundingStreamId => fundingStreamPermissions
.Any(x =>
x.FundingStreamId == fundingStreamId && x.CanCreateSpecification));
if (!hasPermissionsOnAllTheseStreams)
{
return(new ForbidResult());
}
CreateSpecificationModel specification = new CreateSpecificationModel
{
Description = viewModel.Description,
Name = viewModel.Name,
FundingPeriodId = viewModel.FundingPeriodId,
FundingStreamIds = fundingStreamIds,
ProviderVersionId = viewModel.ProviderVersionId,
AssignedTemplateIds = viewModel.AssignedTemplateIds,
ProviderSnapshotId = viewModel.ProviderSnapshotId
};
ValidatedApiResponse <SpecificationSummary> result = await _specificationsApiClient.CreateSpecification(specification);
if (result.IsBadRequest(out BadRequestObjectResult badRequest))
{
return(badRequest);
}
if (result.StatusCode.IsSuccess())
{
return(new OkObjectResult(result.Content));
}
return(new InternalServerErrorResult($"Unable to create specification - result '{result.StatusCode}'"));
}
