public async Task OnPostAsync_GivenUserDoesNotHaveCreateSpecificationPermissionForAnyFundingStream_ThenReturnsForbidResult() { // Arrange IEnumerable <Reference> fundingPeriods = new[] { new Reference { Id = "fp1", Name = "Funding Period 1" }, new Reference { Id = "fp2", Name = "Funding Period 2" } }; IEnumerable <FundingStream> fundingStreams = new[] { new FundingStream { Id = "fp1", Name = "funding" } }; IAuthorizationHelper authorizationHelper = Substitute.For <IAuthorizationHelper>(); authorizationHelper .DoesUserHavePermission(Arg.Any <ClaimsPrincipal>(), Arg.Any <IEnumerable <string> >(), Arg.Is(FundingStreamActionTypes.CanCreateSpecification)) .Returns(false); IMapper mapper = MappingHelper.CreateFrontEndMapper(); CreateSpecificationViewModel createModel = new CreateSpecificationViewModel { Description = "Test spec", FundingPeriodId = "FY1819", FundingStreamIds = new List <string> { "fs1", "fs2" }, Name = "Test spec" }; CreateSpecificationPageModel pageModel = CreatePageModel(authorizationHelper: authorizationHelper, mapper: mapper); pageModel.CreateSpecificationViewModel = createModel; // Act IActionResult result = await pageModel.OnPostAsync(); // Assert result.Should().BeOfType <ForbidResult>(); pageModel .IsAuthorizedToCreate .Should().BeFalse(); }
public async Task <IActionResult> CreateSpecification([FromBody] CreateSpecificationViewModel viewModel) { if (!ModelState.IsValid) { return(new BadRequestObjectResult(ModelState)); } var fundingStreamIds = new List <string> { viewModel.FundingStreamId }; IEnumerable <FundingStreamPermission> fundingStreamPermissions = await _authorizationHelper.GetUserFundingStreamPermissions(User); bool hasPermissionsOnAllTheseStreams = fundingStreamIds .All(fundingStreamId => fundingStreamPermissions .Any(x => x.FundingStreamId == fundingStreamId && x.CanCreateSpecification)); if (!hasPermissionsOnAllTheseStreams) { return(new ForbidResult()); } CreateSpecificationModel specification = new CreateSpecificationModel { Description = viewModel.Description, Name = viewModel.Name, FundingPeriodId = viewModel.FundingPeriodId, FundingStreamIds = fundingStreamIds, ProviderVersionId = viewModel.ProviderVersionId, AssignedTemplateIds = viewModel.AssignedTemplateIds, ProviderSnapshotId = viewModel.ProviderSnapshotId }; ValidatedApiResponse <SpecificationSummary> result = await _specificationsApiClient.CreateSpecification(specification); if (result.IsBadRequest(out BadRequestObjectResult badRequest)) { return(badRequest); } if (result.StatusCode.IsSuccess()) { return(new OkObjectResult(result.Content)); } return(new InternalServerErrorResult($"Unable to create specification - result '{result.StatusCode}'")); }