feat: VOL-4718 permission service prevents last operator admin being …

…deleted (#182)
dvsa · Nov 19, 2024 · 0e98b2a · 0e98b2a
1 parent d47ff9c
commit 0e98b2a
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 8 deletions.
diff --git a/Common/src/Common/Rbac/Service/Permission.php b/Common/src/Common/Rbac/Service/Permission.php
@@ -46,8 +46,21 @@ public function canManageSelfserveUsers(): bool
         return $this->authService->isGranted(RefData::PERMISSION_CAN_MANAGE_USER_SELFSERVE);
     }
 
-    public function canRemoveSelfserveUser(string $userId): bool
+    /**
+     * $role, is the role of the user being deleted, as opposed to the role of the user doing the deleting
+     */
+    public function canRemoveSelfserveUser(string $userId, string $role): bool
     {
+        /**
+         * we have to check the auth service to see if operator admins can be deleted,
+         * since this needs calculating at an organisation level
+         *
+         * what we're preventing here is the last operator admin being deleted
+         */
+        if ($role === RefData::ROLE_OPERATOR_ADMIN && !$this->authService->getIdentity()->getUserData()['canDeleteOperatorAdmin']) {
+            return false;
+        }
+
         return $this->canManageSelfserveUsers() && !$this->isSelf($userId);
     }
 }
diff --git a/test/Common/src/Common/Rbac/Service/PermissionTest.php b/test/Common/src/Common/Rbac/Service/PermissionTest.php
@@ -75,27 +75,46 @@ public function testCanManageSelfserveUsers(): void
 
     public function testCanRemoveSelfserveUserWhenNotSelfserveUser(): void
     {
+        $user = $this->getUser('userId1');
         $this->authService->expects('isGranted')->with(RefData::PERMISSION_CAN_MANAGE_USER_SELFSERVE)->andReturnFalse();
-        $this->assertFalse($this->sut->canRemoveSelfserveUser('userId'));
+        $this->authService->expects('getIdentity')->withNoArgs()->andReturn($user);
+        $this->assertFalse($this->sut->canRemoveSelfserveUser('userId2', RefData::ROLE_OPERATOR_ADMIN));
+    }
+
+    public function testCanRemoveSelfserveUserWhenUsingBeingDeletedNotOperatorAdmin(): void
+    {
+        $user = $this->getUser('userId1');
+        $this->authService->expects('isGranted')->with(RefData::PERMISSION_CAN_MANAGE_USER_SELFSERVE)->andReturnTrue();
+        $this->authService->expects('getIdentity')->withNoArgs()->andReturn($user);
+        $this->assertTrue($this->sut->canRemoveSelfserveUser('userId2', RefData::ROLE_OPERATOR_TC));
     }
 
     public function testCanRemoveSelfserveUserWhenUserIsSelf(): void
     {
         $userId = 'userId1';
         $user = $this->getUser($userId);
         $this->authService->expects('isGranted')->with(RefData::PERMISSION_CAN_MANAGE_USER_SELFSERVE)->andReturnTrue();
-        $this->authService->expects('getIdentity')->andReturn($user);
+        $this->authService->expects('getIdentity')->twice()->withNoArgs()->andReturn($user);
 
-        $this->assertFalse($this->sut->canRemoveSelfserveUser($userId));
+        $this->assertFalse($this->sut->canRemoveSelfserveUser($userId, RefData::ROLE_OPERATOR_ADMIN));
     }
 
     public function testCanRemoveSelfserveUserWhenNotSelf(): void
     {
         $user = $this->getUser('userId1');
         $this->authService->expects('isGranted')->with(RefData::PERMISSION_CAN_MANAGE_USER_SELFSERVE)->andReturnTrue();
-        $this->authService->expects('getIdentity')->andReturn($user);
+        $this->authService->expects('getIdentity')->twice()->withNoArgs()->andReturn($user);
 
-        $this->assertTrue($this->sut->canRemoveSelfserveUser('userId2'));
+        $this->assertTrue($this->sut->canRemoveSelfserveUser('userId2', RefData::ROLE_OPERATOR_ADMIN));
+    }
+
+    public function testFinalOperatorAdminNotRemovable(): void
+    {
+        $user = $this->getUser('userId1', false);
+        $this->authService->expects('isGranted')->with(RefData::PERMISSION_CAN_MANAGE_USER_SELFSERVE)->never();
+        $this->authService->expects('getIdentity')->withNoArgs()->andReturn($user);
+
+        $this->assertFalse($this->sut->canRemoveSelfserveUser('userId2', RefData::ROLE_OPERATOR_ADMIN));
     }
 
     /**
@@ -118,10 +137,15 @@ public function dpIsGranted(): array
         ];
     }
 
-    public function getUser(string $userId): MockObject
+    public function getUser(string $userId, $canDeleteOperatorAdmin = true): MockObject
     {
+        $data = [
+            'id' => $userId,
+            'canDeleteOperatorAdmin' => $canDeleteOperatorAdmin,
+        ];
+
         $user = $this->createMock(User::class);
-        $user->method('getUserData')->willReturn(['id' => $userId]);
+        $user->method('getUserData')->willReturn($data);
 
         return $user;
     }