Validate that the Project#user belongs to the same school as the project

tuzz · floehopper · commit 67576db9f98b · 2024-04-11T17:31:38.000+01:00
diff --git a/app/models/project.rb b/app/models/project.rb
@@ -16,6 +16,7 @@ class Project < ApplicationRecord
   validates :identifier, presence: true, uniqueness: { scope: :locale }
   validate :identifier_cannot_be_taken_by_another_user
   validates :locale, presence: true, unless: :user_id
+  validate :user_has_a_role_within_the_school
 
   scope :internal_projects, -> { where(user_id: nil) }
 
@@ -49,4 +50,16 @@ def identifier_cannot_be_taken_by_another_user
 
     errors.add(:identifier, "can't be taken by another user")
   end
+
+  def user_has_a_role_within_the_school
+    return unless user_id_changed? && errors.blank? && school
+
+    _, user = with_user
+
+    return if user.blank?
+    return if user.org_roles(organisation_id: school.id).any?
+
+    msg = "'#{user_id}' does not have any roles for for organisation '#{school.id}'"
+    errors.add(:user, msg)
+  end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -27,12 +27,6 @@ def attributes
     ATTRIBUTES.index_with { |_k| nil }
   end
 
-  def role?(role:)
-    return false if roles.nil?
-
-    roles.to_s.split(',').map(&:strip).include? role.to_s
-  end
-
   def organisation_ids
     organisations&.keys || []
   end
@@ -58,7 +52,7 @@ def school_student?(organisation_id:)
   end
 
   def admin?
-    role?(role: 'editor-admin')
+    organisation_ids.any? { |organisation_id| org_role?(organisation_id:, role: 'editor-admin') }
   end
 
   def ==(other)
diff --git a/spec/factories/user.rb b/spec/factories/user.rb
@@ -8,7 +8,7 @@
     organisations { {} }
 
     factory :admin_user do
-      roles { 'editor-admin' }
+      organisations { { '12345678-1234-1234-1234-123456789abc' => 'editor-admin' } }
     end
 
     skip_create
diff --git a/spec/features/project/creating_a_project_spec.rb b/spec/features/project/creating_a_project_spec.rb
@@ -5,6 +5,7 @@
 RSpec.describe 'Creating a project', type: :request do
   before do
     stub_hydra_public_api
+    stub_user_info_api
     mock_phrase_generation
   end
 
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
@@ -25,6 +25,14 @@
     let(:project) { create(:project) }
     let(:identifier) { project.identifier }
 
+    it 'has a valid default factory' do
+      expect(build(:project)).to be_valid
+    end
+
+    it 'can save the default factory' do
+      expect { build(:project).save! }.not_to raise_error
+    end
+
     it 'is invalid if no user or locale' do
       invalid_project = build(:project, locale: nil, user_id: nil)
       expect(invalid_project).to be_invalid
@@ -62,6 +70,17 @@
         expect(new_project).to be_invalid
       end
     end
+
+    context 'when the project has a school' do
+      before do
+        project.update!(school: create(:school))
+      end
+
+      it 'requires a user that has a role within the school' do
+        project.user_id = SecureRandom.uuid
+        expect(project).to be_invalid
+      end
+    end
   end
 
   describe 'check_unique_not_null', :sample_words do
