WIP: Add safeguarding flags in SchoolStudentsController

Author: chrisroos

app/controllers/api/school_students_controller.rb

@@ -5,6 +5,7 @@ class SchoolStudentsController < ApiController
     before_action :authorize_user
     load_and_authorize_resource :school
     authorize_resource :school_student, class: false
+    before_action :create_safeguarding_flags
 
     def index
       result = SchoolStudent::List.call(school: @school, token: current_user.token)
@@ -62,5 +63,28 @@ def destroy
     def school_student_params
       params.require(:school_student).permit(:username, :password, :name)
     end
+
+    def create_safeguarding_flags
+      create_teacher_safeguarding_flag
+      create_owner_safeguarding_flag
+    end
+
+    def create_teacher_safeguarding_flag
+      return unless current_user.school_teacher?(@school)
+
+      ProfileApiClient.create_safeguarding_flag(
+        token: current_user.token,
+        flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher]
+      )
+    end
+
+    def create_owner_safeguarding_flag
+      return unless current_user.school_owner?(@school)
+
+      ProfileApiClient.create_safeguarding_flag(
+        token: current_user.token,
+        flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner]
+      )
+    end
   end
 end

spec/features/school_student/creating_a_batch_of_school_students_spec.rb

@@ -6,6 +6,7 @@
   before do
     authenticated_in_hydra_as(owner)
     stub_profile_api_create_school_student
+    stub_profile_api_create_safeguarding_flag
   end
 
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
@@ -15,6 +16,16 @@
 
   let(:file) { fixture_file_upload('students.csv') }
 
+  it 'creates the school owner safeguarding flag' do
+    post("/api/schools/#{school.id}/students/batch", headers:, params: { file: })
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'does not create the school teacher safeguarding flag' do
+    post("/api/schools/#{school.id}/students/batch", headers:, params: { file: })
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 204 No Content' do
     post("/api/schools/#{school.id}/students/batch", headers:, params: { file: })
     expect(response).to have_http_status(:no_content)
@@ -28,6 +39,22 @@
     expect(response).to have_http_status(:no_content)
   end
 
+  it 'does not createt the school owner safeguarding flag when the user is a school-teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    post("/api/schools/#{school.id}/students/batch", headers:, params: { file: })
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'does not create the school teacher safeguarding flag when the user is a school-teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    post("/api/schools/#{school.id}/students/batch", headers:, params: { file: })
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 422 Unprocessable Entity when params are invalid' do
     post("/api/schools/#{school.id}/students/batch", headers:, params: {})
     expect(response).to have_http_status(:unprocessable_entity)

spec/features/school_student/creating_a_school_student_spec.rb

@@ -6,6 +6,7 @@
   before do
     authenticated_in_hydra_as(owner)
     stub_profile_api_create_school_student
+    stub_profile_api_create_safeguarding_flag
   end
 
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
@@ -22,6 +23,16 @@
     }
   end
 
+  it 'creates the school owner safeguarding flag' do
+    post("/api/schools/#{school.id}/students", headers:, params:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'does not create the school teacher safeguarding flag' do
+    post("/api/schools/#{school.id}/students", headers:, params:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 204 No Content' do
     post("/api/schools/#{school.id}/students", headers:, params:)
     expect(response).to have_http_status(:no_content)
@@ -35,6 +46,22 @@
     expect(response).to have_http_status(:no_content)
   end
 
+  it 'does not create the school owner safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    post("/api/schools/#{school.id}/students", headers:, params:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'creates the school teacher safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    post("/api/schools/#{school.id}/students", headers:, params:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 400 Bad Request when params are missing' do
     post("/api/schools/#{school.id}/students", headers:)
     expect(response).to have_http_status(:bad_request)

spec/features/school_student/deleting_a_school_student_spec.rb

@@ -6,13 +6,24 @@
   before do
     authenticated_in_hydra_as(owner)
     stub_profile_api_delete_school_student
+    stub_profile_api_create_safeguarding_flag
   end
 
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
   let(:school) { create(:school) }
   let(:student_id) { SecureRandom.uuid }
   let(:owner) { create(:owner, school:) }
 
+  it 'creates the school owner safeguarding flag' do
+    delete("/api/schools/#{school.id}/students/#{student_id}", headers:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'does not create the school teacher safeguarding flag' do
+    delete("/api/schools/#{school.id}/students/#{student_id}", headers:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 204 No Content' do
     delete("/api/schools/#{school.id}/students/#{student_id}", headers:)
     expect(response).to have_http_status(:no_content)
@@ -39,6 +50,22 @@
     expect(response).to have_http_status(:forbidden)
   end
 
+  it 'does not create the school owner safeguarding flag when logged in as a teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    delete("/api/schools/#{school.id}/students/#{student_id}", headers:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'does not create the school teacher safeguarding flag when logged in as a teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    delete("/api/schools/#{school.id}/students/#{student_id}", headers:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 403 Forbidden when the user is a school-student' do
     student = create(:student, school:)
     authenticated_in_hydra_as(student)

spec/features/school_student/listing_school_students_spec.rb

@@ -7,6 +7,7 @@
     authenticated_in_hydra_as(owner)
     stub_profile_api_list_school_students(user_id: student.id)
     stub_user_info_api_for(student)
+    stub_profile_api_create_safeguarding_flag
   end
 
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
@@ -19,6 +20,16 @@
     expect(response).to have_http_status(:ok)
   end
 
+  it 'creates the school owner safeguarding flag' do
+    get("/api/schools/#{school.id}/students", headers:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'does not create the school teacher safeguarding flag' do
+    get("/api/schools/#{school.id}/students", headers:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 200 OK when the user is a school-teacher' do
     teacher = create(:teacher, school:)
     authenticated_in_hydra_as(teacher)
@@ -27,6 +38,22 @@
     expect(response).to have_http_status(:ok)
   end
 
+  it 'does not createt the school owner safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    get("/api/schools/#{school.id}/students", headers:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'creates the school teacher safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    get("/api/schools/#{school.id}/students", headers:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds with the school students JSON' do
     get("/api/schools/#{school.id}/students", headers:)
     data = JSON.parse(response.body, symbolize_names: true)

spec/features/school_student/updating_a_school_student_spec.rb

@@ -6,6 +6,7 @@
   before do
     authenticated_in_hydra_as(owner)
     stub_profile_api_update_school_student
+    stub_profile_api_create_safeguarding_flag
   end
 
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
@@ -23,6 +24,16 @@
     }
   end
 
+  it 'creates the school owner safeguarding flag' do
+    put("/api/schools/#{school.id}/students/#{student_id}", headers:, params:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'does not create the school teacher safeguarding flag' do
+    put("/api/schools/#{school.id}/students/#{student_id}", headers:, params:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 204 No Content' do
     put("/api/schools/#{school.id}/students/#{student_id}", headers:, params:)
     expect(response).to have_http_status(:no_content)
@@ -36,6 +47,22 @@
     expect(response).to have_http_status(:no_content)
   end
 
+  it 'does not create the school owner safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    put("/api/schools/#{school.id}/students/#{student_id}", headers:, params:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'creates the school teacher safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    put("/api/schools/#{school.id}/students/#{student_id}", headers:, params:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 401 Unauthorized when no token is given' do
     put("/api/schools/#{school.id}/students/#{student_id}", params:)
     expect(response).to have_http_status(:unauthorized)

spec/support/profile_api_mock.rb

@@ -38,4 +38,8 @@ def stub_profile_api_update_school_student
   def stub_profile_api_delete_school_student
     allow(ProfileApiClient).to receive(:delete_school_student)
   end
+
+  def stub_profile_api_create_safeguarding_flag
+    allow(ProfileApiClient).to receive(:create_safeguarding_flag)
+  end
 end