Create Safeguarding flags in SchoolStudentsController

The Profile API requires that the authenticated user has:

- either the school:owner or school:teacher safeguarding flags set in
  order to be able to create, edit and list students
- the school:owner safeguarding flag set in order to be able to delete
  students

Safeguarding flags can only be set in Profile API for the authenticated
user so we're conditionally creating them here before the user then
attempts to interact with Profile API to CRUD students.

Author: chrisroos

app/controllers/api/school_students_controller.rb

@@ -5,6 +5,7 @@ class SchoolStudentsController < ApiController
     before_action :authorize_user
     load_and_authorize_resource :school
     authorize_resource :school_student, class: false
+    before_action :create_safeguarding_flags
 
     def index
       result = SchoolStudent::List.call(school: @school, token: current_user.token)
@@ -62,5 +63,28 @@ def destroy
     def school_student_params
       params.require(:school_student).permit(:username, :password, :name)
     end
+
+    def create_safeguarding_flags
+      create_teacher_safeguarding_flag
+      create_owner_safeguarding_flag
+    end
+
+    def create_teacher_safeguarding_flag
+      return unless current_user.school_teacher?(@school)
+
+      ProfileApiClient.create_safeguarding_flag(
+        token: current_user.token,
+        flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher]
+      )
+    end
+
+    def create_owner_safeguarding_flag
+      return unless current_user.school_owner?(@school)
+
+      ProfileApiClient.create_safeguarding_flag(
+        token: current_user.token,
+        flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner]
+      )
+    end
   end
 end

spec/features/school_student/creating_a_batch_of_school_students_spec.rb

@@ -6,6 +6,7 @@
   before do
     authenticated_in_hydra_as(owner)
     stub_profile_api_create_school_student
+    stub_profile_api_create_safeguarding_flag
   end
 
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
@@ -15,6 +16,16 @@
 
   let(:file) { fixture_file_upload('students.csv') }
 
+  it 'creates the school owner safeguarding flag' do
+    post("/api/schools/#{school.id}/students/batch", headers:, params: { file: })
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'does not create the school teacher safeguarding flag' do
+    post("/api/schools/#{school.id}/students/batch", headers:, params: { file: })
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 204 No Content' do
     post("/api/schools/#{school.id}/students/batch", headers:, params: { file: })
     expect(response).to have_http_status(:no_content)
@@ -28,6 +39,22 @@
     expect(response).to have_http_status(:no_content)
   end
 
+  it 'does not create the school owner safeguarding flag when the user is a school-teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    post("/api/schools/#{school.id}/students/batch", headers:, params: { file: })
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'creates the school teacher safeguarding flag when the user is a school-teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    post("/api/schools/#{school.id}/students/batch", headers:, params: { file: })
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 422 Unprocessable Entity when params are invalid' do
     post("/api/schools/#{school.id}/students/batch", headers:, params: {})
     expect(response).to have_http_status(:unprocessable_entity)

spec/features/school_student/creating_a_school_student_spec.rb

@@ -6,6 +6,7 @@
   before do
     authenticated_in_hydra_as(owner)
     stub_profile_api_create_school_student
+    stub_profile_api_create_safeguarding_flag
   end
 
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
@@ -22,6 +23,16 @@
     }
   end
 
+  it 'creates the school owner safeguarding flag' do
+    post("/api/schools/#{school.id}/students", headers:, params:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'does not create the school teacher safeguarding flag' do
+    post("/api/schools/#{school.id}/students", headers:, params:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 204 No Content' do
     post("/api/schools/#{school.id}/students", headers:, params:)
     expect(response).to have_http_status(:no_content)
@@ -35,6 +46,22 @@
     expect(response).to have_http_status(:no_content)
   end
 
+  it 'does not create the school owner safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    post("/api/schools/#{school.id}/students", headers:, params:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'creates the school teacher safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    post("/api/schools/#{school.id}/students", headers:, params:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 400 Bad Request when params are missing' do
     post("/api/schools/#{school.id}/students", headers:)
     expect(response).to have_http_status(:bad_request)

spec/features/school_student/deleting_a_school_student_spec.rb

@@ -6,13 +6,24 @@
   before do
     authenticated_in_hydra_as(owner)
     stub_profile_api_delete_school_student
+    stub_profile_api_create_safeguarding_flag
   end
 
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
   let(:school) { create(:school) }
   let(:student_id) { SecureRandom.uuid }
   let(:owner) { create(:owner, school:) }
 
+  it 'creates the school owner safeguarding flag' do
+    delete("/api/schools/#{school.id}/students/#{student_id}", headers:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'does not create the school teacher safeguarding flag' do
+    delete("/api/schools/#{school.id}/students/#{student_id}", headers:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 204 No Content' do
     delete("/api/schools/#{school.id}/students/#{student_id}", headers:)
     expect(response).to have_http_status(:no_content)
@@ -39,6 +50,22 @@
     expect(response).to have_http_status(:forbidden)
   end
 
+  it 'does not create the school owner safeguarding flag when logged in as a teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    delete("/api/schools/#{school.id}/students/#{student_id}", headers:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'does not create the school teacher safeguarding flag when logged in as a teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    delete("/api/schools/#{school.id}/students/#{student_id}", headers:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 403 Forbidden when the user is a school-student' do
     student = create(:student, school:)
     authenticated_in_hydra_as(student)

spec/features/school_student/listing_school_students_spec.rb

@@ -7,6 +7,7 @@
     authenticated_in_hydra_as(owner)
     stub_profile_api_list_school_students(user_id: student.id)
     stub_user_info_api_for(student)
+    stub_profile_api_create_safeguarding_flag
   end
 
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
@@ -19,6 +20,16 @@
     expect(response).to have_http_status(:ok)
   end
 
+  it 'creates the school owner safeguarding flag' do
+    get("/api/schools/#{school.id}/students", headers:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'does not create the school teacher safeguarding flag' do
+    get("/api/schools/#{school.id}/students", headers:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 200 OK when the user is a school-teacher' do
     teacher = create(:teacher, school:)
     authenticated_in_hydra_as(teacher)
@@ -27,6 +38,22 @@
     expect(response).to have_http_status(:ok)
   end
 
+  it 'does not create the school owner safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    get("/api/schools/#{school.id}/students", headers:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'creates the school teacher safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    get("/api/schools/#{school.id}/students", headers:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds with the school students JSON' do
     get("/api/schools/#{school.id}/students", headers:)
     data = JSON.parse(response.body, symbolize_names: true)

spec/features/school_student/updating_a_school_student_spec.rb

@@ -6,6 +6,7 @@
   before do
     authenticated_in_hydra_as(owner)
     stub_profile_api_update_school_student
+    stub_profile_api_create_safeguarding_flag
   end
 
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
@@ -23,6 +24,16 @@
     }
   end
 
+  it 'creates the school owner safeguarding flag' do
+    put("/api/schools/#{school.id}/students/#{student_id}", headers:, params:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'does not create the school teacher safeguarding flag' do
+    put("/api/schools/#{school.id}/students/#{student_id}", headers:, params:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 204 No Content' do
     put("/api/schools/#{school.id}/students/#{student_id}", headers:, params:)
     expect(response).to have_http_status(:no_content)
@@ -36,6 +47,22 @@
     expect(response).to have_http_status(:no_content)
   end
 
+  it 'does not create the school owner safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    put("/api/schools/#{school.id}/students/#{student_id}", headers:, params:)
+    expect(ProfileApiClient).not_to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:owner])
+  end
+
+  it 'creates the school teacher safeguarding flag when the user is a school teacher' do
+    teacher = create(:teacher, school:)
+    authenticated_in_hydra_as(teacher)
+
+    put("/api/schools/#{school.id}/students/#{student_id}", headers:, params:)
+    expect(ProfileApiClient).to have_received(:create_safeguarding_flag).with(token: UserProfileMock::TOKEN, flag: ProfileApiClient::SAFEGUARDING_FLAGS[:teacher])
+  end
+
   it 'responds 401 Unauthorized when no token is given' do
     put("/api/schools/#{school.id}/students/#{student_id}", params:)
     expect(response).to have_http_status(:unauthorized)

spec/support/profile_api_mock.rb

@@ -38,4 +38,8 @@ def stub_profile_api_update_school_student
   def stub_profile_api_delete_school_student
     allow(ProfileApiClient).to receive(:delete_school_student)
   end
+
+  def stub_profile_api_create_safeguarding_flag
+    allow(ProfileApiClient).to receive(:create_safeguarding_flag)
+  end
 end