Merge pull request #1175 from NHSDigital/12341-administrative-users-start-button

Guard start appointment button by permission

Author: malcolmbaig

manage_breast_screening/assets/js/check-in.test.js

@@ -114,6 +114,26 @@ describe('Check in', () => {
     expect(startAppointmentContainer).not.toHaveAttribute('hidden')
   })
 
+  it('succeeds when start-appointment container is absent (admin user)', async () => {
+    // Simulate admin user's page — no start-appointment container in DOM
+    startAppointmentContainer.remove()
+
+    jest.mocked(fetch).mockResolvedValue(
+      /** @type {Response} */ ({
+        ok: true,
+        status: 200
+      })
+    )
+
+    createAll(CheckIn)
+
+    await user.click(button)
+
+    expect(console.error).not.toHaveBeenCalled()
+    expect(currentStatus).toHaveAttribute('hidden')
+    expect(checkedInStatus).not.toHaveAttribute('hidden')
+  })
+
   it('does not change the DOM if the request fails', async () => {
     jest.mocked(fetch).mockResolvedValue(
       /** @type {Response} */ ({

manage_breast_screening/core/jinja2/components/start-appointment/template.jinja

@@ -2,11 +2,13 @@
   {{ raise('start_appointment_url is required') }}
 {% endif %}
 
-<div data-module="app-start-appointment" data-appointment-id="{{ presented_appointment.pk }}" {% if presented_appointment.can_be_checked_in or not presented_appointment.can_be_started_by(user) %}hidden{% endif %}>
+{% if user.has_perm('mammograms.do_mammogram_appointment') %}
+<div data-module="app-start-appointment" data-appointment-id="{{ presented_appointment.pk }}" {% if presented_appointment.can_be_checked_in %}hidden{% endif %}>
   <form action="{{ start_appointment_url }}" method="post" novalidate>
     <p>
       <button class="app-button app-button--link">Start appointment<span class="nhsuk-u-visually-hidden"> {{ presented_appointment.participant.full_name }}</span></button>
     </p>
     {{ csrf_input }}
   </form>
 </div>
+{% endif %}

manage_breast_screening/core/tests/jinja2/test_start_appointment.py

@@ -0,0 +1,62 @@
+from unittest.mock import MagicMock
+
+import pytest
+
+
+@pytest.fixture
+def template(jinja_env):
+    return jinja_env.get_template("components/start-appointment/template.jinja")
+
+
+@pytest.fixture
+def presented_appointment():
+    mock = MagicMock()
+    mock.pk = "abc-123"
+    mock.participant.full_name = "Jane Smith"
+    mock.can_be_checked_in = False
+    return mock
+
+
+def render(template, user_has_perm, presented_appointment):
+    user = MagicMock()
+    user.has_perm.return_value = user_has_perm
+    return template.render(
+        {
+            "user": user,
+            "presented_appointment": presented_appointment,
+            "start_appointment_url": "/mammograms/abc-123/start-appointment/",
+            "csrf_input": "",
+        }
+    )
+
+
+def test_renders_start_button_for_clinical_user(template, presented_appointment):
+    html = render(
+        template, user_has_perm=True, presented_appointment=presented_appointment
+    )
+    assert 'data-module="app-start-appointment"' in html
+
+
+def test_does_not_render_start_button_for_admin_user(template, presented_appointment):
+    html = render(
+        template, user_has_perm=False, presented_appointment=presented_appointment
+    )
+    assert 'data-module="app-start-appointment"' not in html
+
+
+def test_renders_button_hidden_before_checkin(template, presented_appointment):
+    presented_appointment.can_be_checked_in = True
+    html = render(
+        template, user_has_perm=True, presented_appointment=presented_appointment
+    )
+    assert 'data-module="app-start-appointment"' in html
+    assert 'data-appointment-id="abc-123" hidden' in html
+
+
+def test_renders_button_visible_after_checkin(template, presented_appointment):
+    presented_appointment.can_be_checked_in = False
+    html = render(
+        template, user_has_perm=True, presented_appointment=presented_appointment
+    )
+    assert 'data-module="app-start-appointment"' in html
+    assert 'data-appointment-id="abc-123" hidden' not in html