Merge pull request #8066 from espoon-voltti/staff-no-decision-edit

terolaakso-reaktor · web-flow · commit 9b8931e6881e · 2025-11-07T16:15:31.000+02:00
Poista muiden päätösten muokkausoikeus henkilökunnalta
diff --git a/frontend/src/employee-frontend/components/child-information/ChildDocuments.tsx b/frontend/src/employee-frontend/components/child-information/ChildDocuments.tsx
@@ -13,6 +13,7 @@ import DateRange from 'lib-common/date-range'
 import { boolean, openEndedLocalDateRange } from 'lib-common/form/fields'
 import { object, oneOf, required, validated } from 'lib-common/form/form'
 import { useForm, useFormFields } from 'lib-common/form/hooks'
+import type { Action } from 'lib-common/generated/action'
 import type {
   ChildDocumentSummary,
   ChildDocumentSummaryWithPermittedActions,
@@ -157,13 +158,11 @@ const DecisionValidityModal = React.memo(function DecisionValidityModal({
   onClose,
   document,
   childId,
-  permittedActions: _permittedActions,
   onSuccess
 }: {
   onClose: () => void
   document: ChildDocumentSummary
   childId: ChildId
-  permittedActions: string[]
   onSuccess: () => void
 }) {
   const { i18n, lang } = useTranslation()
@@ -220,7 +219,7 @@ const DecisionValidityCell = React.memo(function DecisionValidityCell({
 }: {
   document: ChildDocumentSummary
   childId: ChildId
-  permittedActions: string[]
+  permittedActions: Action.ChildDocument[]
 }) {
   const { i18n } = useTranslation()
   const [modalOpen, setModalOpen] = useState(false)
@@ -248,7 +247,6 @@ const DecisionValidityCell = React.memo(function DecisionValidityCell({
           onClose={() => setModalOpen(false)}
           document={document}
           childId={childId}
-          permittedActions={permittedActions}
           onSuccess={() => setModalOpen(false)}
         />
       )}
diff --git a/service/src/integrationTest/kotlin/fi/espoo/evaka/document/childdocument/ChildDocumentControllerIntegrationTest.kt b/service/src/integrationTest/kotlin/fi/espoo/evaka/document/childdocument/ChildDocumentControllerIntegrationTest.kt
@@ -27,19 +27,23 @@ import fi.espoo.evaka.shared.ChildDocumentDecisionId
 import fi.espoo.evaka.shared.ChildDocumentId
 import fi.espoo.evaka.shared.DocumentTemplateId
 import fi.espoo.evaka.shared.EmployeeId
+import fi.espoo.evaka.shared.PlacementId
 import fi.espoo.evaka.shared.async.AsyncJob
 import fi.espoo.evaka.shared.async.AsyncJobRunner
 import fi.espoo.evaka.shared.auth.AuthenticatedUser
 import fi.espoo.evaka.shared.auth.UserRole
 import fi.espoo.evaka.shared.auth.insertDaycareAclRow
 import fi.espoo.evaka.shared.dev.DevDaycare
+import fi.espoo.evaka.shared.dev.DevDaycareGroup
+import fi.espoo.evaka.shared.dev.DevDaycareGroupPlacement
 import fi.espoo.evaka.shared.dev.DevDocumentTemplate
 import fi.espoo.evaka.shared.dev.DevEmployee
 import fi.espoo.evaka.shared.dev.DevPerson
 import fi.espoo.evaka.shared.dev.DevPersonType
 import fi.espoo.evaka.shared.dev.DevPlacement
 import fi.espoo.evaka.shared.dev.DevSfiMessageEvent
 import fi.espoo.evaka.shared.dev.insert
+import fi.espoo.evaka.shared.dev.insertEmployeeToDaycareGroupAcl
 import fi.espoo.evaka.shared.domain.BadRequest
 import fi.espoo.evaka.shared.domain.Conflict
 import fi.espoo.evaka.shared.domain.DateRange
@@ -77,6 +81,7 @@ class ChildDocumentControllerIntegrationTest : FullApplicationTest(resetDbBefore
     lateinit var areaId: AreaId
     val employeeUser = DevEmployee(roles = setOf(UserRole.ADMIN))
     lateinit var unitSupervisorUser: AuthenticatedUser.Employee
+    lateinit var placementId: PlacementId
 
     final val clock = MockEvakaClock(2022, 1, 1, 15, 0)
 
@@ -209,14 +214,15 @@ class ChildDocumentControllerIntegrationTest : FullApplicationTest(resetDbBefore
             tx.insert(testChild_1, DevPersonType.CHILD)
             tx.insert(testAdult_1, DevPersonType.ADULT)
             tx.insertGuardian(testAdult_1.id, testChild_1.id)
-            tx.insert(
-                DevPlacement(
-                    childId = testChild_1.id,
-                    unitId = testDaycare.id,
-                    startDate = clock.today(),
-                    endDate = clock.today().plusDays(5),
+            placementId =
+                tx.insert(
+                    DevPlacement(
+                        childId = testChild_1.id,
+                        unitId = testDaycare.id,
+                        startDate = clock.today(),
+                        endDate = clock.today().plusDays(5),
+                    )
                 )
-            )
             tx.insert(devTemplatePed)
             tx.insert(devTemplatePedagogicalReport)
             tx.insert(devTemplateHojks)
@@ -1252,6 +1258,84 @@ class ChildDocumentControllerIntegrationTest : FullApplicationTest(resetDbBefore
         )
     }
 
+    @Test
+    fun `employee with STAFF permission can edit ordinary document but not decision document`() {
+        val groupId =
+            db.transaction { tx ->
+                val id = tx.insert(DevDaycareGroup(daycareId = testDaycare.id))
+                tx.insert(
+                    DevDaycareGroupPlacement(
+                        daycarePlacementId = placementId,
+                        daycareGroupId = id,
+                        startDate = clock.today(),
+                        endDate = clock.today().plusDays(10),
+                    )
+                )
+                id
+            }
+
+        val staffEmployee = DevEmployee()
+        val staffUser =
+            db.transaction { tx ->
+                val staffId = tx.insert(staffEmployee)
+                tx.insertDaycareAclRow(testDaycare.id, staffId, UserRole.STAFF)
+                tx.insertEmployeeToDaycareGroupAcl(groupId, staffId)
+                AuthenticatedUser.Employee(staffId, setOf(UserRole.STAFF))
+            }
+
+        // Create an ordinary child document (PEDAGOGICAL_ASSESSMENT)
+        val ordinaryDocumentId =
+            controller.createDocument(
+                dbInstance(),
+                employeeUser.user,
+                clock,
+                ChildDocumentCreateRequest(testChild_1.id, templateIdPed),
+            )
+
+        // Create a decision document (OTHER_DECISION)
+        val decisionDocumentId =
+            controller.createDocument(
+                dbInstance(),
+                employeeUser.user,
+                clock,
+                ChildDocumentCreateRequest(testChild_1.id, templateIdAssistanceDecision),
+            )
+
+        // Staff employee should be able to update the ordinary document
+        val laterClock = MockEvakaClock(clock.now().plusMinutes(6))
+        val ordinaryContent =
+            DocumentContent(answers = listOf(AnsweredQuestion.TextAnswer("q1", "staff edit")))
+        updateDocumentContent(
+            ordinaryDocumentId,
+            ordinaryContent,
+            now = laterClock,
+            user = staffUser,
+        )
+
+        // Verify the update succeeded
+        assertEquals(
+            ordinaryContent,
+            controller
+                .getDocument(dbInstance(), staffUser, laterClock, ordinaryDocumentId)
+                .data
+                .content,
+        )
+
+        // Staff employee should NOT be able to update the decision document
+        val decisionContent =
+            DocumentContent(
+                answers = listOf(AnsweredQuestion.TextAnswer("q1", "staff edit decision"))
+            )
+        assertThrows<Forbidden> {
+            updateDocumentContent(
+                decisionDocumentId,
+                decisionContent,
+                now = laterClock,
+                user = staffUser,
+            )
+        }
+    }
+
     private fun getDocument(id: ChildDocumentId) =
         controller.getDocument(dbInstance(), employeeUser.user, clock, id).data
 
diff --git a/service/src/main/kotlin/fi/espoo/evaka/shared/security/Action.kt b/service/src/main/kotlin/fi/espoo/evaka/shared/security/Action.kt
@@ -2384,32 +2384,39 @@ sealed interface Action {
             HasGlobalRole(ADMIN),
             HasUnitRole(UNIT_SUPERVISOR, SPECIAL_EDUCATION_TEACHER)
                 .inPlacementUnitOfChildOfChildDocument(editable = true),
-            HasGroupRole(STAFF).inPlacementGroupOfChildOfChildDocument(editable = true),
+            HasGroupRole(STAFF)
+                .inPlacementGroupOfChildOfChildDocument(editable = true, denyForDecisions = true),
         ),
         PUBLISH(
             HasGlobalRole(ADMIN),
             HasUnitRole(UNIT_SUPERVISOR, SPECIAL_EDUCATION_TEACHER)
                 .inPlacementUnitOfChildOfChildDocument(publishable = true),
-            HasGroupRole(STAFF).inPlacementGroupOfChildOfChildDocument(publishable = true),
+            HasGroupRole(STAFF)
+                .inPlacementGroupOfChildOfChildDocument(publishable = true, denyForDecisions = true),
         ),
         NEXT_STATUS(
             HasGlobalRole(ADMIN),
             HasUnitRole(UNIT_SUPERVISOR, SPECIAL_EDUCATION_TEACHER)
                 .inPlacementUnitOfChildOfChildDocument(),
-            HasGroupRole(STAFF).inPlacementGroupOfChildOfChildDocument(),
+            HasGroupRole(STAFF).inPlacementGroupOfChildOfChildDocument(denyForDecisions = true),
         ),
         PREV_STATUS(
             HasGlobalRole(ADMIN),
             HasUnitRole(UNIT_SUPERVISOR, SPECIAL_EDUCATION_TEACHER)
                 .inPlacementUnitOfChildOfChildDocument(canGoToPrevStatus = true),
-            HasGroupRole(STAFF).inPlacementGroupOfChildOfChildDocument(canGoToPrevStatus = true),
+            HasGroupRole(STAFF)
+                .inPlacementGroupOfChildOfChildDocument(
+                    canGoToPrevStatus = true,
+                    denyForDecisions = true,
+                ),
             IsEmployee.andIsDecisionMakerForChildDocumentDecision(),
         ),
         DELETE(
             HasGlobalRole(ADMIN),
             HasUnitRole(UNIT_SUPERVISOR, SPECIAL_EDUCATION_TEACHER)
                 .inPlacementUnitOfChildOfChildDocument(deletable = true),
-            HasGroupRole(STAFF).inPlacementGroupOfChildOfChildDocument(deletable = true),
+            HasGroupRole(STAFF)
+                .inPlacementGroupOfChildOfChildDocument(deletable = true, denyForDecisions = true),
         ),
         PROPOSE_DECISION(
             HasGlobalRole(ADMIN),
diff --git a/service/src/main/kotlin/fi/espoo/evaka/shared/security/actionrule/HasGroupRole.kt b/service/src/main/kotlin/fi/espoo/evaka/shared/security/actionrule/HasGroupRole.kt
@@ -174,8 +174,11 @@ WHERE employee_id = ${bind(user.id)}
         deletable: Boolean = false,
         publishable: Boolean = false,
         canGoToPrevStatus: Boolean = false,
-    ) =
-        rule<ChildDocumentId> { user, now ->
+        denyForDecisions: Boolean = false,
+    ): DatabaseActionRule.Scoped<ChildDocumentId, HasGroupRole> {
+        val denyDecisionSql =
+            if (denyForDecisions) " AND child_document.type <> 'OTHER_DECISION' " else ""
+        return rule { user, now ->
             sql(
                 """
 SELECT child_document.id AS id, role, enabled_pilot_features AS unit_features, provider_type AS unit_provider_type
@@ -187,10 +190,12 @@ ${if (editable) "AND status = ANY(${bind(DocumentStatus.entries.filter { it.empl
 ${if (deletable) "AND status = 'DRAFT' AND published_at IS NULL" else ""}
 ${if (publishable) "AND status <> 'COMPLETED'" else ""}
 ${if (canGoToPrevStatus) "AND child_document.type = 'CITIZEN_BASIC' AND child_document.content -> 'answers' = '[]'::jsonb AND child_document.status <> 'COMPLETED'" else ""}
+$denyDecisionSql
             """
                     .trimIndent()
             )
         }
+    }
 
     fun inPlacementGroupOfDuplicateChildOfHojksChildDocument() =
         rule<ChildDocumentId> { user, now ->
