CRDCDH-2099 PBAC - Display Submission Request Action buttons based on permissions

src/config/AuthPermissions.test.ts

@@ -1,13 +1,38 @@
 import { hasPermission } from "./AuthPermissions";
 
+const baseApplication: Application = {
+  _id: "",
+  status: "New",
+  createdAt: "",
+  updatedAt: "",
+  submittedDate: "",
+  history: [],
+  controlledAccess: false,
+  openAccess: false,
+  ORCID: "",
+  PI: "",
+  applicant: {
+    applicantID: "owner-123",
+    applicantName: "",
+    applicantEmail: "",
+  },
+  questionnaireData: null,
+  programName: "",
+  studyAbbreviation: "",
+  conditional: false,
+  pendingConditions: [],
+  programAbbreviation: "",
+  programDescription: "",
+};
+
 const createUser = (role: UserRole, permissions: AuthPermissions[] = []): User => ({
   role,
   permissions,
   notifications: [],
   _id: "user-1",
-  firstName: "",
-  lastName: "",
-  email: "",
+  firstName: "Alice",
+  lastName: "Smith",
+  email: "[email protected]",
   dataCommons: [],
   studies: [],
   IDP: "nih",
@@ -40,7 +65,7 @@ describe("Basic Permissions", () => {
     "User",
     "Invalid-role" as UserRole,
   ])(
-    "should deny a user to view the dashboard if they have permission, regardless of '%s' role",
+    "should deny a user to view the dashboard if they do not have permission, regardless of '%s' role",
     (role) => {
       const user = createUser(role, []);
       expect(hasPermission(user, "dashboard", "view")).toBe(false);
@@ -69,3 +94,63 @@ describe("Edge Cases", () => {
     expect(hasPermission(user, "invalid_resource" as never, "view" as never)).toBe(false);
   });
 });
+
+describe("submission_request:submit Permission", () => {
+  const validStatuses: ApplicationStatus[] = ["In Progress", "Inquired"];
+  const invalidStatuses: ApplicationStatus[] = [
+    "Approved",
+    "In Review",
+    "New",
+    "Rejected",
+    "Submitted",
+  ];
+
+  it.each(validStatuses)(
+    "should allow the form owner to submit if the status is '%s' without the permission",
+    (status) => {
+      const user = createUser("Submitter", []);
+
+      const application: Application = {
+        ...baseApplication,
+        status,
+        applicant: {
+          ...baseApplication.applicant,
+          applicantID: "user-1",
+        },
+      };
+
+      expect(hasPermission(user, "submission_request", "submit", application)).toBe(true);
+    }
+  );
+
+  it.each(validStatuses)(
+    "should allow a user with 'submission_request:submit' permission key if the status is '%s', even if not owner",
+    (status) => {
+      const user = createUser("Submitter", ["submission_request:submit"]);
+      const application: Application = { ...baseApplication, status };
+
+      expect(hasPermission(user, "submission_request", "submit", application)).toBe(true);
+    }
+  );
+
+  it("should deny submission if the user is not the owner AND lacks the 'submission_request:submit' permission key", () => {
+    const user = createUser("Submitter", []);
+    const application: Application = { ...baseApplication, status: "In Progress" };
+
+    expect(hasPermission(user, "submission_request", "submit", application)).toBe(false);
+  });
+
+  it.each(invalidStatuses)("should deny submission if the application status is '%s'", (status) => {
+    const user = createUser("Submitter", ["submission_request:submit"]);
+    const application: Application = { ...baseApplication, status };
+
+    expect(hasPermission(user, "submission_request", "submit", application)).toBe(false);
+  });
+
+  it("should return false if application is missing or undefined", () => {
+    const user = createUser("Submitter", ["submission_request:submit"]);
+
+    expect(hasPermission(user, "submission_request", "submit", undefined)).toBe(false);
+    expect(hasPermission(user, "submission_request", "submit", null)).toBe(false);
+  });
+});

src/config/AuthPermissions.ts

@@ -45,7 +45,21 @@ export const PERMISSION_MAP = {
   submission_request: {
     view: NO_CONDITIONS,
     create: NO_CONDITIONS,
-    submit: NO_CONDITIONS,
+    submit: (user, application) => {
+      const isFormOwner = application?.applicant?.applicantID === user?._id;
+      const hasPermissionKey = user?.permissions?.includes("submission_request:submit");
+      const submitStatuses: ApplicationStatus[] = ["In Progress", "Inquired"];
+
+      // Check for implicit permission as well as for the permission key
+      if (!isFormOwner && !hasPermissionKey) {
+        return false;
+      }
+      if (!submitStatuses?.includes(application?.status)) {
+        return false;
+      }
+
+      return true;
+    },
     review: NO_CONDITIONS,
   },
   dashboard: {

src/content/questionnaire/FormView.tsx

@@ -538,15 +538,8 @@ const FormView: FC<Props> = ({ section }: Props) => {
   };
 
   const handleSubmitForm = () => {
-    if (
-      !hasPermission(user, "submission_request", "submit", data) ||
-      (data?.status !== "In Progress" &&
-        (data?.status !== "Inquired" || user?.role !== "Federal Lead"))
-    ) {
-      Logger.error("Invalid request to submit Submission Request form.", {
-        userRole: user?.role,
-        submissionStatus: data?.status,
-      });
+    if (!hasPermission(user, "submission_request", "submit", data)) {
+      Logger.error("Invalid request to submit Submission Request form.");
       return;
     }
     setOpenSubmitDialog(true);
@@ -627,15 +620,6 @@ const FormView: FC<Props> = ({ section }: Props) => {
     };
   });
 
-  useEffect(() => {
-    const formLoaded = status === FormStatus.LOADED && authStatus === AuthStatus.LOADED && data;
-    const invalidFormAuth = formMode === "Unauthorized" || authStatus === AuthStatus.ERROR || !user;
-
-    if (formLoaded && invalidFormAuth) {
-      navigate("/");
-    }
-  }, [formMode, navigate, status, authStatus, user, data]);
-
   useEffect(() => {
     const isComplete = isAllSectionsComplete();
     setAllSectionsComplete(isComplete);
@@ -730,8 +714,7 @@ const FormView: FC<Props> = ({ section }: Props) => {
               )}
 
               {activeSection === "REVIEW" &&
-                hasPermission(user, "submission_request", "submit") &&
-                ["In Progress", "Inquired"].includes(data?.status) && (
+                hasPermission(user, "submission_request", "submit", data) && (
                   <StyledExtendedLoadingButton
                     id="submission-form-submit-button"
                     variant="contained"

src/hooks/useFormMode.ts

@@ -1,7 +1,7 @@
 import { useEffect, useState } from "react";
 import { Status as AuthStatus, useAuthContext } from "../components/Contexts/AuthContext";
 import { Status as FormStatus, useFormContext } from "../components/Contexts/FormContext";
-import { FormMode, FormModes, getFormMode } from "../utils";
+import { FormMode, FormModes, getFormMode, Logger } from "../utils";
 
 const useFormMode = () => {
   const { user, status: authStatus } = useAuthContext();
@@ -15,10 +15,15 @@ const useFormMode = () => {
     }
 
     const updatedFormMode: FormMode = getFormMode(user, data);
+    if (updatedFormMode === FormModes.UNAUTHORIZED) {
+      Logger.error("useFormMode: User is unauthorized to view this Submission Request.", {
+        user,
+        data,
+      });
+    }
+
     setFormMode(updatedFormMode);
-    setReadOnlyInputs(
-      updatedFormMode === FormModes.VIEW_ONLY || updatedFormMode === FormModes.REVIEW
-    );
+    setReadOnlyInputs(updatedFormMode !== FormModes.EDIT);
   }, [user, data]);
 
   return { formMode, readOnlyInputs };

src/utils/formModeUtils.test.ts

@@ -297,10 +297,14 @@ describe("getFormMode tests based on provided requirements", () => {
         expect(utils.getFormMode(null, null)).toBe(utils.FormModes.UNAUTHORIZED);
       });
 
-      it("should set Unauthorized form if user does not have the required permissions", () => {
+      it("should set Unauthorized form if user does not have the required permissions and is not submission owner", () => {
         const user: User = { ...baseUser, role: undefined, permissions: [] };
+        const submission: Application = {
+          ...baseSubmission,
+          applicant: { ...baseSubmission.applicant, applicantID: "some-other-user" },
+        };
 
-        expect(utils.getFormMode(user, baseSubmission)).toBe(utils.FormModes.UNAUTHORIZED);
+        expect(utils.getFormMode(user, submission)).toBe(utils.FormModes.UNAUTHORIZED);
       });
 
       it("should set 'View Only' if form status is unknown or not defined", () => {

src/utils/formModeUtils.ts

@@ -23,14 +23,13 @@ export const getFormMode = (user: User, data: Application): FormMode => {
   if (!data) {
     return FormModes.UNAUTHORIZED;
   }
-  if (
-    !hasPermission(user, "submission_request", "view") &&
-    user?._id !== data.applicant?.applicantID
-  ) {
+  const isFormOwner = user?._id === data.applicant?.applicantID;
+  if (!hasPermission(user, "submission_request", "view") && !isFormOwner) {
     return FormModes.UNAUTHORIZED;
   }
 
   if (
+    !isFormOwner &&
     !hasPermission(user, "submission_request", "view") &&
     !hasPermission(user, "submission_request", "create") &&
     !hasPermission(user, "submission_request", "review")
@@ -45,7 +44,12 @@ export const getFormMode = (user: User, data: Application): FormMode => {
     return FormModes.REVIEW;
   }
 
-  if (hasPermission(user, "submission_request", "create") && EditStatuses.includes(data?.status)) {
+  // User is only allowed to edit their own Submission Request
+  if (
+    isFormOwner &&
+    hasPermission(user, "submission_request", "create") &&
+    EditStatuses.includes(data?.status)
+  ) {
     return FormModes.EDIT;
   }