CRDCDH-2099 PBAC - Display Submission Request Action buttons based on permissions

src/config/AuthPermissions.ts

@@ -45,7 +45,21 @@ export const PERMISSION_MAP = {
   submission_request: {
     view: NO_CONDITIONS,
     create: NO_CONDITIONS,
-    submit: NO_CONDITIONS,
+    submit: (user, application) => {
+      const isFormOwner = application?.applicant?.applicantID === user?._id;
+      const hasPermissionKey = user?.permissions?.includes("submission_request:submit");
+      const submitStatuses: ApplicationStatus[] = ["In Progress", "Inquired"];
+
+      // Check for implicit permission as well as for the permission key
+      if (!isFormOwner && !hasPermissionKey) {
+        return false;
+      }
+      if (!submitStatuses?.includes(application?.status)) {
+        return false;
+      }
+
+      return true;
+    },
     review: NO_CONDITIONS,
   },
   dashboard: {

src/content/questionnaire/FormView.tsx

@@ -170,6 +170,7 @@ const FormView: FC<Props> = ({ section }: Props) => {
     ? `/submission/${data?.["_id"]}/${sectionKeys[sectionIndex + 1]}`
     : null;
   const isSectionD = activeSection === "D";
+  const isFormOwner = data?.applicant?.applicantID === user?._id;
   const formContentRef = useRef(null);
   const lastSectionRef = useRef(null);
   const hasReopenedFormRef = useRef(false);
@@ -538,13 +539,10 @@ const FormView: FC<Props> = ({ section }: Props) => {
   };
 
   const handleSubmitForm = () => {
-    if (
-      !hasPermission(user, "submission_request", "submit", data) ||
-      (data?.status !== "In Progress" &&
-        (data?.status !== "Inquired" || user?.role !== "Federal Lead"))
-    ) {
+    if (!hasPermission(user, "submission_request", "submit", data)) {
       Logger.error("Invalid request to submit Submission Request form.", {
-        userRole: user?.role,
+        isFormOwner,
+        hasPermission,
         submissionStatus: data?.status,
       });
       return;
@@ -627,15 +625,6 @@ const FormView: FC<Props> = ({ section }: Props) => {
     };
   });
 
-  useEffect(() => {
-    const formLoaded = status === FormStatus.LOADED && authStatus === AuthStatus.LOADED && data;
-    const invalidFormAuth = formMode === "Unauthorized" || authStatus === AuthStatus.ERROR || !user;
-
-    if (formLoaded && invalidFormAuth) {
-      navigate("/");
-    }
-  }, [formMode, navigate, status, authStatus, user, data]);
-
   useEffect(() => {
     const isComplete = isAllSectionsComplete();
     setAllSectionsComplete(isComplete);
@@ -730,8 +719,7 @@ const FormView: FC<Props> = ({ section }: Props) => {
               )}
 
               {activeSection === "REVIEW" &&
-                hasPermission(user, "submission_request", "submit") &&
-                ["In Progress", "Inquired"].includes(data?.status) && (
+                hasPermission(user, "submission_request", "submit", data) && (
                   <StyledExtendedLoadingButton
                     id="submission-form-submit-button"
                     variant="contained"

src/hooks/useFormMode.ts

@@ -1,7 +1,7 @@
 import { useEffect, useState } from "react";
 import { Status as AuthStatus, useAuthContext } from "../components/Contexts/AuthContext";
 import { Status as FormStatus, useFormContext } from "../components/Contexts/FormContext";
-import { FormMode, FormModes, getFormMode } from "../utils";
+import { FormMode, FormModes, getFormMode, Logger } from "../utils";
 
 const useFormMode = () => {
   const { user, status: authStatus } = useAuthContext();
@@ -15,10 +15,15 @@ const useFormMode = () => {
     }
 
     const updatedFormMode: FormMode = getFormMode(user, data);
+    if (updatedFormMode === FormModes.UNAUTHORIZED) {
+      Logger.error("useFormMode: User is unauthorized to view this Submission Request.", {
+        user,
+        data,
+      });
+    }
+
     setFormMode(updatedFormMode);
-    setReadOnlyInputs(
-      updatedFormMode === FormModes.VIEW_ONLY || updatedFormMode === FormModes.REVIEW
-    );
+    setReadOnlyInputs(updatedFormMode !== FormModes.EDIT);
   }, [user, data]);
 
   return { formMode, readOnlyInputs };

src/utils/formModeUtils.test.ts

@@ -297,10 +297,14 @@ describe("getFormMode tests based on provided requirements", () => {
         expect(utils.getFormMode(null, null)).toBe(utils.FormModes.UNAUTHORIZED);
       });
 
-      it("should set Unauthorized form if user does not have the required permissions", () => {
+      it("should set Unauthorized form if user does not have the required permissions and is not submission owner", () => {
         const user: User = { ...baseUser, role: undefined, permissions: [] };
+        const submission: Application = {
+          ...baseSubmission,
+          applicant: { ...baseSubmission.applicant, applicantID: "some-other-user" },
+        };
 
-        expect(utils.getFormMode(user, baseSubmission)).toBe(utils.FormModes.UNAUTHORIZED);
+        expect(utils.getFormMode(user, submission)).toBe(utils.FormModes.UNAUTHORIZED);
       });
 
       it("should set 'View Only' if form status is unknown or not defined", () => {

src/utils/formModeUtils.ts

@@ -23,14 +23,13 @@ export const getFormMode = (user: User, data: Application): FormMode => {
   if (!data) {
     return FormModes.UNAUTHORIZED;
   }
-  if (
-    !hasPermission(user, "submission_request", "view") &&
-    user?._id !== data.applicant?.applicantID
-  ) {
+  const isFormOwner = user?._id === data.applicant?.applicantID;
+  if (!hasPermission(user, "submission_request", "view") && !isFormOwner) {
     return FormModes.UNAUTHORIZED;
   }
 
   if (
+    !isFormOwner &&
     !hasPermission(user, "submission_request", "view") &&
     !hasPermission(user, "submission_request", "create") &&
     !hasPermission(user, "submission_request", "review")
@@ -45,7 +44,12 @@ export const getFormMode = (user: User, data: Application): FormMode => {
     return FormModes.REVIEW;
   }
 
-  if (hasPermission(user, "submission_request", "create") && EditStatuses.includes(data?.status)) {
+  // User is only allowed to edit their own Submission Request
+  if (
+    isFormOwner &&
+    hasPermission(user, "submission_request", "create") &&
+    EditStatuses.includes(data?.status)
+  ) {
     return FormModes.EDIT;
   }