npm - @ministryofjustice/hmpps-prison-permissions-lib - Versions diffs - 0.2.1 → 0.3.0 - Mend

@ministryofjustice/hmpps-prison-permissions-lib 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,36 @@
 Please use this to capture reasoning behind changes:
+## 0.3.0
+Official release for updates to the Case Notes and Religion permissions.
+**Case Notes Permissions:**
+Previously if a user had both the `POM` and `GLOBAL_SEARCH` roles they would be able read/write case notes any prisoner. The case notes permissions have now been updated so that users with both the `POM` and `GLOBAL_SEARCH` roles will only be able to read/write a prisoner's case notes if the prisoner has been in the users establishment within the last 30 days.
+The permissions check requires additional data to be passed in via the `Prisoner` which now expects the `previousPrisonId` and `previousPrisonLeavingDate` fields to be present. This data has been added to the prisoner search API so clients using the permissions library will need to ensure the following fields are present in the `Prisoner` interface.
+```
+export default interface Prisoner {
+  prisonerNumber: string
+  prisonId?: string
+  restrictedPatient: boolean
+  supportingPrisonId?: string
+  previousPrisonId?: string
+  previousPrisonLeavingDate?: string
+}
+```
+**Religion and Belief Permissions:**
+The permissions check for `PersonProtectedCharacteristicsPermission.read_religion_and_belief` updated to only allow read access to a
+prisoner's religion data to users who are part of the prisoner's caseload.
+## 0.3.0-alpha.1
+Alpha release to test changes to the case notes and religion permissions.
 ## 0.2.0
 Incident response. We are introducing an additional role enabling staff to upload photos via DPS.

package/README.md CHANGED Viewed

@@ -149,6 +149,8 @@ setupNunjucksPermissions(njkEnv)
 {% endif %}
 ```
+To mock permissions in your tests, follow [these instructions](readme/mocking.md).
 ## For library developers:
 1. [Publishing to NPM](readme/publishing.md)

package/dist/contractTests/prisonerProfile/scenarios/domains/person/caseNotes/CaseNotesReadAndEditScenarios.d.ts CHANGED Viewed

@@ -1,2 +1,6 @@
 import { TestScenarios } from '../../../../../../testUtils/TestScenario';
+export declare const deniedCaseNotesReadAndEditScenarios: TestScenarios;
+export declare const grantedCaseNotesReadAndEditAfterTransferScenarios: TestScenarios;
+export declare const grantedCaseNotesReadAndEditTransferringPrisonerScenarios: TestScenarios;
+export declare const grantedCaseNotesReadAndEditScenarios: TestScenarios;
 export declare const caseNotesReadAndEditScenarios: TestScenarios;

package/dist/contractTests/prisonerProfile/scenarios/domains/person/caseNotes/SensitiveCaseNotesBaseScenarios.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import { TestScenarios } from '../../../../../../testUtils/TestScenario';
+import { Role } from '../../../../../../types/internal/user/Role';
+export declare function deniedSensitiveCaseNotesBaseScenarios(allPermissiveRoles: Role[]): TestScenarios;

package/dist/contractTests/prisonerProfile/scenarios/domains/person/caseNotes/SensitiveCaseNotesDeleteScenarios.d.ts CHANGED Viewed

@@ -1 +1,2 @@
-export declare const sensitiveCaseNotesDeleteScenarios: import("../../../../../../testUtils/TestScenario").TestScenarios;
+import { TestScenarios } from '../../../../../../testUtils/TestScenario';
+export declare const sensitiveCaseNotesDeleteScenarios: TestScenarios;

package/dist/data/hmppsPrisonerSearch/interfaces/Prisoner.d.ts CHANGED Viewed

@@ -3,4 +3,6 @@ export default interface Prisoner {
     prisonId?: string;
     restrictedPatient: boolean;
     supportingPrisonId?: string;
+    previousPrisonId?: string;
+    previousPrisonLeavingDate?: string;
 }

package/dist/index.cjs CHANGED Viewed

@@ -521,6 +521,14 @@ exports.CaseNotesPermission = void 0;
     CaseNotesPermission["edit_sensitive"] = "prisoner:case-notes:sensitive:edit";
 })(exports.CaseNotesPermission || (exports.CaseNotesPermission = {}));
+function daysToMilliseconds(days) {
+    return days * 24 * 60 * 60 * 1000;
+}
+function isDateWithinBounds(dateToCheckInMs, upperDateBoundInMs, lowerDateBoundInMs) {
+    return dateToCheckInMs <= upperDateBoundInMs && lowerDateBoundInMs <= dateToCheckInMs;
+}
+const caseNotesAccessPeriodPostTransferInMs = daysToMilliseconds(30);
 function caseNotesReadAndEditCheck(permission, request) {
     const baseCheckPassed = request.baseCheckStatus === exports.PermissionCheckStatus.OK;
     const caseNotesCheckStatus = checkCaseNotesAccess(request);
@@ -530,6 +538,13 @@ function caseNotesReadAndEditCheck(permission, request) {
         logDeniedPermissionCheck(permission, request, caseNotesCheckStatus);
     return check;
 }
+function checkTimeBasedAccessToCaseNotesPostTransfer(user, prisoner, timePeriodForAccessPostTransferInMilliseconds) {
+    if (!isInUsersCaseLoad(prisoner.previousPrisonId, user) || !prisoner.previousPrisonLeavingDate)
+        return false;
+    const previousPrisonLeavingDate = Date.parse(prisoner.previousPrisonLeavingDate);
+    const today = Date.now();
+    return isDateWithinBounds(previousPrisonLeavingDate, today, today - timePeriodForAccessPostTransferInMilliseconds);
+}
 function checkCaseNotesAccess(request) {
     const { user, prisoner } = request;
     // Restricted patients follows the base check rules:
@@ -547,10 +562,13 @@ function checkCaseNotesAccess(request) {
     // Case notes are accessible if the prisoner's prison is in the user's caseload:
     if (isInUsersCaseLoad(prisoner.prisonId, user))
         return exports.PermissionCheckStatus.OK;
-    // Case notes for prisoners outside the user's caseload are only accessible with both Global Search and POM roles:
-    return userHasAllRoles([exports.Role.GlobalSearch, exports.Role.PomUser], user)
+    if (!userHasAllRoles([exports.Role.GlobalSearch, exports.Role.PomUser], user))
+        return exports.PermissionCheckStatus.ROLE_NOT_PRESENT;
+    // Case notes for prisoners outside the user's caseload are only accessible with both Global Search and POM roles if the prisoner
+    // was previously in one of the users caseloads in the 30 days:
+    return checkTimeBasedAccessToCaseNotesPostTransfer(user, prisoner, caseNotesAccessPeriodPostTransferInMs)
         ? exports.PermissionCheckStatus.OK
-        : exports.PermissionCheckStatus.ROLE_NOT_PRESENT;
+        : exports.PermissionCheckStatus.NOT_PERMITTED;
 }
 const permission$7 = exports.CaseNotesPermission.read;
@@ -558,10 +576,10 @@ function caseNotesReadCheck(request) {
     return caseNotesReadAndEditCheck(permission$7, request);
 }
-function baseCheckAndUserHasSomeRolesFrom(roles, permission, request) {
-    const { user, baseCheckStatus } = request;
-    const baseCheckPassed = baseCheckStatus === exports.PermissionCheckStatus.OK;
-    const check = baseCheckPassed && userHasSomeRolesFrom(roles, user);
+function caseNotesReadAndEditCheckAndUserHasRolesFrom(roles, permission, request) {
+    const { user } = request;
+    const baseCaseNotesCheckPassed = caseNotesReadAndEditCheck(permission, request);
+    const check = baseCaseNotesCheckPassed && userHasSomeRolesFrom(roles, user);
     if (!check)
         logDeniedPermissionCheck(permission, request, exports.PermissionCheckStatus.ROLE_NOT_PRESENT);
     return check;
@@ -569,17 +587,17 @@ function baseCheckAndUserHasSomeRolesFrom(roles, permission, request) {
 const permission$6 = exports.CaseNotesPermission.read_sensitive;
 function sensitiveCaseNotesReadCheck(request) {
-    return baseCheckAndUserHasSomeRolesFrom([exports.Role.PomUser, exports.Role.ViewSensitiveCaseNotes, exports.Role.AddSensitiveCaseNotes], permission$6, request);
+    return caseNotesReadAndEditCheckAndUserHasRolesFrom([exports.Role.PomUser, exports.Role.ViewSensitiveCaseNotes, exports.Role.AddSensitiveCaseNotes], permission$6, request);
 }
 const permission$5 = exports.CaseNotesPermission.delete_sensitive;
 function sensitiveCaseNotesDeleteCheck(request) {
-    return baseCheckAndUserHasRole(exports.Role.DeleteSensitiveCaseNotes, permission$5, request);
+    return caseNotesReadAndEditCheckAndUserHasRolesFrom([exports.Role.DeleteSensitiveCaseNotes], permission$5, request);
 }
 const permission$4 = exports.CaseNotesPermission.edit_sensitive;
 function sensitiveCaseNotesEditCheck(request) {
-    return baseCheckAndUserHasSomeRolesFrom([exports.Role.PomUser, exports.Role.AddSensitiveCaseNotes], permission$4, request);
+    return caseNotesReadAndEditCheckAndUserHasRolesFrom([exports.Role.PomUser, exports.Role.AddSensitiveCaseNotes], permission$4, request);
 }
 const permission$3 = exports.CaseNotesPermission.edit;
@@ -735,7 +753,7 @@ function personProtectedCharacteristicsCheck(request) {
     return {
         ...readCheck$3(exports.PersonProtectedCharacteristicsPermission.read_sexual_orientation, request),
         ...sensitiveEditCheck$1(exports.PersonProtectedCharacteristicsPermission.edit_sexual_orientation, request),
-        ...readCheck$3(exports.PersonProtectedCharacteristicsPermission.read_religion_and_belief, request),
+        [exports.PersonProtectedCharacteristicsPermission.read_religion_and_belief]: inUsersCaseLoad(exports.PersonProtectedCharacteristicsPermission.read_religion_and_belief, request),
         ...editCheck$3(exports.PersonProtectedCharacteristicsPermission.edit_religion_and_belief, request),
         ...readCheck$3(exports.PersonProtectedCharacteristicsPermission.read_ethnicity, request),
         ...sensitiveEditCheck$1(exports.PersonProtectedCharacteristicsPermission.edit_ethnicity, request),
@@ -850,6 +868,15 @@ function personCheck(request) {
     };
 }
+function baseCheckAndUserHasSomeRolesFrom(roles, permission, request) {
+    const { user, baseCheckStatus } = request;
+    const baseCheckPassed = baseCheckStatus === exports.PermissionCheckStatus.OK;
+    const check = baseCheckPassed && userHasSomeRolesFrom(roles, user);
+    if (!check)
+        logDeniedPermissionCheck(permission, request, exports.PermissionCheckStatus.ROLE_NOT_PRESENT);
+    return check;
+}
 exports.PathfinderPermission = void 0;
 (function (PathfinderPermission) {
     PathfinderPermission["read"] = "prisoner:pathfinder:read";