@ministryofjustice/hmpps-prison-permissions-lib 1.1.2 → 2.0.1

package/CHANGELOG.md

@@ -2,6 +2,19 @@
 
 Please use this to capture reasoning behind changes:
 
+# 2.0.1
+Fixes incorrect usage of `previousPrisonId` and `previousPrisonLeavingDate` when checking contacts read permissions. These are only used in the context of transfers, not releases. The correct ones now in use are `lastPrisonId` and `releaseDate`.
+
+# 2.0.0
+Replaced contacts read permissions check with one that handles released prisoners differently. Checks for current prisoners are unaffected.
+
+To be permitted to read contacts for released prisoners:
+- the user's roles must include `InactiveBookings` and one or both of the following: `ContactsAdministrator, ContactsAuthoriser`
+- the prisoner must have been released within the last 3 years (`PermissionCheckStatus.EXCEEDS_TIME_RESTRICTION`)
+- the previous prison of the prisoner must match the user's caseload
+
+These changes were requested by the contacts team after noticing the 'External Contacts' widget was not showing on the prisoner profiles of released prisoners. This was due to a caseload mismatch, as the assigned caseload for released prisoners is 'OUT'.
+
 ## 1.1.2
 
 Moved `@ministryofjustice/hmpps-npm-script-allowlist` to be a `dev` dependency as it’s used when working on this package

package/dist/contractTests/contactsUi/scenarios/contactsReadCheckScenarios.d.ts

@@ -0,0 +1,4 @@
+import { TestScenarios } from '../../../testUtils/TestScenario';
+export declare const deniedContactsReadScenarios: TestScenarios;
+export declare const grantedContactsReadScenarios: TestScenarios;
+export declare const contactsReadCheckScenarios: TestScenarios;

package/dist/contractTests/prisonerProfile/scenarios/shared/contactsReadCheckScenarios.d.ts

@@ -0,0 +1,4 @@
+import { TestScenarios } from '../../../../testUtils/TestScenario';
+export declare const deniedContactsReadScenarios: TestScenarios;
+export declare const grantedContactsReadScenarios: TestScenarios;
+export declare const contactsReadCheckScenarios: TestScenarios;

package/dist/data/hmppsPrisonerSearch/interfaces/Prisoner.d.ts

@@ -5,4 +5,6 @@ export default interface Prisoner {
     supportingPrisonId?: string;
     previousPrisonId?: string;
     previousPrisonLeavingDate?: string;
+    lastPrisonId?: string;
+    releaseDate?: string;
 }

package/dist/index.cjs

@@ -11,6 +11,7 @@ exports.PermissionCheckStatus = void 0;
     PermissionCheckStatus["RESTRICTED_PATIENT"] = "RESTRICTED_PATIENT";
     PermissionCheckStatus["PRISONER_IS_RELEASED"] = "PRISONER_IS_RELEASED";
     PermissionCheckStatus["PRISONER_IS_TRANSFERRING"] = "PRISONER_IS_TRANSFERRING";
+    PermissionCheckStatus["EXCEEDS_TIME_RESTRICTION"] = "EXCEEDS_TIME_RESTRICTION";
     PermissionCheckStatus["ROLE_NOT_PRESENT"] = "ROLE_NOT_PRESENT";
     PermissionCheckStatus["NOT_PRISON_USER"] = "NOT_PRISON_USER";
     PermissionCheckStatus["OK"] = "OK";
@@ -119,6 +120,11 @@ const isReleased = (prisoner) => {
 const isTransferring = (prisoner) => {
     return !!prisoner?.prisonId && ['TRN'].includes(prisoner.prisonId);
 };
+const wasReleasedWithinThreeYears = (prisoner) => {
+    return (isReleased(prisoner) &&
+        !!prisoner.releaseDate &&
+        Date.parse(prisoner.releaseDate) > Date.now() - 3 * 365 * 24 * 60 * 60 * 1000);
+};
 function userHasSomeRolesFrom(rolesToCheck, user) {
     return (rolesToCheck.length === 0 ||
         rolesToCheck.map(normaliseRoleText).some(role => user.userRoles.map(normaliseRoleText).includes(role)));
@@ -745,6 +751,21 @@ const inUsersCaseLoadAndUserHasSomeRolesFrom = (roles) => matchBaseCheckAnd({
 
 const inUsersCaseLoadAndUserHasRole = (role) => inUsersCaseLoadAndUserHasSomeRolesFrom([role]);
 
+const contactsReadCheck = matchBaseCheckAnd({
+    overridingCondition: (user, prisoner) => {
+        if (isReleased(prisoner)) {
+            if (!userHasSomeRolesFrom([exports.Role.ContactsAdministrator, exports.Role.ContactsAuthoriser], user))
+                return exports.PermissionCheckStatus.ROLE_NOT_PRESENT;
+            if (!wasReleasedWithinThreeYears(prisoner))
+                return exports.PermissionCheckStatus.EXCEEDS_TIME_RESTRICTION;
+            if (!isInUsersCaseLoad(prisoner.lastPrisonId, user))
+                return exports.PermissionCheckStatus.NOT_IN_CASELOAD;
+            return exports.PermissionCheckStatus.OK;
+        }
+        return isInUsersCaseLoad(prisoner.prisonId, user) ? exports.PermissionCheckStatus.OK : exports.PermissionCheckStatus.NOT_IN_CASELOAD;
+    },
+});
+
 function personalRelationshipsCheck(context) {
     const check = checkWith(context);
     return {
@@ -754,7 +775,7 @@ function personalRelationshipsCheck(context) {
         ...check(exports.PersonalRelationshipsPermission.edit_domestic_status, prisonerProfileEditCheck),
         ...check(exports.PersonalRelationshipsPermission.read_emergency_contacts, baseCheck),
         ...check(exports.PersonalRelationshipsPermission.edit_emergency_contacts, prisonerProfileSensitiveEditCheck),
-        ...check(exports.PersonalRelationshipsPermission.read_contacts, inUsersCaseLoad),
+        ...check(exports.PersonalRelationshipsPermission.read_contacts, contactsReadCheck),
         ...check(exports.PersonalRelationshipsPermission.edit_contacts, inUsersCaseLoadAndUserHasSomeRolesFrom([exports.Role.ContactsAdministrator, exports.Role.ContactsAuthoriser])),
         ...check(exports.PersonalRelationshipsPermission.edit_contact_restrictions, inUsersCaseLoadAndUserHasRole(exports.Role.ContactsAuthoriser)),
         ...check(exports.PersonalRelationshipsPermission.edit_contact_visit_approval, inUsersCaseLoadAndUserHasRole(exports.Role.ContactsAuthoriser)),