From f46e879784b5d1bdd4f3f457fd076621fd1d3c74 Mon Sep 17 00:00:00 2001
From: Steve Laing
Date: Thu, 11 Apr 2024 09:56:47 +0100
Subject: [PATCH] Restrict certificates route to Grover middleware

Grover turns the html output of the certificates#show action into a PDF response, but we don't want to expose HTML format as a valid response. So limit the route to Grover middleware requests.
---
 Gemfile.lock | 3 +--
 .../qualifications/certificates_controller.rb | 4 ++++
 app/views/qualifications/certificates/_npq.html.erb | 12 ++++++++++++
 config/routes/aytq.rb | 4 +++-
 4 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 app/views/qualifications/certificates/_npq.html.erb

diff --git a/Gemfile.lock b/Gemfile.lock
index 8c4e5ce2..13f31243 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -151,11 +151,10 @@ GEM
 cgi (0.4.1)
 childprocess (5.0.0)
 coderay (1.1.3)
- concurrent-ruby (1.3.4)
- concurrent-ruby (1.3.3)
 combine_pdf (1.0.26)
 matrix
 ruby-rc4 (>= 0.1.5)
+ concurrent-ruby (1.3.4)
 connection_pool (2.4.1)
 console1984 (0.2.1)
 irb (~> 1.13)
diff --git a/app/controllers/qualifications/certificates_controller.rb b/app/controllers/qualifications/certificates_controller.rb
index b812a389..aba4842c 100644
--- a/app/controllers/qualifications/certificates_controller.rb
+++ b/app/controllers/qualifications/certificates_controller.rb
@@ -31,6 +31,10 @@ def render_certificate?
 teacher.passed_induction?
 when :qts
 teacher.qts_awarded?
+ when :eyts
+ teacher.eyts_awarded?
+ when :npq
+ teacher.npq.present
 else
 qualification.awarded_at.present?
 end
diff --git a/app/views/qualifications/certificates/_npq.html.erb b/app/views/qualifications/certificates/_npq.html.erb
new file mode 100644
index 00000000..097f2edc
--- /dev/null
+++ b/app/views/qualifications/certificates/_npq.html.erb
@@ -0,0 +1,12 @@
+Department for Education + +
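Review bot: In the added `when :npq` branch of `render_certificate?` (certificates_controller.rb), `teacher.npq.present` is missing the trailing `?`, so unless the object returned by `npq` happens to define `present` the call raises NoMethodError and NPQ certificate requests fail with an error rather than being gated. It should read `teacher.npq.present?`, as `qualification.awarded_at.present?` does in the `else` branch. The other branches test an awarded state (`qts_awarded?`, `eyts_awarded?`) while this one tests only that an NPQ record exists; if a record can exist before the award is made, the check should use the award date instead, which is worth confirming against the model. The `case` statement opens above the hunk, so the qualification types handled before `:qts` are not visible here.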
+ +

This is to certify that: <%= teacher.name %>

+

 

+

has been awarded the

+

 

+

<%= qualification.name %>

+

 

+

Any potential employer can independently confirm your teacher status online at:
https://teacherservices.education.gov.uk

+
diff --git a/config/routes/aytq.rb b/config/routes/aytq.rb index 65da0187..c5db669e 100644 --- a/config/routes/aytq.rb +++ b/config/routes/aytq.rb @@ -16,7 +16,9 @@ resource :start, only: [:show] - resources :certificates, only: [:show] + resources :certificates, only: [:show], + constraints: ->(req) { req.env["Rack-Middleware-Grover"] == "true" } + resource :identity_user, only: [:show] resource :one_login_user, only: [:show], path: "one-login-user" do resources :name_changes,
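Review bot: The constraint added to `resources :certificates` depends on the Rack env key `"Rack-Middleware-Grover"`, which is presumably set by Grover's middleware on the inner HTML request, and the line carries no comment explaining that or why it is safe to trust. I would add one, for example `# Set in the Rack env by Grover's middleware; client headers arrive as HTTP_* keys, so a request header cannot set it. Read it via req.env, not req.headers.` That last part matters because a later refactor to `req.headers[...]` would, as far as I know, resolve to the client-controlled `HTTP_RACK_MIDDLEWARE_GROVER` key. A request spec asserting that the HTML format of a certificate path is not routable while the PDF path still renders would also catch a gem upgrade that changes the key. The surrounding routes block starts and ends outside the hunk.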