From ffb19f11632ab2d692c7721cb92e8fb6d2b6bb4f Mon Sep 17 00:00:00 2001
From: Paul McPhee <paul.mcphee@digital.justice.gov.uk>
Date: Tue, 3 Dec 2024 16:50:15 +0000
Subject: [PATCH] MAN-192: Add endpoint to check user access for list of crns

---
 .../hmpps/LaoCaseloadIntegrationTest.kt       | 43 ++++++++++++++++++-
 .../api/controller/UserAccessController.kt    | 12 ++++--
 2 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/projects/manage-supervision-and-delius/src/integrationTest/kotlin/uk/gov/justice/digital/hmpps/LaoCaseloadIntegrationTest.kt b/projects/manage-supervision-and-delius/src/integrationTest/kotlin/uk/gov/justice/digital/hmpps/LaoCaseloadIntegrationTest.kt
index beaf388719..019035815d 100644
--- a/projects/manage-supervision-and-delius/src/integrationTest/kotlin/uk/gov/justice/digital/hmpps/LaoCaseloadIntegrationTest.kt
+++ b/projects/manage-supervision-and-delius/src/integrationTest/kotlin/uk/gov/justice/digital/hmpps/LaoCaseloadIntegrationTest.kt
@@ -9,14 +9,18 @@ import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMock
 import org.springframework.boot.test.context.SpringBootTest
 import org.springframework.boot.test.context.SpringBootTest.WebEnvironment.RANDOM_PORT
 import org.springframework.test.web.servlet.MockMvc
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
 import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status
 import uk.gov.justice.digital.hmpps.api.model.user.StaffCaseload
 import uk.gov.justice.digital.hmpps.data.generator.ContactGenerator.LIMITED_ACCESS_USER
 import uk.gov.justice.digital.hmpps.data.generator.personalDetails.PersonDetailsGenerator.EXCLUSION
+import uk.gov.justice.digital.hmpps.data.generator.personalDetails.PersonDetailsGenerator.PERSONAL_DETAILS
 import uk.gov.justice.digital.hmpps.data.generator.personalDetails.PersonDetailsGenerator.RESTRICTION
 import uk.gov.justice.digital.hmpps.data.generator.personalDetails.PersonDetailsGenerator.RESTRICTION_EXCLUSION
+import uk.gov.justice.digital.hmpps.service.UserAccess
 import uk.gov.justice.digital.hmpps.test.MockMvcExtensions.contentAsJson
+import uk.gov.justice.digital.hmpps.test.MockMvcExtensions.withJson
 import uk.gov.justice.digital.hmpps.test.MockMvcExtensions.withToken
 
 @AutoConfigureMockMvc
@@ -27,7 +31,6 @@ internal class LaoCaseloadIntegrationTest {
 
     @Test
     fun `all caseload activity for an lao user`() {
-
         val person = LIMITED_ACCESS_USER
         val res = mockMvc
             .perform(get("/caseload/user/${person.username}").withToken())
@@ -65,4 +68,42 @@ internal class LaoCaseloadIntegrationTest {
         assertThat(caseload[3].limitedAccess, equalTo(false))
         assertNotEquals(caseload[3].caseName, null)
     }
+
+    @Test
+    fun `check lao access for a user with list of crns`() {
+        val person = LIMITED_ACCESS_USER
+        val crns = listOf(RESTRICTION_EXCLUSION.crn, EXCLUSION.crn, RESTRICTION.crn, PERSONAL_DETAILS.crn)
+        val res = mockMvc
+            .perform(
+                MockMvcRequestBuilders.post("/user/${person.username}/access").withToken()
+                    .withJson(crns)
+            )
+            .andExpect(status().isOk)
+            .andReturn().response.contentAsJson<UserAccess>()
+
+        val userAccess = res.access.sortedBy { it.crn }
+
+        assertThat(userAccess[0].userExcluded, equalTo(true))
+        assertThat(userAccess[0].userRestricted, equalTo(true))
+
+        assertThat(userAccess[1].userExcluded, equalTo(true))
+        assertThat(userAccess[1].userRestricted, equalTo(false))
+
+        assertThat(userAccess[2].userExcluded, equalTo(false))
+        assertThat(userAccess[2].userRestricted, equalTo(true))
+
+        assertThat(userAccess[3].userExcluded, equalTo(false))
+        assertThat(userAccess[3].userRestricted, equalTo(false))
+    }
+
+    @Test
+    fun `check lao access returns 400 when no crns are provided`() {
+        val person = LIMITED_ACCESS_USER
+        mockMvc
+            .perform(
+                MockMvcRequestBuilders.post("/user/${person.username}/access").withToken()
+                    .withJson(emptyList<String>())
+            )
+            .andExpect(status().isBadRequest)
+    }
 }
diff --git a/projects/manage-supervision-and-delius/src/main/kotlin/uk/gov/justice/digital/hmpps/api/controller/UserAccessController.kt b/projects/manage-supervision-and-delius/src/main/kotlin/uk/gov/justice/digital/hmpps/api/controller/UserAccessController.kt
index 3978f62ff5..707c27de01 100644
--- a/projects/manage-supervision-and-delius/src/main/kotlin/uk/gov/justice/digital/hmpps/api/controller/UserAccessController.kt
+++ b/projects/manage-supervision-and-delius/src/main/kotlin/uk/gov/justice/digital/hmpps/api/controller/UserAccessController.kt
@@ -1,10 +1,9 @@
 package uk.gov.justice.digital.hmpps.api.controller
 
 import io.swagger.v3.oas.annotations.tags.Tag
+import jakarta.validation.constraints.Size
 import org.springframework.security.access.prepost.PreAuthorize
-import org.springframework.web.bind.annotation.GetMapping
-import org.springframework.web.bind.annotation.PathVariable
-import org.springframework.web.bind.annotation.RestController
+import org.springframework.web.bind.annotation.*
 import uk.gov.justice.digital.hmpps.service.UserAccessService
 
 @RestController
@@ -14,4 +13,11 @@ class UserAccessController(private val userAccessService: UserAccessService) {
     @GetMapping("/user/{username}/access/{crn}")
     fun checkAccess(@PathVariable username: String, @PathVariable crn: String) =
         userAccessService.caseAccessFor(username, crn)
+
+    @PostMapping("/user/{username}/access")
+    fun checkUserAccess(
+        @PathVariable username: String,
+        @Size(min = 1, max = 500, message = "Please provide between 1 and 500 crns")
+        @RequestBody crns: List<String>
+    ) = userAccessService.userAccessFor(username, crns)
 }
\ No newline at end of file