Hiring staff jobs filter (#8505)

## Trello card URL


https://trello.com/c/F6AbcA2w/2567-update-filter-bar-for-la-mat-users-for-job-listing-management

## Changes in this PR:

This PR adds:

- ability for hiring staff to filter their jobs by job role
- changes link to publisher preferences page to a green button
- adds hint text to schools filter
- adds search functionality to filter options
- fixes potential security issue which could allow hiring staff at one
organisations to see another organisations jobs

## Screenshots of UI changes:

### Before

### After


## Checklists:

### Data & Schema Changes

If this PR modifies data structures or validations, check the following:

- [ ] Adds/removes model validations
- [ ] Adds/removes database fields
- [ ] Modifies Vacancy enumerables (phases, working patterns, job roles,
key stages, etc.)

<details>
<summary>If any of the above options has changed then the author must
check/resolve all of the following...</summary>

### Integration Impact

Does this change affect any of these integrations?
- [ ] DfE Analytics platform
- [ ] Legacy imports mappings
- [ ] DWP Find a Job export mappings
- [ ] Publisher ATS API (may require mapping updates or API versioning)

### User Experience & Data Integrity

Could this change impact:
- [ ] Existing subscription alerts (will legacy subscription search
filters break?)
- [ ] Legacy vacancy copying (will copied vacancies fail new
validations?)
- [ ] In-progress drafts for Vacancies or Job Applications
</details>

Author: KyleMacPherson

app/components/dashboard_component.rb

@@ -3,7 +3,7 @@ class DashboardComponent < ApplicationComponent
   include VacanciesHelper
 
   # rubocop:disable Metrics/ParameterLists
-  def initialize(organisation:, sort:, selected_type:, publisher_preference:, vacancies:, count:, vacancy_types:, filter_form:, selected_organisation_ids: [])
+  def initialize(organisation:, sort:, selected_type:, publisher_preference:, vacancies:, count:, vacancy_types:, filter_form:, selected_organisation_ids: [], selected_job_roles: [])
     # rubocop:enable Metrics/ParameterLists
     super(classes: [], html_attributes: {})
     @organisation = organisation
@@ -13,10 +13,12 @@ def initialize(organisation:, sort:, selected_type:, publisher_preference:, vaca
     @vacancy_types = vacancy_types
     @selected_type = selected_type
     @selected_organisation_ids = selected_organisation_ids
+    @selected_job_roles = selected_job_roles
     @filter_form = filter_form
 
     @vacancies = vacancies
     set_organisation_options if @organisation.school_group?
+    set_job_role_options
     @count = count
   end
 
@@ -25,7 +27,8 @@ def grid_column_class
   end
 
   def no_jobs_text
-    t("jobs.manage.#{selected_type}.no_jobs.#{@selected_organisation_ids.any? ? 'with' : 'no'}_filters")
+    has_filters = @selected_organisation_ids.any? || @selected_job_roles.any?
+    t("jobs.manage.#{selected_type}.no_jobs.#{has_filters ? 'with' : 'no'}_filters")
   end
 
   def view_applicants(vacancy, job_applications_count)
@@ -37,7 +40,7 @@ def view_applicants(vacancy, job_applications_count)
 
   private
 
-  attr_reader :publisher_preference, :organisation, :selected_type, :sort, :vacancies, :selected_organisation_ids
+  attr_reader :publisher_preference, :organisation, :selected_type, :sort, :vacancies, :selected_organisation_ids, :selected_job_roles
 
   def set_organisation_options
     schools = organisation.local_authority? ? publisher_preference.schools : organisation.schools
@@ -54,6 +57,18 @@ def set_organisation_options
     )
   end
 
+  def set_job_role_options
+    teaching_roles = Vacancy::TEACHING_JOB_ROLES.map do |role|
+      Option.new(id: role, name: role, label: I18n.t("helpers.label.publishers_job_listing_job_role_form.teaching_job_role_options.#{role}"))
+    end
+
+    support_roles = Vacancy::SUPPORT_JOB_ROLES.map do |role|
+      Option.new(id: role, name: role, label: I18n.t("helpers.label.publishers_job_listing_job_role_form.support_job_role_options.#{role}"))
+    end
+
+    @job_role_options = teaching_roles + support_roles
+  end
+
   def default_classes
     %w[dashboard-component]
   end

app/components/dashboard_component/dashboard_component.html.slim

@@ -30,26 +30,43 @@
     - if @organisation.school_group?
       .govuk-grid-column-one-third-at-desktop class="govuk-!-margin-bottom-4"
         - if @organisation.local_authority?
-          = govuk_link_to t("jobs.dashboard.add_or_remove_schools"), edit_publishers_publisher_preference_path(@publisher_preference), class: "govuk-link--no-visited-state"
+          = govuk_button_link_to t("jobs.dashboard.add_or_remove_schools"), edit_publishers_publisher_preference_path(@publisher_preference)
 
         div class="govuk-!-margin-top-2"
           = form_for @filter_form, as: "", url: organisation_jobs_with_type_path(type: @selected_type), method: :get, html: { data: { controller: "form", "hide-submit": true } } do |f|
             = filters(submit_button: f.govuk_submit(t("buttons.apply_filters")),
-                      filters: { total_count: @selected_organisation_ids.size },
+                      filters: { total_count: @selected_organisation_ids.size + @selected_job_roles.size },
                       clear_filters_link: { text: t("shared.filter_group.clear_all_filters"), url: organisation_jobs_with_type_path(type: @selected_type) },
                       options: { remove_filter_links: true },
                       html_attributes: { tabindex: "-1" }) do |filters_component|
-                        - if @selected_organisation_ids.any?
+                        - if @selected_organisation_ids.any? || @selected_job_roles.any?
                           - filters_component.with_remove_filter_links do |rb|
-                            - rb.with_group(key: "organisation_ids",
-                                       selected: @selected_organisation_ids,
-                                       options: @organisation_options,
-                                       value_method: :id,
-                                       selected_method: :name,
-                                       remove_filter_link: { url_helper: :organisation_jobs_with_type_path, params: { "type" => @selected_type, "organisation_ids" => @selected_organisation_ids } })
+                            - if @selected_organisation_ids.any?
+                              - rb.with_group(key: "organisation_ids",
+                                         selected: @selected_organisation_ids,
+                                         options: @organisation_options,
+                                         value_method: :id,
+                                         selected_method: :name,
+                                         remove_filter_link: { url_helper: :organisation_jobs_with_type_path, params: { "type" => @selected_type, "organisation_ids" => @selected_organisation_ids, "job_roles" => @selected_job_roles } })
+                            - if @selected_job_roles.any?
+                              - rb.with_group(key: "job_roles",
+                                         selected: @selected_job_roles,
+                                         options: @job_role_options,
+                                         value_method: :id,
+                                         selected_method: :label,
+                                         remove_filter_link: { url_helper: :organisation_jobs_with_type_path, params: { "type" => @selected_type, "organisation_ids" => @selected_organisation_ids, "job_roles" => @selected_job_roles } })
 
                         - filters_component.with_group key: "locations",
-                          component: f.govuk_collection_check_boxes(:organisation_ids, @organisation_options, :id, :label, small: true, legend: { text: "Locations", tag: "h2" }, hint: nil, form_group: { data: { action: "change->form#submitListener" } })
+                          component: searchable_collection(collection: f.govuk_collection_check_boxes(:organisation_ids, @organisation_options, :id, :label, small: true, legend: { text: "Locations", tag: "h2" }, hint: (@organisation.local_authority? ? { text: t("jobs.dashboard.location_filter_hint") } : nil), form_group: { data: { action: "change->form#submitListener" } }),
+                            collection_count: @organisation_options.count,
+                            options: { scrollable: true },
+                            text: { aria_label: "Locations", placeholder: t("helpers.hint.publishers_vacancy_filter_form.organisation_ids_placeholder") })
+
+                        - filters_component.with_group key: "job_roles",
+                          component: searchable_collection(collection: f.govuk_collection_check_boxes(:job_roles, @job_role_options, :id, :label, small: true, legend: { text: "Job roles", tag: "h2" }, hint: nil, form_group: { data: { action: "change->form#submitListener" } }),
+                            collection_count: @job_role_options.count,
+                            options: { scrollable: true },
+                            text: { aria_label: "Job roles", placeholder: t("helpers.hint.publishers_vacancy_filter_form.job_roles_placeholder") })
 
         .help-guide--desktop class="govuk-!-margin-top-4"
           h2.govuk-heading-m = t("jobs.dashboard.how_to_accept_job_applications_guide.title")

app/controllers/publishers/vacancies_controller.rb

@@ -27,33 +27,20 @@ def show
       awaiting_feedback: :awaiting_feedback_recently_expired,
     }.freeze
 
-  # rubocop:disable Metrics/AbcSize
   def index
     @selected_type = (params[:type] || :live).to_sym
     @sort = Publishers::VacancySort.new(current_organisation, @selected_type).update(sort_by: params[:sort_by])
-    scope = if @selected_type == :draft
-              DraftVacancy.kept.where.not(job_title: nil)
-            else
-              PublishedVacancy.kept.public_send(VACANCY_TYPES.fetch(@selected_type))
-            end
-
-    accessible_org_ids = current_publisher.accessible_organisations(current_organisation).map(&:id)
 
-    # Apply organisation filter from URL params if present, otherwise show all accessible
-    @selected_organisation_ids = params[:organisation_ids]&.reject(&:blank?) || []
-    org_ids_to_filter = @selected_organisation_ids.any? ? @selected_organisation_ids : accessible_org_ids
-
-    vacancies = scope
-                  .in_organisation_ids(org_ids_to_filter)
-                  .order(@sort.by => @sort.order)
+    vacancies = apply_vacancy_filters
 
     @pagy, @vacancies = pagy(vacancies)
     @count = vacancies.count
-
     @vacancy_types = VACANCY_TYPES.keys
-    @filter_form = Publishers::VacancyFilterForm.new(organisation_ids: @selected_organisation_ids)
+    @filter_form = Publishers::VacancyFilterForm.new(
+      organisation_ids: @selected_organisation_ids,
+      job_roles: @selected_job_roles,
+    )
   end
-  # rubocop:enable Metrics/AbcSize
 
   # We don't save anything here - just redirect to the show page
   def save_and_finish_later
@@ -119,6 +106,30 @@ def show_application_feature_reminder_page?
     ).none?
   end
 
+  def apply_vacancy_filters
+    scope = if @selected_type == :draft
+              DraftVacancy.kept.where.not(job_title: nil)
+            else
+              PublishedVacancy.kept.public_send(VACANCY_TYPES.fetch(@selected_type))
+            end
+
+    accessible_org_ids = current_publisher.accessible_organisations(current_organisation).map(&:id)
+
+    # Only allow filtering by organisations the user has access to
+    requested_org_ids = params[:organisation_ids]&.reject(&:blank?) || []
+    @selected_organisation_ids = requested_org_ids & accessible_org_ids.map(&:to_s)
+    org_ids_to_filter = @selected_organisation_ids.any? ? @selected_organisation_ids : accessible_org_ids
+
+    vacancies = scope
+                  .in_organisation_ids(org_ids_to_filter)
+                  .order(@sort.by => @sort.order)
+
+    @selected_job_roles = params[:job_roles]&.reject(&:blank?) || []
+    vacancies = vacancies.with_any_of_job_roles(@selected_job_roles) if @selected_job_roles.any?
+
+    vacancies
+  end
+
   def set_publisher_preference
     if current_organisation.local_authority? # Local Authorities publisher need to set their preference for the local authority
       @publisher_preference = PublisherPreference.find_by(publisher: current_publisher, organisation: current_organisation)
@@ -151,5 +162,6 @@ def redirect_to_show_publisher_profile_incomplete
 
   def strip_empty_checkbox_params
     params[:organisation_ids]&.reject!(&:blank?)
+    params[:job_roles]&.reject!(&:blank?)
   end
 end

app/form_models/publishers/vacancy_filter_form.rb

@@ -1,15 +1,17 @@
 class Publishers::VacancyFilterForm
   include ActiveModel::Model
 
-  attr_accessor :organisation_ids
+  attr_accessor :organisation_ids, :job_roles
 
-  def initialize(params = {})
-    @organisation_ids = params[:organisation_ids] || []
+  def initialize(organisation_ids: [], job_roles: [])
+    @organisation_ids = organisation_ids
+    @job_roles = job_roles
   end
 
   def to_hash
     {
       organisation_ids: @organisation_ids,
+      job_roles: @job_roles,
     }.compact_blank!
   end
 end

app/views/publishers/vacancies/index.html.slim

@@ -10,6 +10,7 @@
             vacancies: @vacancies, count: @count,
             vacancy_types: @vacancy_types,
             selected_organisation_ids: @selected_organisation_ids,
+            selected_job_roles: @selected_job_roles,
             filter_form: @filter_form)
 
 = govuk_pagination(pagy: @pagy)

config/locales/forms.yml

@@ -257,6 +257,9 @@ en:
         edit_schools_html: "Can't see the school you are looking for? %{link}"
       publishers_job_listing_subjects_form:
         subjects_placeholder: Search
+      publishers_vacancy_filter_form:
+        organisation_ids_placeholder: Search locations
+        job_roles_placeholder: Search job roles
       publishers_job_listing_job_title_form:
         job_title:
           education_support: For example ‘Learning support assistant’

config/locales/jobs.yml

@@ -9,6 +9,7 @@ en:
 
     dashboard:
       add_or_remove_schools: Add or remove schools
+      location_filter_hint: You can add or remove schools that are in this list
       awaiting_feedback:
         tab_heading: Jobs awaiting feedback
         with_count: Awaiting feedback (%{count})

spec/components/dashboard_component_spec.rb

@@ -7,14 +7,16 @@
   let(:publisher_preference) { create(:publisher_preference, publisher: publisher, organisation: organisation) }
 
   let(:selected_organisation_ids) { [] }
-  let(:filter_form) { Publishers::VacancyFilterForm.new(organisation_ids: selected_organisation_ids) }
+  let(:selected_job_roles) { [] }
+  let(:filter_form) { Publishers::VacancyFilterForm.new(organisation_ids: selected_organisation_ids, job_roles: selected_job_roles) }
 
   subject do
     described_class.new(
       organisation: organisation, sort: sort, selected_type: selected_type,
       publisher_preference: publisher_preference, vacancies: vacancies,
       count: vacancies.count, vacancy_types: %i[live draft pending expired awaiting_feedback],
       selected_organisation_ids: selected_organisation_ids,
+      selected_job_roles: selected_job_roles,
       filter_form: filter_form
     )
   end

spec/form_models/publishers/vacancy_filter_form_spec.rb

@@ -7,20 +7,30 @@
       expect(form.organisation_ids).to eq(%w[123 456])
     end
 
+    it "sets job_roles from params" do
+      form = described_class.new(job_roles: %w[teacher headteacher])
+      expect(form.job_roles).to eq(%w[teacher headteacher])
+    end
+
     it "defaults organisation_ids to empty array when not provided" do
       form = described_class.new
       expect(form.organisation_ids).to eq([])
     end
+
+    it "defaults job_roles to empty array when not provided" do
+      form = described_class.new
+      expect(form.job_roles).to eq([])
+    end
   end
 
   describe "#to_hash" do
-    it "returns hash with organisation_ids" do
-      form = described_class.new(organisation_ids: %w[123 456])
-      expect(form.to_hash).to eq({ organisation_ids: %w[123 456] })
+    it "returns hash with both filters" do
+      form = described_class.new(organisation_ids: %w[123 456], job_roles: %w[teacher headteacher])
+      expect(form.to_hash).to eq({ organisation_ids: %w[123 456], job_roles: %w[teacher headteacher] })
     end
 
     it "removes blank values from hash" do
-      form = described_class.new(organisation_ids: [])
+      form = described_class.new(organisation_ids: [], job_roles: [])
       expect(form.to_hash).to eq({})
     end
   end

spec/system/publishers/publishers_can_filter_vacancies_in_their_dashboard_spec.rb

@@ -147,4 +147,38 @@
       expect(page).to_not have_content(school2_draft_vacancy.job_title)
     end
   end
+
+  context "when attempting to access unauthorised organisations via URL params" do
+    let(:organisation) { trust }
+    let(:unauthorised_school) { create(:school, name: "Unauthorised School") }
+    let!(:unauthorised_vacancy) { create(:vacancy, organisations: [unauthorised_school], job_title: "Unauthorised Job") }
+
+    scenario "it prevents access to vacancies from unauthorised organisations" do
+      visit organisation_jobs_with_type_path(organisation_ids: [school1.id, unauthorised_school.id])
+
+      # Should see the authorized school's vacancy
+      expect(page).to have_content(school1_vacancy.job_title)
+
+      # Should NOT see the unauthorised school's vacancy
+      expect(page).to_not have_content(unauthorised_vacancy.job_title)
+
+      expect(page).to have_css(".filters-component__remove-tags__tag", count: 1)
+      expect(page).to have_content("Happy Rainbows School")
+      expect(page).to_not have_content("Unauthorised School")
+    end
+  end
+
+  context "when filtering by job roles" do
+    let(:organisation) { trust }
+    let!(:teacher_vacancy) { create(:vacancy, job_roles: %w[teacher], organisations: [trust], job_title: "Teacher Position") }
+    let!(:headteacher_vacancy) { create(:vacancy, job_roles: %w[headteacher], organisations: [trust], job_title: "Headteacher Position") }
+
+    scenario "it filters vacancies by selected job role" do
+      visit organisation_jobs_with_type_path(job_roles: %w[teacher])
+
+      expect(page).to have_content(teacher_vacancy.job_title)
+      expect(page).to_not have_content(headteacher_vacancy.job_title)
+      expect(page).to have_css(".filters-component__remove-tags__tag", count: 1)
+    end
+  end
 end