From 7e5d5ec518e7a80f607f9b43bf7285137605ee2f Mon Sep 17 00:00:00 2001
From: adamwhitingnhs
Date: Tue, 6 Jan 2026 14:33:18 +0000
Subject: [PATCH] [PRMP-1184] Adjust DocumentStatus endpoint auth
---
 ..._george_is_bsol_gp_clinical_workflow.cy.js | 133 ++++++++++++++++++
 lambdas/services/authoriser_service.py | 4 +-
 .../unit/services/test_authoriser_service.py | 4 +-
 3 files changed, 135 insertions(+), 6 deletions(-)
 create mode 100644 app/cypress/e2e/1-ndr-smoke-tests/gp_user_workflows/upload_lloyd_george_is_bsol_gp_clinical_workflow.cy.js
diff --git a/app/cypress/e2e/1-ndr-smoke-tests/gp_user_workflows/upload_lloyd_george_is_bsol_gp_clinical_workflow.cy.js b/app/cypress/e2e/1-ndr-smoke-tests/gp_user_workflows/upload_lloyd_george_is_bsol_gp_clinical_workflow.cy.js
new file mode 100644
index 000000000..6b77b3ed4
--- /dev/null
+++ b/app/cypress/e2e/1-ndr-smoke-tests/gp_user_workflows/upload_lloyd_george_is_bsol_gp_clinical_workflow.cy.js
@@ -0,0 +1,133 @@
+import { pdsPatients } from '../../../support/patients';
+import { Roles } from '../../../support/roles';
+
+const workspace = Cypress.env('WORKSPACE');
+
+const baseUrl = Cypress.config('baseUrl');
+
+const uploadedFilePathNames = [
+ 'cypress/fixtures/lg-files/zenia_lees/1of3_Lloyd_George_Record_[Zenia Ellisa LEES]_[9730153930]_[20-03-1929].pdf',
+ 'cypress/fixtures/lg-files/zenia_lees/2of3_Lloyd_George_Record_[Zenia Ellisa LEES]_[9730153930]_[20-03-1929].pdf',
+ 'cypress/fixtures/lg-files/zenia_lees/3of3_Lloyd_George_Record_[Zenia Ellisa LEES]_[9730153930]_[20-03-1929].pdf',
+];
+const uploadedFileNames = [
+ '1of3_Lloyd_George_Record_[Zenia Ellisa LEES]_[9730153930]_[20-03-1929].pdf',
+ '2of3_Lloyd_George_Record_[Zenia Ellisa LEES]_[9730153930]_[20-03-1929].pdf',
+ '3of3_Lloyd_George_Record_[Zenia Ellisa LEES]_[9730153930]_[20-03-1929].pdf',
+];
+
+const bucketName = `${workspace}-lloyd-george-store`;
+const referenceTableName = `${workspace}_LloydGeorgeReferenceMetadata`;
+const stitchTableName = `${workspace}_LloydGeorgeStitchJobMetadata`;
+
+const patientVerifyUrl = '/patient/verify';
+const lloydGeorgeRecordUrl = '/patient/lloyd-george-record';
+const selectOrderUrl = '/patient/document-upload/select-order';
+const confirmationUrl = '/patient/document-upload/confirmation';
+
+const activePatient = pdsPatients.activeNoUpload;
+
+describe('GP Workflow: Upload Lloyd George record', () => {
+ context('Upload a Lloyd George document', () => {
+ beforeEach(() => {
+ //delete any records present for the active patient
+ cy.deleteItemsBySecondaryKeyFromDynamoDb(
+ referenceTableName,
+ 'NhsNumberIndex',
+ 'NhsNumber',
+ activePatient.toString(),
+ );
+ cy.deleteItemsBySecondaryKeyFromDynamoDb(
+ stitchTableName,
+ 'NhsNumberIndex',
+ 'NhsNumber',
+ activePatient.toString()
+ );
+ uploadedFileNames.forEach((file) => {
+ cy.deleteFileFromS3(bucketName, file);
+ });
+ });
+
+ afterEach(() => {
+ //clean up any records present for the active patient
+ cy.deleteItemsBySecondaryKeyFromDynamoDb(
+ referenceTableName,
+ 'NhsNumberIndex',
+ 'NhsNumber',
+ activePatient.toString(),
+ );
+ cy.deleteItemsBySecondaryKeyFromDynamoDb(
+ stitchTableName,
+ 'NhsNumberIndex',
+ 'NhsNumber',
+ activePatient.toString()
+ );
+ uploadedFileNames.forEach((file) => {
+ cy.deleteFileFromS3(bucketName, file);
+ });
+ });
+
+ it(
+ '[Smoke] GP Clinical can upload multiple files and then view a Lloyd George record for an active patient with no record',
+ { tags: 'smoke', defaultCommandTimeout: 20000 },
+ () => {
+ cy.smokeLogin(Roles.SMOKE_GP_CLINICAL);
+
+ cy.navigateToPatientSearchPage();
+
+ cy.get('#nhs-number-input').should('exist');
+ cy.get('#nhs-number-input').click();
+ cy.get('#nhs-number-input').type(activePatient);
+ cy.getByTestId('search-submit-btn').should('exist');
+ cy.getByTestId('search-submit-btn').click();
+
+ cy.url({ timeout: 15000 }).should('contain', patientVerifyUrl);
+
+ cy.get('#verify-submit').should('exist');
+ cy.get('#verify-submit').click();
+
+ cy.url().should('contain', lloydGeorgeRecordUrl);
+ cy.getByTestId('no-records-title').should(
+ 'include.text',
+ 'This patient does not have a Lloyd George record',
+ );
+ cy.getByTestId('upload-patient-record-button').should('exist');
+ cy.getByTestId('upload-patient-record-button').click();
+ uploadedFilePathNames.forEach((file) => {
+ cy.getByTestId('button-input').selectFile(file, { force: true });
+ var index = uploadedFilePathNames.indexOf(file);
+ cy.get('#selected-documents-table').should('contain', uploadedFileNames[index]);
+ });
+ cy.get('#continue-button').click();
+
+ cy.url().should('contain', selectOrderUrl);
+ cy.get('#selected-documents-table').should('exist');
+ uploadedFileNames.forEach((name) => {
+ cy.get('#selected-documents-table').should('contain', name);
+ });
+ cy.getByTestId('form-submit-button').click();
+
+ cy.url().should('contain', confirmationUrl);
+ uploadedFileNames.forEach((name) => {
+ 
cy.get('#selected-documents-table').should('contain', name);
+ });
+ cy.getByTestId('confirm-button').click();
+
+ cy.getByTestId('upload-complete-page', { timeout: 25000 }).should('exist');
+
+ cy.getByTestId('upload-complete-card').should('be.visible');
+
+ cy.getByTestId('home-btn').eq(1).click();
+
+ cy.navigateToPatientSearchPage();
+
+ cy.get('#nhs-number-input').type(activePatient);
+ cy.get('#search-submit').click();
+ cy.wait(5000)
+
+ cy.get('.patient-results-form').submit();
+
+ cy.get("#pdf-viewer", { timeout: 20000 }).should('exist');
+ });
+ });
+});
diff --git a/lambdas/services/authoriser_service.py b/lambdas/services/authoriser_service.py
index 11fe330a0..9b2b2ee40 100644
--- a/lambdas/services/authoriser_service.py
+++ b/lambdas/services/authoriser_service.py
@@ -121,9 +121,7 @@ def deny_access_policy(self, path, user_role, nhs_number: str = None): deny_resource = False case "/DocumentStatus": - deny_resource = ( - not patient_access_is_allowed or is_user_gp_clinical or is_user_pcse - ) + deny_resource = not patient_access_is_allowed case path if re.match(r"^/DocumentReview/[^/]+/[^/]+/Status$", path): deny_resource = False
diff --git a/lambdas/tests/unit/services/test_authoriser_service.py b/lambdas/tests/unit/services/test_authoriser_service.py
index f3e636ac0..e5b6514c7 100644
--- a/lambdas/tests/unit/services/test_authoriser_service.py
+++ b/lambdas/tests/unit/services/test_authoriser_service.py
@@ -74,10 +74,8 @@ def mocked_decode_method(auth_token: str, *_args, **_kwargs): [ "/DocumentManifest", "/DocumentDelete", - "/DocumentStatus", "/UploadState", "/VirusScan", - ], ) def test_deny_access_policy_returns_true_for_gp_clinical_on_paths(
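Review bot: `cy.wait(5000)` after `cy.get('#search-submit').click()` near the end of the new test is a fixed sleep (and the only statement in the file without a trailing semicolon); it will flake on a slow run and idle on a fast one, so prefer an assertion on the state the next step needs, e.g. `cy.get('.patient-results-form', { timeout: 15000 }).should('exist');`. In the upload loop, `var index = uploadedFilePathNames.indexOf(file);` recomputes what `forEach` already supplies; `uploadedFilePathNames.forEach((file, index) => {` removes both the lookup and the function-scoped `var`. `const baseUrl = Cypress.config('baseUrl');` is declared near the top but not referenced anywhere in the file, so it can go. The `beforeEach` and `afterEach` bodies are identical apart from the comment, so a single cleanup helper called from both would keep them from drifting (the two `deleteItemsBySecondaryKeyFromDynamoDb` calls already differ only by a trailing comma).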
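Review bot: The new `deny_resource = not patient_access_is_allowed` for `/DocumentStatus` drops both `is_user_gp_clinical` and `is_user_pcse` from the deny condition, so PCSE users gain access to this endpoint alongside GP Clinical, while the commit title and the new smoke test only describe a GP Clinical flow; if PCSE access is not intended, the narrower change is `deny_resource = not patient_access_is_allowed or is_user_pcse`. Whichever is meant, a comment on the `case "/DocumentStatus":` branch stating why the role guard was removed — e.g. `# PRMP-1184: role restriction lifted; access rests solely on the patient-level check` — would stop a later reader from reinstating it as an apparent omission. The enclosing `match` and `deny_access_policy` itself begin and end outside the hunk.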
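Review bot: Removing `/DocumentStatus` from the GP-Clinical deny parametrization leaves the relaxed rule with no positive test: nothing in this commit asserts that `deny_access_policy` now returns False for GP Clinical (or PCSE) on `/DocumentStatus` when the patient is in the allowed set, so reinstating the old role guard would still pass the suite. A case for the role(s) now expected to be allowed, in the same parametrized style as the existing tests, would pin the new behaviour; the second hunk of this file, which adds `/DocumentStatus` to the nhs-number-not-allowed case, covers only the deny side. The second `-` line in this hunk appears to remove `],` with no replacement, which as shown would leave the list literal unclosed — this may be an artefact of the collapsed view, but it is worth confirming the file still parses.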
@@ -92,7 +90,7 @@ def test_deny_access_policy_returns_true_for_gp_clinical_on_paths( assert actual == expected -@pytest.mark.parametrize("test_path", ["/DocumentManifest", "/DocumentDelete", "Any"]) +@pytest.mark.parametrize("test_path", ["/DocumentManifest", "/DocumentDelete", "/DocumentStatus", "Any"]) def test_deny_access_policy_returns_true_for_nhs_number_not_in_allowed( test_path, mock_auth_service: AuthoriserService,
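Review bot: The rewritten `@pytest.mark.parametrize("test_path", ["/DocumentManifest", "/DocumentDelete", "/DocumentStatus", "Any"])` line is about 105 characters, beyond the 88-column wrap the previous hunk's decorator appears to follow with its one-path-per-line list; laying this list out the same way keeps the two decorators consistent and stops the formatter from rewriting the line on its next pass. `test_deny_access_policy_returns_true_for_nhs_number_not_in_allowed` continues outside the hunk.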