TD-4880- Prevent administrators from viewing Activity Delegates for self assessments in a category that doesn't match their own through URL manipulation.

ABSinhaa · kevwhitt-hee · commit 65d36c94c776 · 2024-11-13T09:23:44.000Z
diff --git a/DigitalLearningSolutions.Data/DataServices/CourseDataService.cs b/DigitalLearningSolutions.Data/DataServices/CourseDataService.cs
@@ -136,7 +136,8 @@ int EnrolOnActivitySelfAssessment(int selfAssessmentId, int candidateId, int sup
 
         public IEnumerable<CourseStatistics> GetDelegateCourseStatisticsAtCentre(string searchString, int centreId, int? categoryId, bool allCentreCourses, bool? hideInLearnerPortal, string isActive, string categoryName, string courseTopic, string hasAdminFields);
 
-        public IEnumerable<DelegateAssessmentStatistics> GetDelegateAssessmentStatisticsAtCentre(string searchString, int centreId, string categoryName, string isActive);
+        public IEnumerable<DelegateAssessmentStatistics> GetDelegateAssessmentStatisticsAtCentre(string searchString, int centreId, string categoryName, string isActive, int? categoryId);
+
         bool IsSelfEnrollmentAllowed(int customisationId);
         Customisation? GetCourse(int customisationId);
     }
@@ -541,9 +542,7 @@ LEFT OUTER JOIN UserCentreDetails AS UCD ON
                         new { candidateAssessmentId, enrolmentMethodId, completeByDateDynamic }
                     );
             }
-
             if (candidateAssessmentId > 1 && supervisorDelegateId !=0)
-
             {
                 string sqlQuery = $@"
                 BEGIN TRANSACTION
@@ -1976,7 +1975,7 @@ AND ap.DefaultContentTypeID <> 4
             return courseStatistics;
         }
 
-        public IEnumerable<DelegateAssessmentStatistics> GetDelegateAssessmentStatisticsAtCentre(string searchString, int centreId, string categoryName, string isActive)
+        public IEnumerable<DelegateAssessmentStatistics> GetDelegateAssessmentStatisticsAtCentre(string searchString, int centreId, string categoryName, string isActive, int? categoryId)
         {
             string assessmentStatisticsSelectQuery = $@"SELECT
                         sa.Name AS Name,
@@ -2006,11 +2005,12 @@ from CentreSelfAssessments AS csa
                         WHERE csa.CentreID= @centreId
                                 AND sa.[Name] LIKE '%' + @searchString + '%'
 		                        AND ((@categoryName = 'Any') OR (cc.CategoryName = @categoryName))
+                                AND (ISNULL(@categoryId, 0) = 0 OR sa.CategoryID = @categoryId)
 		                        AND ((@isActive = 'Any') OR (@isActive = 'true' AND  sa.ArchivedDate IS NULL) OR (@isActive = 'false' AND sa.ArchivedDate IS NOT NULL))
                                 ";
 
             IEnumerable<DelegateAssessmentStatistics> delegateAssessmentStatistics = connection.Query<DelegateAssessmentStatistics>(assessmentStatisticsSelectQuery,
-                new { searchString, centreId, categoryName, isActive }, commandTimeout: 3000);
+                new { searchString, centreId, categoryName, isActive, categoryId }, commandTimeout: 3000);
             return delegateAssessmentStatistics;
         }
 
diff --git a/DigitalLearningSolutions.Data/DataServices/SelfAssessmentDataService/SelfAssessmentDataService.cs b/DigitalLearningSolutions.Data/DataServices/SelfAssessmentDataService/SelfAssessmentDataService.cs
@@ -172,6 +172,7 @@ int GetSelfAssessmentActivityDelegatesExportCount(string searchString, string so
         bool IsUnsupervisedSelfAssessment(int selfAssessmentId);
         bool IsCentreSelfAssessment(int selfAssessmentId, int centreId);
         bool HasMinimumOptionalCompetencies(int selfAssessmentId, int delegateUserId);
+        int GetSelfAssessmentCategoryId(int selfAssessmentId);
     }
 
     public partial class SelfAssessmentDataService : ISelfAssessmentDataService
@@ -760,5 +761,13 @@ INNER JOIN SelfAssessments AS SA
                         new { selfAssessmentId, delegateUserId }
                     );
         }
+
+        public int GetSelfAssessmentCategoryId(int selfAssessmentId)
+        {
+            return connection.ExecuteScalar<int>(
+                @"SELECT CategoryID FROM SelfAssessments WHERE ID = @selfAssessmentId",
+                new { selfAssessmentId }
+            );
+        }
     }
 }
diff --git a/DigitalLearningSolutions.Web.Tests/Controllers/TrackingSystem/Delegates/CourseDelegatesControllerTests.cs b/DigitalLearningSolutions.Web.Tests/Controllers/TrackingSystem/Delegates/CourseDelegatesControllerTests.cs
@@ -23,6 +23,7 @@
     public class CourseDelegatesControllerTests
     {
         private const int UserCentreId = 3;
+        private const int selfAssessmentId = 3;
         private ActivityDelegatesController controller = null!;
         private ICourseDelegatesDownloadFileService courseDelegatesDownloadFileService = null!;
         private ICourseDelegatesService courseDelegatesService = null!;
@@ -123,7 +124,7 @@ public void CourseDelegates_Index_returns_Not_Found_when_service_returns_null()
                 );
 
             // When
-            var result = controller.Index(2);
+            var result = controller.Index(2, selfAssessmentId);
 
             // Then
             result.Should().BeNotFoundResult();
@@ -207,7 +208,7 @@ public void Index_should_default_to_Active_filter()
                 );
 
             // When
-            var result = courseDelegatesController.Index(customisationId);
+            var result = courseDelegatesController.Index(customisationId, selfAssessmentId);
 
             // Then
             using (new AssertionScope())
diff --git a/DigitalLearningSolutions.Web.Tests/Controllers/TrackingSystem/Delegates/DelegateCoursesControllerTests.cs b/DigitalLearningSolutions.Web.Tests/Controllers/TrackingSystem/Delegates/DelegateCoursesControllerTests.cs
@@ -99,7 +99,9 @@ public void Index_calls_expected_methods_and_returns_view()
                 var delegateCourses = Builder<CourseStatisticsWithAdminFieldResponseCounts>.CreateListOfSize(5).Build();
                 A.CallTo(() => courseService.GetDelegateCourses(string.Empty, 1, 1, true, true, string.Empty, string.Empty, string.Empty, string.Empty)).Returns(delegateCourses);
 
-                A.CallTo(() => courseService.GetDelegateAssessments(A<string>._, A<int>._, A<string>._, A<string>._)).MustHaveHappened();
+
+                var delegateSelfAssessments = Builder<DelegateAssessmentStatistics>.CreateListOfSize(5).Build();
+                A.CallTo(() => courseService.GetDelegateAssessments(A<string>._, A<int>._, A<string>._, A<string>._, A<int>._)).Returns(delegateSelfAssessments);
                 A.CallTo(
                     () => paginateService.Paginate(A<IEnumerable<CourseStatistics>>._,
                          A<int>._,
diff --git a/DigitalLearningSolutions.Web.Tests/Services/CourseServiceTests.cs b/DigitalLearningSolutions.Web.Tests/Services/CourseServiceTests.cs
@@ -982,15 +982,15 @@ public void GetDelegateAssessments_GetDelegateAssessments_ShouldBeInvokedAndRetu
         {
             // Given
             var delegateAssessments = Builder<DelegateAssessmentStatistics>.CreateListOfSize(5).Build();
-            A.CallTo(() => courseDataService.GetDelegateAssessmentStatisticsAtCentre(string.Empty, 1, string.Empty, string.Empty)).Returns(delegateAssessments);
+            A.CallTo(() => courseDataService.GetDelegateAssessmentStatisticsAtCentre(string.Empty, 1, string.Empty, string.Empty, 1)).Returns(delegateAssessments);
 
             // When
-            var result = courseService.GetDelegateAssessments(string.Empty, 1, string.Empty, string.Empty);
+            var result = courseService.GetDelegateAssessments(string.Empty, 1, string.Empty, string.Empty, 1);
 
             // Then
             using (new AssertionScope())
             {
-                A.CallTo(() => courseDataService.GetDelegateAssessmentStatisticsAtCentre(string.Empty, 1, string.Empty, string.Empty))
+                A.CallTo(() => courseDataService.GetDelegateAssessmentStatisticsAtCentre(string.Empty, 1, string.Empty, string.Empty, 1))
                     .MustHaveHappenedOnceExactly();
                 result.Count().Should().BeGreaterOrEqualTo(0);
             }
diff --git a/DigitalLearningSolutions.Web/Controllers/TrackingSystem/Delegates/ActivityDelegatesController.cs b/DigitalLearningSolutions.Web/Controllers/TrackingSystem/Delegates/ActivityDelegatesController.cs
@@ -131,6 +131,12 @@ public IActionResult Index(
 
             var centreId = User.GetCentreIdKnownNotNull();
             var adminCategoryId = User.GetAdminCategoryId();
+            var selfAssessmentCategoryId = selfAssessmentService.GetSelfAssessmentCategoryId((int)selfAssessmentId);
+
+            if (adminCategoryId > 0 && adminCategoryId != selfAssessmentCategoryId)
+            {
+                return RedirectToAction("StatusCode", "LearningSolutions", new { code = 403 });
+            }
 
             bool? isDelegateActive, isProgressLocked, removed, hasCompleted, submitted, signedOff;
             isDelegateActive = isProgressLocked = removed = hasCompleted = submitted = signedOff = null;
diff --git a/DigitalLearningSolutions.Web/Controllers/TrackingSystem/Delegates/DelegateCoursesController.cs b/DigitalLearningSolutions.Web/Controllers/TrackingSystem/Delegates/DelegateCoursesController.cs
@@ -156,13 +156,13 @@ public IActionResult Index(
             {
                 delegateActivities = courseService.GetDelegateCourses(searchString, centreId, categoryId, true, null, isActive, categoryName, courseTopic, hasAdminFields).ToList();
                 if (courseTopic == "Any" && hasAdminFields == "Any")
-                    delegateAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive);
+                    delegateAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive, categoryId);
             }
 
             if (isCourse == "true")
                 delegateActivities = courseService.GetDelegateCourses(searchString ?? string.Empty, centreId, categoryId, true, null, isActive, categoryName, courseTopic, hasAdminFields).ToList();
             if (isSelfAssessment == "true" && courseTopic == "Any" && hasAdminFields == "Any")
-                delegateAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive);
+                delegateAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive, categoryId);
 
             delegateAssessments = UpdateCompletedCount(delegateAssessments);
 
diff --git a/DigitalLearningSolutions.Web/Services/CourseDelegatesDownloadFileService.cs b/DigitalLearningSolutions.Web/Services/CourseDelegatesDownloadFileService.cs
@@ -227,12 +227,12 @@ string sortDirection
             {
                 courses = GetCoursesToExport(centreId, adminCategoryId, searchString, sortBy, filterString, sortDirection);
                 if (courseTopic == "Any" && hasAdminFields == "Any")
-                    selfAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive);
+                    selfAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive, adminCategoryId);
             }
             if (isCourse == "true")
                 courses = GetCoursesToExport(centreId, adminCategoryId, searchString, sortBy, filterString, sortDirection);
             if (isSelfAssessment == "true" && courseTopic == "Any" && hasAdminFields == "Any")
-                selfAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive);
+                selfAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive, adminCategoryId);
 
             if (selfAssessments.Any())
             {
diff --git a/DigitalLearningSolutions.Web/Services/CourseService.cs b/DigitalLearningSolutions.Web/Services/CourseService.cs
@@ -120,7 +120,7 @@ int diagCompletionThreshold
            string isActive, string categoryName, string courseTopic, string hasAdminFields);
 
         public IEnumerable<CourseStatisticsWithAdminFieldResponseCounts> GetDelegateCourses(string searchString, int centreId, int? categoryId, bool allCentreCourses, bool? hideInLearnerPortal, string isActive, string categoryName, string courseTopic, string hasAdminFields);
-        public IEnumerable<DelegateAssessmentStatistics> GetDelegateAssessments(string searchString, int centreId, string categoryName, string isActive);
+        public IEnumerable<DelegateAssessmentStatistics> GetDelegateAssessments(string searchString, int centreId, string categoryName, string isActive, int? categoryId);
         IEnumerable<AvailableCourse> GetAvailableCourses(int delegateId, int? centreId, int categoryId);
         bool IsCourseCompleted(int candidateId, int customisationId);
         bool IsCourseCompleted(int candidateId, int customisationId, int progressID);
@@ -563,9 +563,9 @@ public IEnumerable<CourseStatisticsWithAdminFieldResponseCounts> GetDelegateCour
             );
         }
 
-        public IEnumerable<DelegateAssessmentStatistics> GetDelegateAssessments(string searchString, int centreId, string categoryName, string isActive)
+        public IEnumerable<DelegateAssessmentStatistics> GetDelegateAssessments(string searchString, int centreId, string categoryName, string isActive, int? categoryId)
         {
-            return courseDataService.GetDelegateAssessmentStatisticsAtCentre(searchString, centreId, categoryName, isActive);
+            return courseDataService.GetDelegateAssessmentStatisticsAtCentre(searchString, centreId, categoryName, isActive, categoryId);
         }
 
         public IEnumerable<AvailableCourse> GetAvailableCourses(int delegateId, int? centreId, int categoryId)
diff --git a/DigitalLearningSolutions.Web/Services/SelfAssessmentService.cs b/DigitalLearningSolutions.Web/Services/SelfAssessmentService.cs
@@ -149,6 +149,7 @@ public int GetSelfAssessmentActivityDelegatesExportCount(string searchString, st
         IEnumerable<CandidateAssessment> GetCandidateAssessments(int delegateUserId, int selfAssessmentId);
         bool IsCentreSelfAssessment(int selfAssessmentId, int centreId);
         bool HasMinimumOptionalCompetencies(int selfAssessmentId, int delegateUserId);
+        public int GetSelfAssessmentCategoryId(int selfAssessmentId);
 
     }
 
@@ -557,5 +558,10 @@ public bool HasMinimumOptionalCompetencies(int selfAssessmentId, int delegateUse
         {
             return selfAssessmentDataService.HasMinimumOptionalCompetencies(selfAssessmentId, delegateUserId);
         }
+
+        public int GetSelfAssessmentCategoryId(int selfAssessmentId)
+        {
+            return selfAssessmentDataService.GetSelfAssessmentCategoryId(selfAssessmentId);
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -172,6 +172,7 @@ int GetSelfAssessmentActivityDelegatesExportCount(string searchString, string so`
`172`	`172`	`bool IsUnsupervisedSelfAssessment(int selfAssessmentId);`
`173`	`173`	`bool IsCentreSelfAssessment(int selfAssessmentId, int centreId);`
`174`	`174`	`bool HasMinimumOptionalCompetencies(int selfAssessmentId, int delegateUserId);`
	`175`	`+ int GetSelfAssessmentCategoryId(int selfAssessmentId);`
`175`	`176`	`}`
`176`	`177`
`177`	`178`	`public partial class SelfAssessmentDataService : ISelfAssessmentDataService`
`@@ -760,5 +761,13 @@ INNER JOIN SelfAssessments AS SA`
`760`	`761`	`new { selfAssessmentId, delegateUserId }`
`761`	`762`	`);`
`762`	`763`	`}`
	`764`	`+`
	`765`	`+ public int GetSelfAssessmentCategoryId(int selfAssessmentId)`
	`766`	`+ {`
	`767`	`+ return connection.ExecuteScalar<int>(`
	`768`	`+ @"SELECT CategoryID FROM SelfAssessments WHERE ID = @selfAssessmentId",`
	`769`	`+ new { selfAssessmentId }`
	`770`	`+ );`
	`771`	`+ }`
`763`	`772`	`}`
`764`	`773`	`}`
Original file line number	Diff line number	Diff line change
`@@ -982,15 +982,15 @@ public void GetDelegateAssessments_GetDelegateAssessments_ShouldBeInvokedAndRetu`
`982`	`982`	`{`
`983`	`983`	`// Given`
`984`	`984`	`var delegateAssessments = Builder<DelegateAssessmentStatistics>.CreateListOfSize(5).Build();`
`985`		`- A.CallTo(() => courseDataService.GetDelegateAssessmentStatisticsAtCentre(string.Empty, 1, string.Empty, string.Empty)).Returns(delegateAssessments);`
	`985`	`+ A.CallTo(() => courseDataService.GetDelegateAssessmentStatisticsAtCentre(string.Empty, 1, string.Empty, string.Empty, 1)).Returns(delegateAssessments);`
`986`	`986`
`987`	`987`	`// When`
`988`		`- var result = courseService.GetDelegateAssessments(string.Empty, 1, string.Empty, string.Empty);`
	`988`	`+ var result = courseService.GetDelegateAssessments(string.Empty, 1, string.Empty, string.Empty, 1);`
`989`	`989`
`990`	`990`	`// Then`
`991`	`991`	`using (new AssertionScope())`
`992`	`992`	`{`
`993`		`- A.CallTo(() => courseDataService.GetDelegateAssessmentStatisticsAtCentre(string.Empty, 1, string.Empty, string.Empty))`
	`993`	`+ A.CallTo(() => courseDataService.GetDelegateAssessmentStatisticsAtCentre(string.Empty, 1, string.Empty, string.Empty, 1))`
`994`	`994`	`.MustHaveHappenedOnceExactly();`
`995`	`995`	`result.Count().Should().BeGreaterOrEqualTo(0);`
`996`	`996`	`}`
Original file line number	Diff line number	Diff line change
`@@ -156,13 +156,13 @@ public IActionResult Index(`
`156`	`156`	`{`
`157`	`157`	`delegateActivities = courseService.GetDelegateCourses(searchString, centreId, categoryId, true, null, isActive, categoryName, courseTopic, hasAdminFields).ToList();`
`158`	`158`	`if (courseTopic == "Any" && hasAdminFields == "Any")`
`159`		`- delegateAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive);`
	`159`	`+ delegateAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive, categoryId);`
`160`	`160`	`}`
`161`	`161`
`162`	`162`	`if (isCourse == "true")`
`163`	`163`	`delegateActivities = courseService.GetDelegateCourses(searchString ?? string.Empty, centreId, categoryId, true, null, isActive, categoryName, courseTopic, hasAdminFields).ToList();`
`164`	`164`	`if (isSelfAssessment == "true" && courseTopic == "Any" && hasAdminFields == "Any")`
`165`		`- delegateAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive);`
	`165`	`+ delegateAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive, categoryId);`
`166`	`166`
`167`	`167`	`delegateAssessments = UpdateCompletedCount(delegateAssessments);`
`168`	`168`
Original file line number	Diff line number	Diff line change
`@@ -227,12 +227,12 @@ string sortDirection`
`227`	`227`	`{`
`228`	`228`	`courses = GetCoursesToExport(centreId, adminCategoryId, searchString, sortBy, filterString, sortDirection);`
`229`	`229`	`if (courseTopic == "Any" && hasAdminFields == "Any")`
`230`		`- selfAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive);`
	`230`	`+ selfAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive, adminCategoryId);`
`231`	`231`	`}`
`232`	`232`	`if (isCourse == "true")`
`233`	`233`	`courses = GetCoursesToExport(centreId, adminCategoryId, searchString, sortBy, filterString, sortDirection);`
`234`	`234`	`if (isSelfAssessment == "true" && courseTopic == "Any" && hasAdminFields == "Any")`
`235`		`- selfAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive);`
	`235`	`+ selfAssessments = courseService.GetDelegateAssessments(searchString, centreId, categoryName, isActive, adminCategoryId);`
`236`	`236`
`237`	`237`	`if (selfAssessments.Any())`
`238`	`238`	`{`
Original file line number	Diff line number	Diff line change
`@@ -120,7 +120,7 @@ int diagCompletionThreshold`
`120`	`120`	`string isActive, string categoryName, string courseTopic, string hasAdminFields);`
`121`	`121`
`122`	`122`	`public IEnumerable<CourseStatisticsWithAdminFieldResponseCounts> GetDelegateCourses(string searchString, int centreId, int? categoryId, bool allCentreCourses, bool? hideInLearnerPortal, string isActive, string categoryName, string courseTopic, string hasAdminFields);`
`123`		`- public IEnumerable<DelegateAssessmentStatistics> GetDelegateAssessments(string searchString, int centreId, string categoryName, string isActive);`
	`123`	`+ public IEnumerable<DelegateAssessmentStatistics> GetDelegateAssessments(string searchString, int centreId, string categoryName, string isActive, int? categoryId);`
`124`	`124`	`IEnumerable<AvailableCourse> GetAvailableCourses(int delegateId, int? centreId, int categoryId);`
`125`	`125`	`bool IsCourseCompleted(int candidateId, int customisationId);`
`126`	`126`	`bool IsCourseCompleted(int candidateId, int customisationId, int progressID);`
`@@ -563,9 +563,9 @@ public IEnumerable<CourseStatisticsWithAdminFieldResponseCounts> GetDelegateCour`
`563`	`563`	`);`
`564`	`564`	`}`
`565`	`565`
`566`		`- public IEnumerable<DelegateAssessmentStatistics> GetDelegateAssessments(string searchString, int centreId, string categoryName, string isActive)`
	`566`	`+ public IEnumerable<DelegateAssessmentStatistics> GetDelegateAssessments(string searchString, int centreId, string categoryName, string isActive, int? categoryId)`
`567`	`567`	`{`
`568`		`- return courseDataService.GetDelegateAssessmentStatisticsAtCentre(searchString, centreId, categoryName, isActive);`
	`568`	`+ return courseDataService.GetDelegateAssessmentStatisticsAtCentre(searchString, centreId, categoryName, isActive, categoryId);`
`569`	`569`	`}`
`570`	`570`
`571`	`571`	`public IEnumerable<AvailableCourse> GetAvailableCourses(int delegateId, int? centreId, int categoryId)`
Original file line number	Diff line number	Diff line change
`@@ -149,6 +149,7 @@ public int GetSelfAssessmentActivityDelegatesExportCount(string searchString, st`
`149`	`149`	`IEnumerable<CandidateAssessment> GetCandidateAssessments(int delegateUserId, int selfAssessmentId);`
`150`	`150`	`bool IsCentreSelfAssessment(int selfAssessmentId, int centreId);`
`151`	`151`	`bool HasMinimumOptionalCompetencies(int selfAssessmentId, int delegateUserId);`
	`152`	`+ public int GetSelfAssessmentCategoryId(int selfAssessmentId);`
`152`	`153`
`153`	`154`	`}`
`154`	`155`
`@@ -557,5 +558,10 @@ public bool HasMinimumOptionalCompetencies(int selfAssessmentId, int delegateUse`
`557`	`558`	`{`
`558`	`559`	`return selfAssessmentDataService.HasMinimumOptionalCompetencies(selfAssessmentId, delegateUserId);`
`559`	`560`	`}`
	`561`	`+`
	`562`	`+ public int GetSelfAssessmentCategoryId(int selfAssessmentId)`
	`563`	`+ {`
	`564`	`+ return selfAssessmentDataService.GetSelfAssessmentCategoryId(selfAssessmentId);`
	`565`	`+ }`
`560`	`566`	`}`
`561`	`567`	`}`