Dmp 5090 fix deactivate own account error (#2987)

Author: karen-hedges

src/integrationTest/java/uk/gov/hmcts/darts/audio/controller/AudioControllerGetAdminMediaVersionsByIdIntTest.java

@@ -17,6 +17,7 @@
 
 import java.time.Duration;
 import java.time.OffsetDateTime;
+import java.time.ZoneOffset;
 import java.time.format.DateTimeFormatter;
 
 import static org.junit.jupiter.params.provider.EnumSource.Mode.EXCLUDE;
@@ -62,9 +63,12 @@ void shouldReturn200_whenChronicleIdHasBothCurrentAndNonCurrentVersions() throws
 
         String expectedResponse = getContentsFromFile(
             "tests/audio/AudioControllerGetAdminMediaVersionsByIdIntTest/expectedResponseTypical.json")
-            .replace("<created_at_current>", currentMediaEntity.getCreatedDateTime().format(DateTimeFormatter.ISO_DATE_TIME))
-            .replace("<versioned_at_current_1>", versionedMediaEntity2.getCreatedDateTime().format(DateTimeFormatter.ISO_DATE_TIME))
-            .replace("<versioned_at_current_2>", versionedMediaEntity1.getCreatedDateTime().format(DateTimeFormatter.ISO_DATE_TIME));
+            .replace("<created_at_current>",
+                     currentMediaEntity.getCreatedDateTime().atZoneSameInstant(ZoneOffset.UTC).format(DateTimeFormatter.ISO_DATE_TIME))
+            .replace("<versioned_at_current_1>",
+                     versionedMediaEntity2.getCreatedDateTime().atZoneSameInstant(ZoneOffset.UTC).format(DateTimeFormatter.ISO_DATE_TIME))
+            .replace("<versioned_at_current_2>",
+                     versionedMediaEntity1.getCreatedDateTime().atZoneSameInstant(ZoneOffset.UTC).format(DateTimeFormatter.ISO_DATE_TIME));
         JSONAssert.assertEquals(expectedResponse, mvcResult.getResponse().getContentAsString(), JSONCompareMode.STRICT);
     }
 
@@ -86,9 +90,12 @@ void shouldReturn200_whenMediaIdPassedIsNotCurrent_shouldReturnTheCorrectCorrent
 
         String expectedResponse = getContentsFromFile(
             "tests/audio/AudioControllerGetAdminMediaVersionsByIdIntTest/expectedResponseTypical.json")
-            .replace("<created_at_current>", currentMediaEntity.getCreatedDateTime().format(DateTimeFormatter.ISO_DATE_TIME))
-            .replace("<versioned_at_current_1>", versionedMediaEntity2.getCreatedDateTime().format(DateTimeFormatter.ISO_DATE_TIME))
-            .replace("<versioned_at_current_2>", versionedMediaEntity1.getCreatedDateTime().format(DateTimeFormatter.ISO_DATE_TIME));
+            .replace("<created_at_current>", currentMediaEntity.getCreatedDateTime().atZoneSameInstant(ZoneOffset.UTC)
+                .format(DateTimeFormatter.ISO_DATE_TIME))
+            .replace("<versioned_at_current_1>", versionedMediaEntity2.getCreatedDateTime().atZoneSameInstant(ZoneOffset.UTC)
+                .format(DateTimeFormatter.ISO_DATE_TIME))
+            .replace("<versioned_at_current_2>", versionedMediaEntity1.getCreatedDateTime().atZoneSameInstant(ZoneOffset.UTC)
+                .format(DateTimeFormatter.ISO_DATE_TIME));
         JSONAssert.assertEquals(expectedResponse, mvcResult.getResponse().getContentAsString(), JSONCompareMode.STRICT);
     }
 
@@ -108,7 +115,8 @@ void shouldReturn200_whenChronicleIdHasOnlyCurrentAndNoVersions() throws Excepti
 
         String expectedResponse = getContentsFromFile(
             "tests/audio/AudioControllerGetAdminMediaVersionsByIdIntTest/expectedResponseNoVersions.json")
-            .replace("<created_at_current>", currentMediaEntity.getCreatedDateTime().format(DateTimeFormatter.ISO_DATE_TIME));
+            .replace("<created_at_current>", currentMediaEntity.getCreatedDateTime().atZoneSameInstant(ZoneOffset.UTC)
+                .format(DateTimeFormatter.ISO_DATE_TIME));
         JSONAssert.assertEquals(expectedResponse, mvcResult.getResponse().getContentAsString(), JSONCompareMode.STRICT);
     }
 

src/integrationTest/java/uk/gov/hmcts/darts/usermanagement/controller/PatchUserIntTest.java

@@ -3,6 +3,7 @@
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.parallel.Isolated;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
@@ -37,6 +38,7 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 @AutoConfigureMockMvc
+@Isolated
 class PatchUserIntTest extends IntegrationBase {
 
     private static final String ORIGINAL_USERNAME = "James Smith";
@@ -73,7 +75,7 @@ void setUp() {
     }
 
     @Test
-    void patchUserShouldSucceedWhenProvidedWithValidValueForSubsetOfAllowableFields() throws Exception {
+    void patchUser_ShouldSucceed_WhenProvidedWithValidValueForSubsetOfAllowableFields() throws Exception {
         UserAccountEntity user = superAdminUserStub.givenSystemAdminIsAuthorised(userIdentity);
 
         UserAccountEntity existingAccount = createEnabledUserAccountEntity(user);
@@ -121,7 +123,7 @@ void patchUserShouldSucceedWhenProvidedWithValidValueForSubsetOfAllowableFields(
     }
 
     @Test
-    void patchUserShouldSucceedWhenProvidedWithValidValuesForAllAllowableFields() throws Exception {
+    void patchUser_ShouldSucceed_WhenProvidedWithValidValuesForAllAllowableFields() throws Exception {
         UserAccountEntity user = superAdminUserStub.givenSystemAdminIsAuthorised(userIdentity);
 
         UserAccountEntity existingAccount = createEnabledUserAccountEntity(user);
@@ -168,7 +170,7 @@ void patchUserShouldSucceedWhenProvidedWithValidValuesForAllAllowableFields() th
 
     // Regression test to cover bug DMP-2459
     @Test
-    void patchUserShouldSucceedWhenAnExistingDescriptionIsRemoved() throws Exception {
+    void patchUser_ShouldSucceed_WhenAnExistingDescriptionIsRemoved() throws Exception {
         UserAccountEntity user = superAdminUserStub.givenSystemAdminIsAuthorised(userIdentity);
 
         UserAccountEntity existingAccount = createEnabledUserAccountEntity(user);
@@ -215,7 +217,7 @@ void patchUserShouldSucceedWhenAnExistingDescriptionIsRemoved() throws Exception
     }
 
     @Test
-    void patchUserShouldFailIfChangeWithInvalidDataIsAttempted() throws Exception {
+    void patchUser_ShouldFail_IfChangeWithInvalidDataIsAttempted() throws Exception {
         UserAccountEntity user = superAdminUserStub.givenSystemAdminIsAuthorised(userIdentity);
 
         UserAccountEntity existingAccount = createEnabledUserAccountEntity(user);
@@ -234,7 +236,7 @@ void patchUserShouldFailIfChangeWithInvalidDataIsAttempted() throws Exception {
     }
 
     @Test
-    void patchUserShouldFailIfProvidedUserIdDoesNotExistInDB() throws Exception {
+    void patchUser_ShouldFail_IfProvidedUserIdDoesNotExistInDB() throws Exception {
         superAdminUserStub.givenUserIsAuthorised(userIdentity);
 
         MockHttpServletRequestBuilder request = buildRequest(818_231)
@@ -249,7 +251,7 @@ void patchUserShouldFailIfProvidedUserIdDoesNotExistInDB() throws Exception {
     }
 
     @Test
-    void patchUserShouldSucceedAndClearSecurityGroupsWhenAccountGetsDisabledAndNoSecurityGroupsAreExplicitlyProvided() throws Exception {
+    void patchUser_ShouldSucceedAndClearSecurityGroups_WhenAccountGetsDisabledAndNoSecurityGroupsAreExplicitlyProvided() throws Exception {
         UserAccountEntity user = superAdminUserStub.givenSystemAdminIsAuthorised(userIdentity);
 
         UserAccountEntity existingAccount = createEnabledUserAccountEntity(user);
@@ -283,7 +285,37 @@ void patchUserShouldSucceedAndClearSecurityGroupsWhenAccountGetsDisabledAndNoSec
     }
 
     @Test
-    void patchUserShouldSucceedWhenAccountGetsEnabled() throws Exception {
+    void patchUser_ShouldFail_WhenAccountGetsDeactivatedBySameUser() throws Exception {
+        UserAccountEntity user = superAdminUserStub.givenSystemAdminIsAuthorised(userIdentity);
+
+        Integer userId = user.getId();
+
+        MockHttpServletRequestBuilder request = buildRequest(userId)
+            .content("""
+                         {
+                           "active": false
+                         }
+                         """);
+        mockMvc.perform(request)
+            .andExpect(status().is4xxClientError())
+            .andExpect(jsonPath("$.type").value("AUTHORISATION_115"))
+            .andExpect(jsonPath("$.title").value("User is not authorised to modify own account"))
+            .andExpect(jsonPath("$.status").value(403));
+
+        transactionTemplate.execute(status -> {
+            UserAccountEntity latestUserAccountEntity = dartsDatabase.getUserAccountRepository()
+                .findById(userId)
+                .orElseThrow();
+
+            assertEquals(true, latestUserAccountEntity.isActive());
+            assertThat(getSecurityGroupIds(latestUserAccountEntity).size(), greaterThan(0));
+
+            return null;
+        });
+    }
+
+    @Test
+    void patchUser_ShouldSucceed_WhenAccountGetsEnabled() throws Exception {
         UserAccountEntity user = superAdminUserStub.givenUserIsAuthorised(userIdentity);
 
         UserAccountEntity existingAccount = createDisabledUserAccountEntity(user);
@@ -317,7 +349,7 @@ void patchUserShouldSucceedWhenAccountGetsEnabled() throws Exception {
     }
 
     @Test
-    void patchUserShouldSucceedWhenSecurityGroupsAreUpdated() throws Exception {
+    void patchUser_ShouldSucceed_WhenSecurityGroupsAreUpdated() throws Exception {
         UserAccountEntity user = superAdminUserStub.givenSystemAdminIsAuthorised(userIdentity);
 
         UserAccountEntity existingAccount = createEnabledUserAccountEntity(user);
@@ -361,7 +393,7 @@ void patchUserShouldSucceedWhenSecurityGroupsAreUpdated() throws Exception {
     }
 
     @Test
-    void patchUserShouldSucceedIfEmailAddressChangeDifferent() throws Exception {
+    void patchUser_ShouldSucceed_IfEmailAddressChangeDifferent() throws Exception {
         UserAccountEntity user = superAdminUserStub.givenSystemAdminIsAuthorised(userIdentity);
 
         UserAccountEntity existingAccount = createEnabledUserAccountEntity(user);
@@ -382,7 +414,7 @@ void patchUserShouldSucceedIfEmailAddressChangeDifferent() throws Exception {
     }
 
     @Test
-    void patchUserSameEmailShouldBeOkAndDataShouldRemainUnchanged() throws Exception {
+    void patchUser_ShouldRemainUnchanged_SameEmailShouldBeOkAndData() throws Exception {
         UserAccountEntity user = superAdminUserStub.givenSystemAdminIsAuthorised(userIdentity);
 
         UserAccountEntity existingAccount = createEnabledUserAccountEntity(user);
@@ -401,7 +433,7 @@ void patchUserSameEmailShouldBeOkAndDataShouldRemainUnchanged() throws Exception
     }
 
     @Test
-    void patchUserDuplicateEmailShouldFail() throws Exception {
+    void patchUser_DuplicateEmailShouldFail() throws Exception {
         UserAccountEntity user = superAdminUserStub.givenSystemAdminIsAuthorised(userIdentity);
 
         createEnabledUserAccountEntity(user);
@@ -440,7 +472,7 @@ void patchUserShouldFailIfUserIsNotAuthorised() throws Exception {
     }
 
     @Test
-    void patchUserShouldFailIfProvidedUserIsASystemUser() throws Exception {
+    void patchUser_ShouldFailIfProvidedUserIsASystemUser() throws Exception {
         superAdminUserStub.givenSystemAdminIsAuthorised(userIdentity);
 
         UserAccountEntity userAccountEntity = accountStub.getSystemUserAccountEntity();

src/integrationTest/java/uk/gov/hmcts/darts/usermanagement/controller/SecurityGroupControllerIntTest.java

@@ -1,6 +1,7 @@
 package uk.gov.hmcts.darts.usermanagement.controller;
 
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.parallel.Isolated;
 import org.skyscreamer.jsonassert.JSONAssert;
 import org.skyscreamer.jsonassert.JSONCompareMode;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -25,6 +26,7 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 @AutoConfigureMockMvc
+@Isolated
 class SecurityGroupControllerIntTest extends IntegrationBase {
 
     public static final String TEST_COURTHOUSE_NAME = "SWANSEA";

src/integrationTest/java/uk/gov/hmcts/darts/usermanagement/controller/UserControllerIntTest.java

@@ -88,15 +88,12 @@ void testDeactivateModifyWithSuperAdmin() throws Exception {
         UserAccountEntity userAccountEntity = UserAccountTestData.minimalUserAccount();
         userAccountEntity = userAccountRepository.save(userAccountEntity);
 
-
         Optional<SecurityGroupEntity> groupEntity
             = securityGroupRepository.findByGroupNameIgnoreCase(SecurityGroupEnum.SUPER_ADMIN.getName());
 
-
         userAccountEntity.getSecurityGroupEntities().add(groupEntity.get());
         userAccountEntity = dartsDatabaseStub.save(userAccountEntity);
 
-
         HearingEntity hearingEntity = dartsDatabase.givenTheDatabaseContainsCourtCaseWithHearingAndCourthouseWithRoom(
             SOME_CASE_ID,
             SOME_COURTHOUSE,
@@ -325,7 +322,7 @@ void testActivateModifyUserWithSuperAdminAndFailWithNoFullNameAndNoEmailAddress(
         // add user to the super admin group
         Optional<SecurityGroupEntity> groupEntity
             = securityGroupRepository.findByGroupNameIgnoreCase(SecurityGroupEnum.SUPER_ADMIN.getName());
-        
+
         userAccountEntity.getSecurityGroupEntities().add(groupEntity.get());
         userAccountEntity = dartsDatabaseStub.save(userAccountEntity);
 

src/main/java/uk/gov/hmcts/darts/authorisation/exception/AuthorisationError.java

@@ -85,6 +85,11 @@ public enum AuthorisationError implements DartsApiError {
         AuthorisationErrorCode.USER_NOT_AUTHORISED_TO_ACTIVATE_USER.getValue(),
         HttpStatus.FORBIDDEN,
         AuthorisationTitleErrors.USER_NOT_AUTHORISED_TO_ACTIVATE_USER.getValue()
+    ),
+    USER_NOT_AUTHORISED_TO_MODIFY_OWN_ACCOUNT(
+        AuthorisationErrorCode.USER_NOT_AUTHORISED_TO_MODIFY_OWN_ACCOUNT.getValue(),
+        HttpStatus.FORBIDDEN,
+        AuthorisationTitleErrors.USER_NOT_AUTHORISED_TO_MODIFY_OWN_ACCOUNT.getValue()
     );
 
     private static final String ERROR_TYPE_PREFIX = "AUTHORISATION";

src/main/java/uk/gov/hmcts/darts/common/entity/CaseRetentionEntity.java

@@ -23,10 +23,8 @@
 @Table(name = CaseRetentionEntity.TABLE_NAME)
 @Getter
 @Setter
-public class CaseRetentionEntity extends CreatedModifiedBaseEntity
-    implements HasIntegerId {
-
-
+public class CaseRetentionEntity extends CreatedModifiedBaseEntity implements HasIntegerId {
+    
     public static final String ID = "car_id";
     public static final String TABLE_NAME = "case_retention";
 

src/main/java/uk/gov/hmcts/darts/usermanagement/service/impl/UserManagementServiceImpl.java

@@ -29,6 +29,7 @@
 import uk.gov.hmcts.darts.usermanagement.service.validation.UserAccountExistsValidator;
 import uk.gov.hmcts.darts.usermanagement.service.validation.UserTypeValidator;
 import uk.gov.hmcts.darts.usermanagement.validator.AuthorisedUserPermissionsValidator;
+import uk.gov.hmcts.darts.usermanagement.validator.NotSameUserValidator;
 import uk.gov.hmcts.darts.usermanagement.validator.UserActivateValidator;
 import uk.gov.hmcts.darts.usermanagement.validator.UserDeactivateNotLastInSuperAdminGroupValidator;
 import uk.gov.hmcts.darts.util.DataUtil;
@@ -65,6 +66,7 @@ public class UserManagementServiceImpl implements UserManagementService {
     private final TranscriptionService transcriptionService;
     private final AuditApi auditApi;
     private final UserActivateValidator authoriseValidator;
+    private final NotSameUserValidator notSameUserValidator;
 
     @Override
     @Transactional
@@ -102,8 +104,10 @@ public UserWithIdAndTimestamps modifyUser(Integer userId, UserPatch userPatch) {
         userAccountExistsValidator.validate(userId);
         userTypeValidator.validate(userId);
         userActivationPermissionsValidator.validate(userPatch);
-        userNotLastSuperAdminValidator.validate(new IdRequest<>(userPatch, userId));
-        authoriseValidator.validate(new IdRequest<>(userPatch, userId));
+        IdRequest<UserPatch, Integer> request = new IdRequest<>(userPatch, userId);
+        userNotLastSuperAdminValidator.validate(request);
+        authoriseValidator.validate(request);
+        notSameUserValidator.validate(request);
 
         var userAccountEntity = userAccountRepository.findById(userId)
             .orElseThrow(() -> new NoSuchElementException("No value present"));

src/main/java/uk/gov/hmcts/darts/usermanagement/validator/NotSameUserValidator.java

@@ -0,0 +1,29 @@
+package uk.gov.hmcts.darts.usermanagement.validator;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.stereotype.Component;
+import uk.gov.hmcts.darts.authorisation.api.AuthorisationApi;
+import uk.gov.hmcts.darts.authorisation.exception.AuthorisationError;
+import uk.gov.hmcts.darts.common.component.validation.Validator;
+import uk.gov.hmcts.darts.common.exception.DartsApiException;
+import uk.gov.hmcts.darts.common.validation.IdRequest;
+import uk.gov.hmcts.darts.usermanagement.model.UserPatch;
+
+import static java.util.Objects.nonNull;
+
+@Component
+@RequiredArgsConstructor
+public class NotSameUserValidator implements Validator<IdRequest<UserPatch, Integer>> {
+
+    private final AuthorisationApi authorisationApi;
+
+    @Override
+    public void validate(IdRequest<UserPatch, Integer> userPatch) {
+        if (nonNull(userPatch.getPayload())) {
+            var currentUser = authorisationApi.getCurrentUser();
+            if (currentUser.getId().equals(userPatch.getId())) {
+                throw new DartsApiException(AuthorisationError.USER_NOT_AUTHORISED_TO_MODIFY_OWN_ACCOUNT);
+            }
+        }
+    }
+}

src/main/resources/openapi/common.yaml

@@ -145,10 +145,11 @@ components:
         - "AUTHORISATION_112"
         - "AUTHORISATION_113"
         - "AUTHORISATION_114"
+        - "AUTHORISATION_115"
       x-enum-varnames: [ USER_NOT_AUTHORISED_FOR_COURTHOUSE, BAD_REQUEST_CASE_ID, BAD_REQUEST_HEARING_ID, BAD_REQUEST_MEDIA_REQUEST_ID, BAD_REQUEST_MEDIA_ID,
                          BAD_REQUEST_TRANSCRIPTION_ID, USER_DETAILS_INVALID, BAD_REQUEST_ANY_ID, BAD_REQUEST_TRANSFORMED_MEDIA_ID,
                          USER_NOT_AUTHORISED_FOR_ENDPOINT, BAD_REQUEST_ANNOTATION_ID, USER_NOT_AUTHORISED_TO_USE_PAYLOAD_CONTENT, UNABLE_TO_DEACTIVATE_USER,
-                         USER_NOT_AUTHORISED_TO_ACTIVATE_USER, USER_NOT_ACTIVE ]
+                         USER_NOT_AUTHORISED_TO_ACTIVATE_USER, USER_NOT_ACTIVE, USER_NOT_AUTHORISED_TO_MODIFY_OWN_ACCOUNT ]
 
     AuthorisationTitleErrors:
       type: string
@@ -168,10 +169,11 @@ components:
         - "Failed to deactivate user"
         - "Failed to activate user. User not authorised"
         - "User is not active"
+        - "User is not authorised to modify own account"
       x-enum-varnames: [ USER_NOT_AUTHORISED_FOR_COURTHOUSE, BAD_REQUEST_CASE_ID, BAD_REQUEST_HEARING_ID, BAD_REQUEST_MEDIA_REQUEST_ID, BAD_REQUEST_MEDIA_ID,
                          BAD_REQUEST_TRANSCRIPTION_ID, USER_DETAILS_INVALID, BAD_REQUEST_ANY_ID, BAD_REQUEST_TRANSFORMED_MEDIA_ID,
                          USER_NOT_AUTHORISED_FOR_ENDPOINT, BAD_REQUEST_ANNOTATION_ID, USER_NOT_AUTHORISED_TO_USE_PAYLOAD_CONTENT, UNABLE_TO_DEACTIVATE_USER,
-                         USER_NOT_AUTHORISED_TO_ACTIVATE_USER, USER_NOT_ACTIVE ]
+                         USER_NOT_AUTHORISED_TO_ACTIVATE_USER, USER_NOT_ACTIVE, USER_NOT_AUTHORISED_TO_MODIFY_OWN_ACCOUNT ]
 
     AutomatedTaskErrorCode:
       type: string