Bug fix - govn add products (bcgov#3606)

Jxio · web-flow · commit bc8f34da8dca · 2026-02-11T13:55:29.000-08:00
diff --git a/auth-api/src/auth_api/services/products.py b/auth-api/src/auth_api/services/products.py
@@ -199,6 +199,7 @@ def create_product_subscription(
 
         subscriptions_list = subscription_data.get("subscriptions")
         for subscription in subscriptions_list:
+            auto_approve_current = auto_approve
             product_code = subscription.get("productCode")
             if ProductSubscriptionModel.find_by_org_id_product_code(org_id, product_code):
                 raise BusinessException(Error.PRODUCT_SUBSCRIPTION_EXISTS, None)
@@ -209,10 +210,10 @@ def create_product_subscription(
                     check_auth(system_required=True, org_id=org_id)
                 previously_approved, inactive_sub = Product._is_previously_approved(org_id, product_code)
                 if previously_approved:
-                    auto_approve = True
+                    auto_approve_current = True
 
                 subscription_status = Product.find_subscription_status(
-                    org, product_model, auto_approve, staff_review_for_create_org
+                    org, product_model, auto_approve_current, staff_review_for_create_org
                 )
                 product_subscription = Product._subscribe_and_publish_activity(
                     SubscriptionRequest(
@@ -403,7 +404,7 @@ def _create_review_task(review_task: ProductReviewTask):
     def find_subscription_status(org, product_model, auto_approve=False, staff_review_for_create_org=False):
         """Return the subscriptions status based on org type."""
         skip_review = org.access_type in GOV_ORG_TYPES and staff_review_for_create_org # prevent create second task when it's already added a staff review when creating org
-        if product_model.need_review and auto_approve is False:
+        if (product_model.need_review or org.access_type in GOV_ORG_TYPES) and not auto_approve:
             return (
                 ProductSubscriptionStatus.ACTIVE.value
                 if skip_review
diff --git a/auth-api/tests/unit/api/test_org.py b/auth-api/tests/unit/api/test_org.py
@@ -672,6 +672,111 @@ def test_create_govn_org_with_products_single_staff_review_task(client, jwt, ses
     )
 
 
+def test_govn_org_add_product_pending_staff_review(
+    client, jwt, session, keycloak_mock, monkeypatch
+):  # pylint:disable=unused-argument
+    """Assert adding a product to a GOVN org via POST /orgs/{id}/products results in PENDING_STAFF_REVIEW."""
+    patch_pay_account_post(monkeypatch)
+    headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.public_user_role)
+    client.post("/api/v1/users", headers=headers, content_type="application/json")
+
+    govn_org_payload = {
+        "name": "test govn add product",
+        "accessType": AccessType.GOVN.value,
+        "typeCode": OrgType.PREMIUM.value,
+        "mailingAddress": TestOrgInfo.get_mailing_address(),
+        "paymentInfo": {"paymentMethod": PaymentMethod.DIRECT_PAY.value},
+    }
+    rv = client.post(
+        "/api/v1/orgs",
+        data=json.dumps(govn_org_payload),
+        headers=headers,
+        content_type="application/json",
+    )
+    assert rv.status_code == HTTPStatus.CREATED
+    org_id = rv.json["id"]
+
+    product_code = ProductCode.BUSINESS_SEARCH.value
+    rv_products = client.post(
+        f"/api/v1/orgs/{org_id}/products",
+        data=json.dumps({"subscriptions": [{"productCode": product_code}]}),
+        headers=headers,
+        content_type="application/json",
+    )
+    assert rv_products.status_code == HTTPStatus.CREATED
+    subscriptions = rv_products.json.get("subscriptions", [])
+    product = next((p for p in subscriptions if p.get("code") == product_code), None)
+    assert product is not None, f"Product {product_code} should appear in response"
+    assert product["subscriptionStatus"] == ProductSubscriptionStatus.PENDING_STAFF_REVIEW.value, (
+        "GOVN org adding product should require staff review"
+    )
+
+
+@pytest.mark.parametrize(
+    "product_code,expected_status,use_factory_org,claims_attr,assert_no_product_task",
+    [
+        (ProductCode.NDS.value, ProductSubscriptionStatus.ACTIVE.value, True, "system_role", True),
+        (ProductCode.VS.value, ProductSubscriptionStatus.PENDING_STAFF_REVIEW.value, False, "public_user_role", False),
+    ],
+)
+def test_post_org_products_skip_auth_system_vs_org_admin(
+    client, jwt, session, keycloak_mock, monkeypatch,
+    product_code, expected_status, use_factory_org, claims_attr, assert_no_product_task,
+):  # pylint:disable=unused-argument
+    """Assert POST /orgs/{id}/products: SYSTEM vs org admin (non-GOVN/GOVM); focus on PENDING_STAFF_REVIEW for org admin."""
+    headers = factory_auth_header(jwt=jwt, claims=getattr(TestJwtClaims, claims_attr))
+
+    if use_factory_org:
+        regular_org = factory_org_model(org_info={"name": "regular org for system", "accessType": AccessType.REGULAR.value})
+        org_id = regular_org.id
+    else:
+        patch_pay_account_post(monkeypatch)
+        client.post("/api/v1/users", headers=headers, content_type="application/json")
+        rv = client.post(
+            "/api/v1/orgs",
+            data=json.dumps({
+                "name": "regular org for org admin",
+                "accessType": AccessType.REGULAR.value,
+                "typeCode": OrgType.PREMIUM.value,
+                "mailingAddress": TestOrgInfo.get_mailing_address(),
+                "paymentInfo": {"paymentMethod": PaymentMethod.DIRECT_PAY.value},
+            }),
+            headers=headers,
+            content_type="application/json",
+        )
+        assert rv.status_code == HTTPStatus.CREATED
+        org_id = rv.json["id"]
+
+    rv_products = client.post(
+        f"/api/v1/orgs/{org_id}/products",
+        data=json.dumps({"subscriptions": [{"productCode": product_code}]}),
+        headers=headers,
+        content_type="application/json",
+    )
+    assert rv_products.status_code == HTTPStatus.CREATED
+    subs = rv_products.json.get("subscriptions", [])
+    product = next((p for p in subs if p.get("code") == product_code), None)
+    if assert_no_product_task:
+        # NDS is hidden: POST response may not include it; use GET ?include_hidden=true to verify (as in prod workflow)
+        get_headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.staff_view_accounts_role)
+        rv_get = client.get(
+            f"/api/v1/orgs/{org_id}/products?include_hidden=true",
+            headers=get_headers,
+        )
+        assert rv_get.status_code == HTTPStatus.OK
+        subs = json.loads(rv_get.data)
+        product = next((p for p in subs if p.get("code") == product_code), None)
+    assert product is not None
+    assert product["subscriptionStatus"] == expected_status
+
+    if assert_no_product_task:
+        product_tasks = [
+            t for t in TaskService.fetch_tasks(TaskSearch(status=[TaskStatus.OPEN.value], page=1, limit=100))["tasks"]
+            if t.get("relationship_type") == TaskRelationshipType.PRODUCT.value and t.get("account_id") == org_id
+        ]
+        assert len(product_tasks) == 0, "SYSTEM adding product should not create a product review task"
+
+
 def test_add_org_invalid_returns_400(client, jwt, session):  # pylint:disable=unused-argument
     """Assert that POSTing an invalid org returns a 400."""
     headers = factory_auth_header(jwt, claims=TestJwtClaims.public_user_role)
