Merge pull request #493 from DEFRA/fix/df-957-csat-scopes

fix/df-957: CSAT permissions fix

Author: jbarnsley10

package-lock.json

@@ -44,7 +44,7 @@
     "@aws-sdk/client-sqs": "^3.982.0",
     "@aws-sdk/s3-request-presigner": "^3.679.0",
     "@defra/forms-engine-plugin": "^4.4.0",
-    "@defra/forms-model": "^3.0.638",
+    "@defra/forms-model": "^3.0.642",
     "@defra/hapi-tracing": "^1.12.0",
     "@elastic/ecs-pino-format": "^1.5.0",
     "@hapi/boom": "^10.0.1",

package.json

@@ -102,19 +102,43 @@ export default [
    */
   ({
     method: 'POST',
-    path: '/feedback/{formId?}',
+    path: '/feedback',
     async handler(request) {
-      const { auth, params } = request
-      const { formId } = params
+      const { auth } = request
+
+      if (!auth.credentials.user) {
+        throw new Error('Missing user credential')
+      }
+      await generateFeedbackSubmissionsFileForAll(auth.credentials.user)
 
-      if (formId) {
-        await generateFeedbackSubmissionsFileForForm(formId)
-      } else {
-        if (!auth.credentials.user) {
-          throw new Error('Missing user credential')
+      return {
+        message: 'Generate feedback submissions file success'
+      }
+    },
+    options: {
+      tags: ['api'],
+      auth: {
+        scope: [`+${Scopes.FormsFeedbackAllForms}`]
+      },
+      response: {
+        status: {
+          200: generateFeedbackSubmissionsFileResponseSchema
         }
-        await generateFeedbackSubmissionsFileForAll(auth.credentials.user)
       }
+    }
+  }),
+
+  /**
+   * @satisfies {ServerRoute<GenerateFeedbackSubmissionsFile>}
+   */
+  ({
+    method: 'POST',
+    path: '/feedback/{formId}',
+    async handler(request) {
+      const { params } = request
+      const { formId } = params
+
+      await generateFeedbackSubmissionsFileForForm(formId)
 
       return {
         message: 'Generate feedback submissions file success'
@@ -128,7 +152,7 @@ export default [
       validate: {
         params: Joi.object()
           .keys({
-            formId: idSchema.optional()
+            formId: idSchema.required()
           })
           .label('generateFeedbackSubmissionsFileParams')
       },

src/routes/admin.js

@@ -166,15 +166,15 @@ describe('Admin route', () => {
       )
     })
 
-    test('Testing POST /feedback/{formId} route is successful with optional missing params', async () => {
+    test('Testing POST /feedback route is successful', async () => {
       jest.mocked(generateSubmissionsFile).mockResolvedValue({
         fileId: 'b93a5f08-e044-46f6-baec-0e5a5d8eaa53'
       })
 
       const response = await server.inject({
         method: 'POST',
         url: '/feedback',
-        auth: authAdmin
+        auth: authSuperadmin
       })
 
       expect(response.statusCode).toEqual(StatusCodes.OK)
@@ -208,7 +208,7 @@ describe('Admin route', () => {
       expect(response.statusCode).toEqual(StatusCodes.UNAUTHORIZED)
     })
 
-    test('Testing POST /feedback/{formId} route fails if user missing and optional missing param', async () => {
+    test('Testing POST /feedback route fails if user missing', async () => {
       const badAuth = structuredClone(authAdmin)
       // @ts-expect-error - forceably construct bad user object
       badAuth.credentials.user = undefined

src/routes/admin.test.js

@@ -24,6 +24,7 @@ export const authSuperadmin = {
       Scopes.UserDelete,
       Scopes.UserEdit,
       Scopes.FormsFeedback,
+      Scopes.FormsFeedbackAllForms,
       Scopes.FormsBackup,
       Scopes.ResetSaveAndExit,
       Scopes.DeadLetterQueues
@@ -54,7 +55,8 @@ export const authAdmin = {
       Scopes.UserCreate,
       Scopes.UserDelete,
       Scopes.UserEdit,
-      Scopes.FormsFeedback
+      Scopes.FormsFeedback,
+      Scopes.FormsFeedbackAllForms
     ]
   }
 }