Remove out of office permissions from ordinary employees

terolaakso · terolaakso · commit 92f2dd3cf678 · 2025-01-08T11:52:29.000+02:00
diff --git a/service/src/integrationTest/kotlin/fi/espoo/evaka/outofoffice/OutOfOfficeIntegrationTest.kt b/service/src/integrationTest/kotlin/fi/espoo/evaka/outofoffice/OutOfOfficeIntegrationTest.kt
@@ -14,11 +14,13 @@ import fi.espoo.evaka.shared.dev.DevDaycare
 import fi.espoo.evaka.shared.dev.DevEmployee
 import fi.espoo.evaka.shared.dev.insert
 import fi.espoo.evaka.shared.domain.FiniteDateRange
+import fi.espoo.evaka.shared.domain.Forbidden
 import fi.espoo.evaka.shared.domain.RealEvakaClock
 import java.util.*
 import kotlin.test.Test
 import kotlin.test.assertEquals
 import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.assertThrows
 import org.springframework.beans.factory.annotation.Autowired
 
 class OutOfOfficeIntegrationTest : FullApplicationTest(resetDbBeforeEach = true) {
@@ -91,4 +93,45 @@ class OutOfOfficeIntegrationTest : FullApplicationTest(resetDbBeforeEach = true)
             outOfOfficeController.getOutOfOfficePeriods(dbInstance(), employee, clock)
         assertEquals(0, deletedPeriods.size)
     }
+
+    @Test
+    fun `ordinary employees cannot see or create out of office periods`() {
+        val ordinaryEmployee =
+            AuthenticatedUser.Employee(
+                id = EmployeeId(UUID.randomUUID()),
+                roles = setOf(UserRole.STAFF),
+            )
+
+        db.transaction { tx ->
+            tx.insert(DevEmployee(id = ordinaryEmployee.id))
+            tx.insertDaycareAclRow(
+                daycareId = daycare.id,
+                employeeId = ordinaryEmployee.id,
+                UserRole.STAFF,
+            )
+        }
+
+        val period =
+            OutOfOfficePeriodUpsert(
+                id = null,
+                period =
+                    FiniteDateRange(
+                        start = clock.today().plusDays(1),
+                        end = clock.today().plusDays(2),
+                    ),
+            )
+
+        assertThrows<Forbidden> {
+            outOfOfficeController.getOutOfOfficePeriods(dbInstance(), ordinaryEmployee, clock)
+        }
+
+        assertThrows<Forbidden> {
+            outOfOfficeController.upsertOutOfOfficePeriod(
+                dbInstance(),
+                ordinaryEmployee,
+                clock,
+                period,
+            )
+        }
+    }
 }
diff --git a/service/src/main/kotlin/fi/espoo/evaka/shared/security/Action.kt b/service/src/main/kotlin/fi/espoo/evaka/shared/security/Action.kt
@@ -1444,16 +1444,8 @@ sealed interface Action {
             IsMobile(false).isAssociatedWithEmployee(),
             IsEmployee.isInSameUnitWithEmployee(),
         ),
-        READ_OUT_OF_OFFICE(
-            HasGlobalRole(ADMIN),
-            HasUnitRole(UNIT_SUPERVISOR).inAnyUnit(),
-            IsEmployee.self(),
-        ),
-        UPDATE_OUT_OF_OFFICE(
-            HasGlobalRole(ADMIN),
-            HasUnitRole(UNIT_SUPERVISOR).inAnyUnit(),
-            IsEmployee.self(),
-        );
+        READ_OUT_OF_OFFICE(HasGlobalRole(ADMIN), HasUnitRole(UNIT_SUPERVISOR).inAnyUnit()),
+        UPDATE_OUT_OF_OFFICE(HasGlobalRole(ADMIN), HasUnitRole(UNIT_SUPERVISOR).inAnyUnit());
 
         override fun toString(): String = "${javaClass.name}.$name"
     }
