Protect staff name & phone fields in FMS front-end.

fixes mysociety/societyworks#2133
mysociety · Feb 17, 2022 · 280e493 · 280e493
1 parent 976ebeb
commit 280e493
Show file tree

Hide file tree

Showing 6 changed files with 311 additions and 8 deletions.
diff --git a/.cypress/cypress/fixtures/peterborough.xml b/.cypress/cypress/fixtures/peterborough.xml
diff --git a/.cypress/cypress/integration/staff.js b/.cypress/cypress/integration/staff.js
@@ -43,4 +43,52 @@ describe('Staff user tests', function() {
  cy.get('[name=detail]').should('have.value', 'A Graffiti (offensive) problem has been found by Borsetshire County Council');
  cy.cleanUpXHR();
  });
+
+ it('does not let staff update their name, phone or email address whilst reporting or updating', function() {
+ // (Lest CS staff forget to select 'report as another user' and type the reporter's details into their own account.)
+ cy.server();
+ cy.route('**mapserver/peterborough*highways*', 'fixture:peterborough.xml').as('ptboro-roads-layer');
+
+ // log in
+ cy.visit('http://peterborough.localhost:3001/auth');
+ cy.get('[name=username]').type('[email protected]');
+ cy.contains('Sign in with a password').click();
+ cy.get('[name=password_sign_in]').type('password');
+ cy.get('[name=sign_in_by_password]').last().click();
+
+ // Peterborough, in front of town hall
+ cy.visit('http://peterborough.localhost:3001/report/new?latitude=52.571475&longitude=-0.241525');
+ cy.wait('@ptboro-roads-layer');
+ // pick category: with check to avoid race condition
+ // but doesn't always work, so have added {force:true} as well
+ cy.get('input[value="General fly tipping"]').should('be.visible').click({force:true});
+ cy.nextPageReporting();
+
+ // hazardous waste question
+ cy.get('#form_hazardous').select('No');
+ cy.nextPageReporting();
+
+ // photos page
+ cy.get('div[aria-label="Tips for perfect photos"] + button').click();
+ cy.get('#form_title').type('fly tipped sofa');
+ cy.get('#form_detail').type('looks like a chesterfield');
+ cy.nextPageReporting();
+
+ // about you page
+ cy.get('[name=username]').should('be.disabled'); // (already protected)
+ cy.get('[name=phone]').should('be.disabled');
+ cy.get('[name=name]').should('have.attr', 'readonly');
+ cy.get('#map_sidebar').parents('form').submit();
+
+ // now check update page
+ cy.get('h1 > a').click();
+ cy.get('textarea#form_update').type('this is an update');
+ cy.get('button.js-reporting-page--next').click();
+
+ // update about you
+ cy.get('[name=username]').should('be.disabled'); // (already protected)
+ cy.get('[name=name]').should('have.attr', 'readonly');
+ cy.get('input[name=submit_register]').click();
+ });
+
 });
diff --git a/bin/fixmystreet.com/fixture b/bin/fixmystreet.com/fixture
@@ -24,6 +24,8 @@ use FixMyStreet::PhotoStorage;
 use FixMyStreet::DB::Factories;
 use Getopt::Long::Descriptive;
 
+our $bodies;
+
 my ($opt, $usage) = describe_options(
  '%c %o',
  [ 'area-id=i', "MapIt area ID to create body for", { required => 1 } ],
@@ -99,7 +101,6 @@ for my $cat ('Dropped Kerbs', 'Skips') {
 }
 
 if ($opt->test_fixtures) {
- my $bodies;
 
  my $params = {
  name => 'National Highways',
@@ -444,6 +445,8 @@ foreach (
  ] },
  { name => 'Wizard of Oz', email_verified => 1, email => '[email protected]', is_superuser => 't' },
  { name => "Norma User", email_verified => 1, email => '[email protected]' },
+ # Body-specific Users
+ { name => 'Peter Burra', email_verified => 1, email => '[email protected]', body => $bodies->{2566}, permissions => $perms_cs },
 ) {
  $users{$_->{email}} = FixMyStreet::DB::Factory::User->find_or_create($_);
  my $perms = $_->{permissions} ? " (" . join(', ', @{$_->{permissions} || []}) . ")" : "";

diff --git a/t/Mock/MapIt.pm b/t/Mock/MapIt.pm
@@ -68,10 +68,11 @@ my @PLACES = (
  [ 'GU51 4AE', 51.279456, -0.846216, 2333, 'Hart District Council', 'DIS', 2227, 'Hampshire County Council', 'CTY' ],
  [ 'WS1 4NH', 52.563074, -1.991032, 2535, 'Sandwell Borough Council', 'MTD' ],
  [ 'PO30 5XJ', 50.71086, -1.29573, 2636, 'Isle of Wight Council', 'UTA' ],
- [ 'PE1 1HF', 52.57146, -0.24201, 2566, 'Peterborough City Council', 'UTA' ],
- [ '?', 52.571903, -0.242007, 2566, 'Peterborough City Council', 'UTA' ],
- [ '?', 52.570792, -0.241841, 2566, 'Peterborough City Council', 'UTA' ],
- [ 'PE1 3NA', 52.599211, -0.255387, 2566, 'Peterborough City Council', 'UTA' ],
+ [ 'PE1 1HF', 52.57146, -0.24201, 2566, 'Peterborough City Council', 'UTA' ], # inside town hall
+ [ '?', 52.571903, -0.242007, 2566, 'Peterborough City Council', 'UTA' ], # inside town hall
+ [ '?', 52.570792, -0.241841, 2566, 'Peterborough City Council', 'UTA' ], # inside building nr. town hall
+ [ 'PE1 1HF', 52.571475, -0.241525, 2566, 'Peterborough City Council', 'UTA' ],# OUTSIDE town hall, on street
+ [ 'PE1 3NA', 52.599211, -0.255387, 2566, 'Peterborough City Council', 'UTA' ],# inside house on Pope Way
  [ 'OX28 4DS', 51.784721, -1.494453 ],
  [ 'E14 2DN', 51.508536, '0.000001' ],
  [ '?', 52.51093, -1.86514, 11809, 'West Midlands', 'EUR' ],

diff --git a/templates/web/base/report/new/form_user_loggedin.html b/templates/web/base/report/new/form_user_loggedin.html
@@ -18,7 +18,7 @@
 [% BLOCK form_as %]
  <label for="form_as">[% loc('Report as') %]</label>
  <select id="form_as" class="form-control js-contribute-as" name="form_as">
- <option value="myself" [% c.user.from_body AND ( c.user.has_body_permission_to('planned_reports') || c.user.has_body_permission_to('default_to_body') ) ? '' : 'selected' %]>[% loc('Yourself') %]</option>
+ <option value="myself" [% c.user.from_body AND ( c.user.has_body_permission_to('planned_reports') || c.user.has_body_permission_to('default_to_body') ) ? '' : 'selected' %]>[% loc('Yourself') %] [% IF c.user.name %]([% c.user.name %])[% END %]</option>
  [% IF js || can_contribute_as_anonymous_user %]
  <option value="anonymous_user">[% loc('Anonymous user') %]</option>
  [% END %]

diff --git a/web/cobrands/fixmystreet/staff.js b/web/cobrands/fixmystreet/staff.js
@@ -102,13 +102,17 @@ fixmystreet.staff_set_up = {
  var $phoneInput = $('input[name=phone]');
  var $showNameCheckbox = $('input[name=may_show_name]');
  var $addAlertCheckbox = $('#form_add_alert');
+ var $extraTitle = $('select#form_fms_extra_title');
  if (val === 'myself') {
  $emailInput.val($emailInput.prop('defaultValue')).prop('disabled', true);
  $emailOptionalLabel.addClass('hidden');
- $nameInput.val($nameInput.prop('defaultValue')).prop('disabled', false);
- $phoneInput.val($phoneInput.prop('defaultValue')).prop('disabled', false);
+ $nameInput.val($nameInput.prop('defaultValue')).prop('readonly', true);
+ $phoneInput.val($phoneInput.prop('defaultValue')).prop('disabled', true);
  $showNameCheckbox.prop('checked', false).prop('disabled', false);
  $addAlertCheckbox.prop('checked', true).prop('disabled', false);
+ if ($extraTitle) {
+ $extraTitle.prop('disabled', true);
+ }
  } else if (val === 'another_user') {
  $emailInput.val('').prop('disabled', false);
  if (!$phoneInput.length) {