From 95ec4c99a69cb4dc023a04f82af7cde4d46ab3a8 Mon Sep 17 00:00:00 2001
From: Ludo Tolhurst-Cleaver
Date: Tue, 11 Jan 2022 10:24:20 +0000
Subject: [PATCH] Protect staff name/phone fields in front end.

---
 .cypress/cypress/integration/staff.js              | 50 +++++++++++++------
 CHANGELOG.md                                       |  1 +
 docs/_includes/admin-tasks-content.md              |  8 +++
 .../base/report/new/form_user_loggedin.html        |  2 +-
 .../report/update/form_user_loggedin.html          |  2 +-
 web/cobrands/fixmystreet/staff.js                  | 12 +++-
 6 files changed, 54 insertions(+), 21 deletions(-)

diff --git a/.cypress/cypress/integration/staff.js b/.cypress/cypress/integration/staff.js
index 995a29bb238..1edb185dcec 100644
--- a/.cypress/cypress/integration/staff.js
+++ b/.cypress/cypress/integration/staff.js
@@ -3,7 +3,7 @@ Cypress.Commands.add('cleanUpXHR', function() {
 });
 
 describe('Staff user tests', function() {
-    it('report as defaults to body', function() {
+    beforeEach(function() {
         cy.server();
         cy.route('/report/new/ajax*').as('report-ajax');
         cy.request({
@@ -18,29 +18,47 @@ describe('Staff user tests', function() {
         cy.get('[name=pc]').parents('form').submit();
         cy.url().should('include', '/around');
         cy.get('#map_box').click(240, 249);
+        cy.wait('@report-ajax');
+    });
+
+    it('report as defaults to body', function() {
         cy.get('[name=form_as]').should('have.value', 'body');
         cy.cleanUpXHR();
     });
 
     it('report title and detail are correctly prefilled', function() {
-        cy.server();
-        cy.route('/report/new/ajax*').as('report-ajax');
-        cy.request({
-            method: 'POST',
-            url: '/auth?r=/',
-            form: true,
-            body: { username: 'cs_full@example.org', password_sign_in: 'password' }
-        });
-        cy.visit('/');
-        cy.contains('Go');
-        cy.get('[name=pc]').type(Cypress.env('postcode'));
-        cy.get('[name=pc]').parents('form').submit();
-        cy.url().should('include', '/around');
-        cy.get('#map_box').click(240, 249);
-        cy.wait('@report-ajax');
         cy.pickCategory('Graffiti (offensive)');
         cy.get('[name=title]').should('have.value', 'A Graffiti (offensive) problem has been found');
         cy.get('[name=detail]').should('have.value', 'A Graffiti (offensive) problem has been found by Borsetshire County Council');
         cy.cleanUpXHR();
     });
+
+    it('does not let staff update their name, phone or email address whilst reporting or updating', function() {
+        // Lest CS staff forget to select 'report as another user' and type the reporter's details over their own.
+
+        cy.pickCategory('Flytipping');
+        // Skip through to about you page
+        cy.nextPageReporting();
+        cy.nextPageReporting();
+        cy.nextPageReporting();
+
+        // about you page
+        cy.get('#form_as').select('myself');
+        cy.get('[name=username]').should('be.disabled'); // (already protected)
+        cy.get('[name=phone]').should('be.disabled');
+        cy.get('[name=name]').should('have.attr', 'readonly');
+        cy.get('#map_sidebar').parents('form').submit();
+
+        // now check update page (going via 'Your account')
+        // (clicking on h1 conf link leaves staff fields still locked, so test passes in error)
+        cy.visit('/my');
+        cy.get('#js-reports-list li:first-child').click();
+
+        // update about you
+        cy.get('#form_update').type("this is an update");
+        cy.get('button.js-reporting-page--next').click();
+        cy.get('[name=username]').should('be.disabled'); // (already protected)
+        cy.get('[name=name]').should('have.attr', 'readonly');
+        cy.get('input[name=submit_register]').click();
+    });
 });
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d9ba7c762f5..74cb8759e23 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
     - Map page pagination links now styled as links rather than buttons. #3727
     - Include username in inactive email.
     - Update document title on client-side new report page transition.
+    - Disable staff phone and name fields to avoid accidental overwriting.
 - Bugfixes:
     - Add ID attributes to change password form inputs.
     - Fix link deactivation for privacy policy link on privacy policy page. #3704
diff --git a/docs/_includes/admin-tasks-content.md b/docs/_includes/admin-tasks-content.md
index a63a46adaeb..8afa148465d 100644
--- a/docs/_includes/admin-tasks-content.md
+++ b/docs/_includes/admin-tasks-content.md
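Review bot: The update-page half of the new test asserts only `[name=username]` and `[name=name]`, although the test title promises phone protection "whilst reporting or updating"; add `cy.get('[name=phone]').should('be.disabled');` after the `[name=name]` assertion in the "update about you" section, or narrow the title if the update form has no phone field. Both halves also assert only a DOM attribute, so they would still pass if the server accepted a changed name or phone from a hand-crafted POST; if that matters, a follow-up could send an altered value with `cy.request` and assert the staff profile shown on `/my` is unchanged. The comment about the h1 link leaving the fields "still locked, so test passes in error" hints at state leaking across the client-side page transition; a sentence saying why going via `/my` avoids it would help the next reader, e.g. `// /my is a full page load, so the about-you form starts from a clean state`, if that is indeed the reason.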
@@ -165,6 +165,14 @@ citizen’s experience](/pro-manual/citizens-experience/)'. Those with the appro the report-making interface, labeled ‘Report As’. Select either the council, ‘yourself’, ‘anonymous’ or ‘another user’. +In order to reduce confusion for customer service staff, the email, +name and phone number fields in the reporting and update pages are +disabled for staff users. This avoids accidental overwriting of their +own details with those of e.g. citizens making reports over the +telephone in case staff forget to switch the ‘Report As’ control to +‘another user’. + + If a user has the ‘Default to creating reports/update as the council’ permission then the dropdown will default to reporting as the council. Staff with the ’Markup problem details’ permission will also default to diff --git a/templates/web/base/report/new/form_user_loggedin.html b/templates/web/base/report/new/form_user_loggedin.html index b831836d597..6502a415c2b 100644 --- a/templates/web/base/report/new/form_user_loggedin.html +++ b/templates/web/base/report/new/form_user_loggedin.html @@ -18,7 +18,7 @@ [% BLOCK form_as %] - + [% IF can_contribute_as_another_user %] [% END %] diff --git a/web/cobrands/fixmystreet/staff.js b/web/cobrands/fixmystreet/staff.js index 808c4d4c028..3bfa0c71d5f 100644 --- a/web/cobrands/fixmystreet/staff.js +++ b/web/cobrands/fixmystreet/staff.js 
@@ -102,13 +102,15 @@ fixmystreet.staff_set_up = {
         var $phoneInput = $('input[name=phone]');
         var $showNameCheckbox = $('input[name=may_show_name]');
         var $addAlertCheckbox = $('#form_add_alert');
+        var $extraTitle = $('select#form_fms_extra_title'); // May not be present
         if (val === 'myself') {
             $emailInput.val($emailInput.prop('defaultValue')).prop('disabled', true);
             $emailOptionalLabel.addClass('hidden');
-            $nameInput.val($nameInput.prop('defaultValue')).prop('disabled', false);
-            $phoneInput.val($phoneInput.prop('defaultValue')).prop('disabled', false);
+            $nameInput.val($nameInput.prop('defaultValue')).prop('disabled', false).prop('readonly', true);
+            $phoneInput.val($phoneInput.prop('defaultValue')).prop('disabled', true);
             $showNameCheckbox.prop('checked', false).prop('disabled', false);
             $addAlertCheckbox.prop('checked', true).prop('disabled', false);
+            $extraTitle.prop('disabled', true);
         } else if (val === 'another_user') {
             $emailInput.val('').prop('disabled', false);
             if (!$phoneInput.length) {
@@ -119,10 +121,11 @@ fixmystreet.staff_set_up = {
                 $emailOptionalLabel.removeClass('hidden');
                 $emailInput.removeClass('required');
             }
-            $nameInput.val('').prop('disabled', false);
+            $nameInput.val('').prop('disabled', false).prop('readonly', false);
             $phoneInput.val('').prop('disabled', false);
             $showNameCheckbox.prop('checked', false).prop('disabled', true);
             $addAlertCheckbox.prop('checked', true).prop('disabled', false);
+            $extraTitle.prop('disabled', false);
         } else if (val === 'anonymous_user') {
             $emailInput.val('-').prop('disabled', true);
             $emailOptionalLabel.addClass('hidden');
@@ -130,6 +133,7 @@ fixmystreet.staff_set_up = {
             $phoneInput.val('-').prop('disabled', true);
             $showNameCheckbox.prop('checked', false).prop('disabled', true);
             $addAlertCheckbox.prop('checked', false).prop('disabled', true);
+            $extraTitle.prop('disabled', true);
         } else if (val === 'body') {
             $emailInput.val('-').prop('disabled', true);
             $emailOptionalLabel.addClass('hidden');
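Review bot: In the `'myself'` branch the two protected fields are treated differently — `$nameInput` gets `readonly` (still submitted) while `$phoneInput` gets `disabled` (a disabled control is omitted from the form submission), so where the old code submitted the staff member's own phone number the new code submits no `phone` field at all, and whether the server then keeps or clears the stored number is not visible in this diff. If the intent is "submit but do not edit", make the two consistent with `$phoneInput.val($phoneInput.prop('defaultValue')).prop('disabled', false).prop('readonly', true);` and assert `readonly` rather than `be.disabled` in the Cypress test; the same consideration applies to `$extraTitle.prop('disabled', true)`, which stops `form_fms_extra_title` being submitted. Both attributes are purely client-side and can be removed in devtools, so the server must still refuse or ignore name/phone changes for a staff user reporting as themselves; a comment such as `// UX guard only: the server must not rely on these fields being unchanged` would record that. The enclosing change handler begins before this hunk.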
@@ -137,6 +141,7 @@ fixmystreet.staff_set_up = {
             $phoneInput.val('-').prop('disabled', true);
             $showNameCheckbox.prop('checked', true).prop('disabled', true);
             $addAlertCheckbox.prop('checked', false).prop('disabled', true);
+            $extraTitle.prop('disabled', true);
         }
     });
     $('.js-contribute-as').trigger('change');
@@ -454,6 +459,7 @@ $(function() {
 });
 
 $(fixmystreet).on('display:report', function() {
+    fixmystreet.staff_set_up.contribute_as();
     fixmystreet.staff_set_up.moderation();
     fixmystreet.staff_set_up.response_templates();
     if ($("#report_inspect_form").length) {
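Review bot: `fixmystreet.staff_set_up.contribute_as()` is now run on every `display:report` event, and the `$('.js-contribute-as').trigger('change')` line in the hunk above suggests it binds a change handler each time it runs; if that binding is a plain `.on('change', …)` with no preceding `.off()`, every client-side report display stacks another copy of the handler on the same select. The handler as visible here only resets values and attributes, so today the cost is repeated work rather than wrong state, but any future non-idempotent action in it would fire once per accumulated binding. If it is bound with `.on`, prefer `$('.js-contribute-as').off('change.contribute_as').on('change.contribute_as', function() {` so repeat calls replace the handler rather than add to it. The `display:report` handler continues past the end of this hunk, and the binding line itself is outside the diff, so this is inferred rather than confirmed.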