OPS-5521: edit project form (#5540)

Author: weimiao67

backend/openapi.yml

@@ -3566,8 +3566,11 @@ paths:
       operationId: updateProject
       summary: Update an existing Project
       description: |
-        Update a Project by ID. The project_type field cannot be changed.
-        Only the fields provided in the request body will be updated.
+        Update a Project by ID. Only the fields provided in the request body
+        will be updated. Authorization is enforced per-project: only users
+        associated with the project (creator, team leaders, agreement team
+        members, COR/ACOR, division directors, portfolio team leaders) and
+        users with the BUDGET_TEAM or SYSTEM_OWNER roles may update a project.
       parameters:
         - $ref: "#/components/parameters/simulatedError"
         - in: path
@@ -3611,6 +3614,8 @@ paths:
           description: Bad Request - Invalid input or validation error
         "401":
           description: Unauthorized
+        "403":
+          description: Forbidden - User is not authorized to update this project
         "404":
           description: Not Found - Project does not exist
         "500":
@@ -6700,6 +6705,17 @@ components:
           type: string
           enum: [RESEARCH, ADMINISTRATIVE_AND_SUPPORT]
           example: RESEARCH
+        _meta:
+          type: object
+          description: |
+            Server-computed metadata for this project, scoped to the current user.
+          properties:
+            isEditable:
+              type: boolean
+              description: |
+                True when the current user is authorized to update this project
+                (see PATCH /projects/{id} for the authorization rules).
+              example: true
       required:
         - title
     ResearchProjects:
@@ -8272,6 +8288,17 @@ components:
           type: string
           format: date-time
           example: "2023-04-06T20:33:38.292475Z"
+        _meta:
+          type: object
+          description: |
+            Server-computed metadata for this project, scoped to the current user.
+          properties:
+            isEditable:
+              type: boolean
+              description: |
+                True when the current user is authorized to update this project
+                (see PATCH /projects/{id} for the authorization rules).
+              example: true
       required:
         - id
         - project_type

backend/ops_api/ops/resources/projects.py

@@ -1,4 +1,5 @@
 from flask import Response, current_app, request
+from flask_jwt_extended import get_current_user
 from typing_extensions import List
 
 from models import AdministrativeAndSupportProject, Project, ProjectType, ResearchProject
@@ -9,6 +10,7 @@
 from ops_api.ops.auth.decorators import is_authorized
 from ops_api.ops.base_views import BaseItemAPI, BaseListAPI
 from ops_api.ops.schemas.projects import (
+    MetaSchema,
     ProjectCreationRequestSchema,
     ProjectFundingRequestSchema,
     ProjectFundingResponseSchema,
@@ -22,6 +24,7 @@
 )
 from ops_api.ops.services.projects import ProjectsService
 from ops_api.ops.utils.events import OpsEventHandler
+from ops_api.ops.utils.projects_helpers import check_project_user_association
 from ops_api.ops.utils.response import make_response_with_headers
 
 
@@ -37,15 +40,18 @@ def get(self, id: int) -> Response:
         project = service.get(id)
         match project.project_type:
             case ProjectType.RESEARCH:
-                research_schema = ResearchProjectResponse()
-                serialized_project = research_schema.dump(project)
+                schema = ResearchProjectResponse(exclude=["_meta"])
             case ProjectType.ADMINISTRATIVE_AND_SUPPORT:
                 # No separate schema for admin project yet but there will be
-                admin_schema = ProjectResponse()
-                serialized_project = admin_schema.dump(project)
+                schema = ProjectResponse(exclude=["_meta"])
             case _:
-                general_schema = ProjectResponse()
-                serialized_project = general_schema.dump(project)
+                schema = ProjectResponse(exclude=["_meta"])
+        serialized_project = schema.dump(project)
+
+        current_user = get_current_user()
+        serialized_project["_meta"] = MetaSchema().dump(
+            {"isEditable": check_project_user_association(project, current_user)}
+        )
 
         return make_response_with_headers(serialized_project)
 

backend/ops_api/ops/schemas/projects.py

@@ -2,7 +2,7 @@
 from decimal import Decimal
 from typing import Optional
 
-from marshmallow import Schema, fields, pre_dump
+from marshmallow import EXCLUDE, Schema, fields, pre_dump
 
 from models import ProjectSortCondition, ProjectType
 from ops_api.ops.schemas.pagination import PaginationListSchema
@@ -25,6 +25,13 @@ class ProjectListGetRequestSchema(PaginationListSchema):
     sort_fiscal_year = fields.List(fields.Integer(), required=False, load_default=[])
 
 
+class MetaSchema(Schema):
+    class Meta:
+        unknown = EXCLUDE
+
+    isEditable = fields.Bool(load_default=False, dump_default=False)
+
+
 class TeamLeaders(Schema):
     id: int = fields.Int(required=True)
     full_name: Optional[str] = fields.String()
@@ -112,6 +119,7 @@ class ProjectResponse(Schema):
     division_directors: Optional[list[IdNamePair]] = fields.List(fields.Nested(IdNamePair), dump_default=[])
     project_officers: Optional[list[IdNamePair]] = fields.List(fields.Nested(IdNamePair), dump_default=[])
     alternate_project_officers: Optional[list[IdNamePair]] = fields.List(fields.Nested(IdNamePair), dump_default=[])
+    _meta = fields.Nested(MetaSchema, required=True)
 
     @pre_dump
     def extract_metadata(self, data, **kwargs):

backend/ops_api/ops/services/projects.py

@@ -425,7 +425,27 @@ def get(self, id: int) -> Project:
             The Project instance
         """
 
-        project = self.db_session.get(Project, id)
+        # Eager-load the relationships traversed by the response serializer
+        # (project_metadata) and by check_project_user_association, to avoid N+1 queries.
+        stmt = (
+            select(Project)
+            .where(Project.id == id)
+            .options(
+                selectinload(Project.team_leaders),
+                selectinload(Project.agreements).selectinload(Agreement.team_members),
+                selectinload(Project.agreements)
+                .selectinload(Agreement.budget_line_items)
+                .selectinload(BudgetLineItem.can)
+                .selectinload(CAN.portfolio)
+                .selectinload(Portfolio.division),
+                selectinload(Project.agreements)
+                .selectinload(Agreement.budget_line_items)
+                .selectinload(BudgetLineItem.can)
+                .selectinload(CAN.portfolio)
+                .selectinload(Portfolio.team_leaders),
+            )
+        )
+        project = self.db_session.scalar(stmt)
         if not project:
             raise ResourceNotFoundError("Project", id)
         return project

backend/ops_api/tests/ops/project/test_project_authorization.py

@@ -500,3 +500,31 @@ def test_patch_project_no_perms_returns_403(self, no_perms_auth_client, loaded_d
         data = {"title": "Should Not Update"}
         response = no_perms_auth_client.patch(url_for("api.projects-item", id=unassociated_project.id), json=data)
         assert response.status_code == 403
+
+
+class TestGetProjectMetaIsEditable:
+    """GET /projects/<id> returns _meta.isEditable matching the backend authorization rules."""
+
+    def test_get_project_unassociated_user_is_not_editable(
+        self, basic_user_auth_client, loaded_db, unassociated_project
+    ):
+        response = basic_user_auth_client.get(url_for("api.projects-item", id=unassociated_project.id))
+        assert response.status_code == 200
+        assert response.json["_meta"]["isEditable"] is False
+
+    def test_get_project_creator_is_editable(self, basic_user_auth_client, loaded_db, project_created_by_basic_user):
+        response = basic_user_auth_client.get(url_for("api.projects-item", id=project_created_by_basic_user.id))
+        assert response.status_code == 200
+        assert response.json["_meta"]["isEditable"] is True
+
+    def test_get_project_team_leader_is_editable(
+        self, basic_user_auth_client, loaded_db, project_with_basic_user_team_leader
+    ):
+        response = basic_user_auth_client.get(url_for("api.projects-item", id=project_with_basic_user_team_leader.id))
+        assert response.status_code == 200
+        assert response.json["_meta"]["isEditable"] is True
+
+    def test_get_project_budget_team_is_editable(self, budget_team_auth_client, loaded_db, unassociated_project):
+        response = budget_team_auth_client.get(url_for("api.projects-item", id=unassociated_project.id))
+        assert response.status_code == 200
+        assert response.json["_meta"]["isEditable"] is True

frontend/cypress/e2e/projectDetails.cy.js

@@ -1,18 +1,18 @@
 /// <reference types="cypress" />
 import { terminalLog, testLogin } from "./utils";
 
-beforeEach(() => {
-    testLogin("system-owner");
-    cy.visit("/projects/1000");
-    cy.get("h1", { timeout: 10000 }).should("be.visible");
-});
-
 afterEach(() => {
     cy.injectAxe();
     cy.checkA11y(null, null, terminalLog);
 });
 
 describe("Project Details Page", () => {
+    beforeEach(() => {
+        testLogin("system-owner");
+        cy.visit("/projects/1000");
+        cy.get("h1", { timeout: 10000 }).should("be.visible");
+    });
+
     it("loads the seeded project details and disabled tab tooltips", () => {
         cy.url().should("include", "/projects/1000");
         cy.get("h1").should("contain", "Human Services Interoperability Support");
@@ -41,4 +41,72 @@ describe("Project Details Page", () => {
         cy.get("[data-cy='alternate-project-officers-tag']").should("contain", "Dave Director");
         cy.get("[data-cy='project-team-members-tag']").should("contain", "Amelia Popham");
     });
+
+    it("enters edit mode and displays the form", () => {
+        cy.get("[data-cy='project-details-edit-button']").click();
+        cy.contains("h2", "Edit Project").should("be.visible");
+        cy.get("input[name='title']").should("be.visible");
+        cy.get("input[name='short_title']").should("be.visible");
+        cy.get("textarea[name='description']").should("be.visible");
+        cy.get("[data-cy='save-btn']").should("be.visible");
+        cy.get("[data-cy='cancel-button']").should("be.visible");
+    });
+
+    it("edits project details and saves successfully", () => {
+        const originalShortTitle = "HSS";
+        const updatedShortTitle = `HSS-${Date.now()}`;
+        cy.intercept("PATCH", "**/api/v1/projects/1000").as("patchProject");
+
+        cy.get("[data-cy='project-details-edit-button']").click();
+        cy.get("input[name='short_title']").clear().type(updatedShortTitle);
+        cy.get("[data-cy='save-btn']").click();
+
+        cy.wait("@patchProject").then((interception) => {
+            expect(interception.response.statusCode).to.equal(200);
+            expect(interception.response.body.id).to.equal(1000);
+        });
+        cy.contains("Project Updated").should("be.visible");
+        cy.get("[data-cy='project-nickname-tag']").should("contain", updatedShortTitle);
+
+        // Restore the seeded short_title so later tests (and the seeded fixture assertions
+        // above) keep passing when the spec reruns against the same database.
+        cy.get("[data-cy='project-details-edit-button']").click();
+        cy.get("input[name='short_title']").clear().type(originalShortTitle);
+        cy.get("[data-cy='save-btn']").click();
+        cy.wait("@patchProject").its("response.statusCode").should("equal", 200);
+    });
+
+    it("shows an error alert when the save request fails", () => {
+        cy.intercept("PATCH", "**/api/v1/projects/1000", { statusCode: 500, body: { error: "boom" } }).as(
+            "patchProjectError"
+        );
+        cy.get("[data-cy='project-details-edit-button']").click();
+        cy.get("input[name='short_title']").clear().type("Will Not Save");
+        cy.get("[data-cy='save-btn']").click();
+        cy.wait("@patchProjectError");
+        cy.contains("Error Updating Project").should("be.visible");
+    });
+
+    it("shows confirmation modal on cancel during edit", () => {
+        cy.get("[data-cy='project-details-edit-button']").click();
+        cy.get("[data-cy='cancel-button']").click();
+        cy.contains("Are you sure you want to cancel editing").should("be.visible");
+    });
+});
+
+describe("Project Details Page — unauthorized user", () => {
+    beforeEach(() => {
+        testLogin("basic");
+        cy.visit("/projects/1000");
+        cy.get("h1", { timeout: 10000 }).should("be.visible");
+    });
+
+    it("disables the edit button when the user does not have permission", () => {
+        cy.get("[data-cy='project-details-edit-button']").should("have.attr", "aria-disabled", "true");
+        cy.get("[data-cy='project-details-edit-button']").should(
+            "have.attr",
+            "aria-label",
+            "You do not have permission to edit this project"
+        );
+    });
 });

frontend/src/api/opsAPI.js

@@ -668,6 +668,15 @@ export const opsApi = createApi({
             }),
             invalidatesTags: ["ResearchProjects"]
         }),
+        updateProject: builder.mutation({
+            query: ({ id, data }) => ({
+                url: `/projects/${id}`,
+                method: "PATCH",
+                headers: { "Content-Type": "application/json" },
+                body: data
+            }),
+            invalidatesTags: ["ResearchProjects"]
+        }),
         updateBudgetLineItemStatus: builder.mutation({
             query: ({ id, status }) => ({
                 url: `/budget-line-items/${id}`,
@@ -1248,6 +1257,7 @@ export const {
     useGetResearchProjectsQuery,
     useGetResearchProjectsByPortfolioQuery,
     useAddResearchProjectsMutation,
+    useUpdateProjectMutation,
     useUpdateBudgetLineItemStatusMutation,
     useGetAgreementTypesQuery,
     useGetProductServiceCodesQuery,