Add named-user access limiting

Adds the "Limit access to named publishers" option to the access
limiting form. Publishers can now restrict access to a draft to a list
of email addresses, with the creating publisher always preserved on
the list.

`Edition::LimitedAccess` manages the list via the `named_accesses`
association with autosave: assigning `access_limited_named_users=`
builds and marks-for-destruction records eagerly so the persisted list
always matches the input. `EditionRules#access_limit_enforced?` and
`Admin::EditionFilter` are extended to enforce membership for the
`named_users` mode, and `DraftEditionUpdater` skips its
organisation-membership check for it.

Co-authored-by: Alex Newton <alex.newton@digital.cabinet-office.gov.uk>

Author: jamiestamp

app/controllers/admin/edition_access_limited_controller.rb

@@ -48,6 +48,7 @@ def edition_params
     .fetch(:edition, {})
     .permit(
       :access_limited,
+      :access_limited_named_users,
       :editorial_remark,
       {
         lead_organisation_ids: [],

app/controllers/admin/editions_controller.rb

@@ -222,6 +222,7 @@ def permitted_edition_attributes
       :scheduled_publication,
       :lock_version,
       :access_limited,
+      :access_limited_named_users,
       :alternative_format_provider_id,
       :opening_at,
       :closing_at,

app/models/concerns/edition/limited_access.rb

@@ -1,9 +1,22 @@
 module Edition::LimitedAccess
   extend ActiveSupport::Concern
 
+  class Trait < Edition::Traits::Trait
+    def process_associations_after_save(draft)
+      @edition.named_accesses.each do |na|
+        draft.named_accesses.create!(email: na.email)
+      end
+    end
+  end
+
   included do
     enum :access_limited, { disabled: 0, organisations: 1, named_users: 2 }
+    has_many :named_accesses, dependent: :destroy, inverse_of: :edition, autosave: true
     after_initialize :set_access_limited
+    before_save :destroy_named_accesses_unless_named_users
+    before_save :ensure_creator_in_named_accesses, if: :named_users?
+    validate :validate_named_users_emails, if: -> { named_users? }
+    add_trait Trait
   end
 
   module ClassMethods
@@ -38,4 +51,60 @@ def set_access_limited
   def accessible_to?(user)
     user.present? && Whitehall::Authority::Enforcer.new(user, self).can?(:see)
   end
+
+  def access_limited_named_users=(value)
+    @access_limited_named_users_input = value
+    new_emails = parse_named_user_emails(value).map(&:downcase).uniq
+
+    existing = active_named_accesses.index_by { |na| na.email.downcase }
+
+    existing.each do |email, na|
+      na.mark_for_destruction unless new_emails.include?(email)
+    end
+
+    new_emails.each do |email|
+      named_accesses.build(email:) unless existing.key?(email)
+    end
+  end
+
+  def access_limited_named_users
+    @access_limited_named_users_input || active_named_accesses.map(&:email).join(", ")
+  end
+
+private
+
+  def active_named_accesses
+    named_accesses.reject(&:marked_for_destruction?)
+  end
+
+  def parse_named_user_emails(value)
+    (value || "").split(/[\n,]/).map(&:strip).reject(&:blank?)
+  end
+
+  def validate_named_users_emails
+    if active_named_accesses.empty?
+      errors.add(:access_limited_named_users, "must include at least one email address")
+    end
+
+    active_named_accesses.select(&:new_record?).each do |na|
+      next if URI::MailTo::EMAIL_REGEXP.match?(na.email)
+
+      errors.add(:access_limited_named_users, "#{na.email} is not a valid email address")
+    end
+  end
+
+  def destroy_named_accesses_unless_named_users
+    return if named_users?
+
+    named_accesses.each(&:mark_for_destruction)
+  end
+
+  def ensure_creator_in_named_accesses
+    return if creator&.email.blank?
+
+    email = creator.email.downcase
+    return if active_named_accesses.any? { |na| na.email.casecmp?(email) }
+
+    named_accesses.build(email:)
+  end
 end

app/services/draft_edition_updater.rb

@@ -24,7 +24,7 @@ def verb
 private
 
   def should_check_current_user_will_retain_access?
-    @options[:current_user].present? && edition.access_limited?
+    @options[:current_user].present? && edition.organisations?
   end
 
   def access_limit_excludes_current_user?

app/views/admin/editions/_access_limiting_fields.html.erb

@@ -1,22 +1,41 @@
 <div class="govuk-!-margin-bottom-6">
-  <%= render "govuk_publishing_components/components/fieldset", {
-    legend_text: "Limit access",
-    heading_level: 3,
-    heading_size: "m",
-  } do %>
-    <%= form.hidden_field :access_limited, value: "disabled" %>
-
-    <%= render "govuk_publishing_components/components/checkboxes", {
+    <% named_users_value = edition.named_users? ? edition.access_limited_named_users.presence : nil %>
+    <% named_users_value ||= current_user.email %>
+    <% named_users_error = edition.errors[:access_limited_named_users].first %>
+    <%= render "govuk_publishing_components/components/radio", {
+      heading: "Limit access",
       name: "edition[access_limited]",
       id: "edition_access_limited",
-      error_items: errors_for(edition.errors, :access_limited),
       items: [
         {
-          label: "Limit access to publishers from organisations associated with this document before you publish",
-          value: "organisations",
-          checked: edition.access_limited?,
+          value: :disabled,
+          text: "No – This document should be available to all publishers",
+          bold: true,
+          checked: edition.disabled?,
+        },
+        {
+          value: :organisations,
+          text: "Limit access to publishers from organisations associated with this document",
+          bold: true,
+          checked: edition.organisations?,
+        },
+        {
+          value: :named_users,
+          text: "Limit access to named publishers",
+          bold: true,
+          checked: edition.named_users?,
+          conditional: (render "govuk_publishing_components/components/textarea", {
+            label: {
+              text: "Add publishers who will have access",
+              bold: true,
+            },
+            name: "edition[access_limited_named_users]",
+            textarea_id: "edition_access_limited_named_users",
+            error_message: named_users_error,
+            value: named_users_value,
+            hint: "Add the emails of the publishers who will have access to this document before publishing. After publishing the document will be available to all publishers in the organisation associated with this document.",
+          }),
         },
       ],
     } %>
-  <% end %>
 </div>

db/schema.rb

@@ -357,7 +357,6 @@
 
   create_table "editions", id: :integer, charset: "utf8mb4", collation: "utf8mb4_unicode_ci", force: :cascade do |t|
     t.integer "access_limited", default: 0, null: false
-    t.integer "accessible_by", default: 0, null: false
     t.string "additional_related_mainstream_content_title"
     t.string "additional_related_mainstream_content_url"
     t.boolean "all_nation_applicability", default: true
@@ -625,7 +624,7 @@
     t.integer "edition_id"
     t.integer "image_data_id"
     t.datetime "updated_at", precision: nil
-    t.string "usage"
+    t.string "usage", null: false
     t.index ["edition_id"], name: "index_images_on_edition_id"
     t.index ["image_data_id"], name: "index_images_on_image_data_id"
   end

lib/whitehall/authority/rules/edition_rules.rb

@@ -93,10 +93,12 @@ def can_with_a_historic_instance?(action)
     end
 
     def access_limit_enforced?
-      if subject.access_limited?
+      if subject.organisations?
         organisations = subject.organisations
         organisations += subject.edition_organisations.map(&:organisation) if subject.respond_to?(:edition_organisations)
         organisations.exclude?(actor.organisation)
+      elsif subject.named_users?
+        subject.named_accesses.none? { |na| na.email.casecmp?(actor.email) }
       else
         false
       end

test/factories/named_accesses.rb

@@ -0,0 +1,6 @@
+FactoryBot.define do
+  factory :named_access do
+    association :edition
+    email { generate(:email) }
+  end
+end

test/functional/admin/edition_access_limited_controller_test.rb

@@ -27,7 +27,7 @@ class Admin::EditionAccessLimitedControllerTest < ActionController::TestCase
     get :edit, params: { id: edition }
 
     assert_select "form[action='#{update_access_limited_admin_edition_path(edition.id)}']" do
-      assert_select "input[name='edition[access_limited]'][type=checkbox][checked=checked]"
+      assert_select "input[name='edition[access_limited]'][type=radio][value='organisations'][checked=checked]"
       assert_select "textarea[name='edition[editorial_remark]']"
 
       (1..4).each do |i|
@@ -147,6 +147,31 @@ class Admin::EditionAccessLimitedControllerTest < ActionController::TestCase
     assert edition.reload.access_limited?
   end
 
+  test "PATCH :update updates named_users access and creates an editorial remark" do
+    edition = create(
+      :consultation,
+      access_limited: :disabled,
+    )
+
+    editorial_remark = "Limiting to named users."
+
+    put :update,
+        params: {
+          id: edition,
+          edition: {
+            access_limited: :named_users,
+            access_limited_named_users: "named@example.com",
+            editorial_remark:,
+          },
+        }
+
+    assert edition.reload.named_users?
+    assert_includes edition.named_accesses.pluck(:email), "named@example.com"
+    assert_redirected_to admin_editions_path
+    assert_equal "Access updated for #{edition.title}", flash[:notice]
+    assert_equal "Access options updated by GDS Admin: #{editorial_remark}", edition.editorial_remarks.last.body
+  end
+
   test "PATCH :update doesn't create an editorial remark or re-render with an error when nothing has changed" do
     first_organisation = create(:organisation)
     second_organisation = create(:organisation)

test/integration/asset_access_options_integration_test.rb

@@ -34,7 +34,7 @@ class AssetAccessOptionsIntegrationTest < ActionDispatch::IntegrationTest
       context "when document is marked as access limited in Whitehall" do
         before do
           visit edit_admin_edition_path(edition)
-          check "Limit access"
+          choose "Limit access to publishers from organisations associated with this document"
           click_button "Save"
           assert_text "Your document has been saved"
         end
@@ -163,7 +163,7 @@ class AssetAccessOptionsIntegrationTest < ActionDispatch::IntegrationTest
       context "when document is unmarked as access limited in Whitehall" do
         before do
           visit edit_admin_edition_path(edition)
-          uncheck "Limit access"
+          choose "No – This document should be available to all publishers"
           click_button "Save"
           assert_text "Your document has been saved"
         end