Skip to content

[Representative Status] 135311: Log Details about POA Unauthorized Errors #27788

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kristen-brown merged 4 commits into from
Apr 17, 2026
+48 −5
Merged

[Representative Status] 135311: Log Details about POA Unauthorized Errors #27788

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f2400dc
135311: Add logging for when user access denied in POA policy
kristen-brown Apr 16, 2026
b689611
135311: Update POA policy tests
kristen-brown Apr 16, 2026
07d26e5
Merge branch 'master' into 135311/log-details-about-poa-403-errors
kristen-brown Apr 17, 2026
47054f3
135311: Implement code suggestions
kristen-brown Apr 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 16 additions & 1 deletion app/policies/power_of_attorney_policy.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,21 @@

PowerOfAttorneyPolicy = Struct.new(:user, :power_of_attorney) do
def access?
user.loa3? && user.icn.present? && user.participant_id.present?
unless user.loa3? && user.icn.present? && user.participant_id.present?
log_access_denied
return false
end

true
end

private

def log_access_denied
Rails.logger.info('POA ACCESS DENIED',
loa_current: user.loa&.dig(:current),
loa3: user.loa3?,
icn_present: user.icn.present?,
participant_id_present: user.participant_id.present?)
end
end
36 changes: 32 additions & 4 deletions spec/policies/power_of_attorney_policy_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,31 +9,59 @@
context 'when user is LOA3, has an ICN, and has a participant_id' do
let(:user) { build(:user, :loa3) }

it 'grants access' do
it 'grants access and does not log' do
expect(Rails.logger).not_to receive(:info).with('POA ACCESS DENIED', anything)
expect(subject).to permit(user, :power_of_attorney)
end
end

context 'when user is LOA3 but does not have an ICN' do
let(:user) { build(:user, :loa3, icn: nil) }

it 'denies access due to missing ICN' do
it 'denies access due to missing ICN and logs the access denial details' do
expect(Rails.logger).to receive(:info).with(
'POA ACCESS DENIED',
hash_including(
loa_current: 3,
loa3: true,
icn_present: false,
participant_id_present: true
)
)
expect(subject).not_to permit(user, :power_of_attorney)
end
end

context 'when user is LOA3 but does not have a participant_id' do
let(:user) { build(:user, :loa3, participant_id: nil) }

it 'denies access due to missing participant_id' do
it 'denies access due to missing participant_id and logs the access denial details' do
expect(Rails.logger).to receive(:info).with(
'POA ACCESS DENIED',
hash_including(
loa_current: 3,
loa3: true,
icn_present: true,
participant_id_present: false
)
)
expect(subject).not_to permit(user, :power_of_attorney)
end
end

context 'when user is not LOA3' do
let(:user) { build(:user, :loa1) }

it 'denies access due to not being LOA3' do
it 'denies access due to not being LOA3 and logs the access denial details' do
expect(Rails.logger).to receive(:info).with(
'POA ACCESS DENIED',
hash_including(
loa_current: 1,
loa3: false,
icn_present: true,
participant_id_present: false
)
)
expect(subject).not_to permit(user, :power_of_attorney)
end
end
Expand Down
Loading