From 64c0c19419f23de7568473093955f966a6f93aed Mon Sep 17 00:00:00 2001
From: Pea Tyczynska
Date: Mon, 11 Mar 2019 15:01:22 +0000
Subject: [PATCH] Set user permissions when creating a folder
If the new folder has a parent folder, it inherits user permissions from its parent. Else if the new folder is at root level, all users will have a permission to view it.
---
 app/dao/service_user_dao.py | 11 ++++++-
 app/template_folder/rest.py | 11 ++++---
 .../test_template_folder_rest.py | 32 +++++++++++++++++++
 3 files changed, 49 insertions(+), 5 deletions(-)
diff --git a/app/dao/service_user_dao.py b/app/dao/service_user_dao.py
index f37abda33..4eaad0008 100644
--- a/app/dao/service_user_dao.py
+++ b/app/dao/service_user_dao.py
@@ -1,13 +1,22 @@
 from app import db
 from app.dao.dao_utils import transactional
-from app.models import ServiceUser
+from app.models import ServiceUser, User
 def dao_get_service_user(user_id, service_id):
 return ServiceUser.query.filter_by(user_id=user_id, service_id=service_id).one()
+def dao_get_active_service_users(service_id):
+ query = ServiceUser.query.join(ServiceUser.user).filter(
+ ServiceUser.service_id == service_id,
+ User.state == 'active'
+ )
+
+ return query.all()
+
+
 @transactional
 def dao_update_service_user(service_user):
 db.session.add(service_user)
diff --git a/app/template_folder/rest.py b/app/template_folder/rest.py
index 010bc1a66..fac997e39 100644
--- a/app/template_folder/rest.py
+++ b/app/template_folder/rest.py
@@ -11,6 +11,7 @@ from app.dao.template_folder_dao import (
 dao_delete_template_folder
 )
 from app.dao.services_dao import dao_fetch_service_by_id
+from app.dao.service_user_dao import dao_get_active_service_users
 from app.errors import InvalidRequest, register_errors
 from app.models import TemplateFolder
 from app.template_folder.template_folder_schema import (
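Review bot: `dao_get_active_service_users` in app/dao/service_user_dao.py has no docstring, and its name does not tell the caller that it returns `ServiceUser` association rows rather than `User` objects. The rest.py change in this commit uses the result as the default view-permission list for root-level folders, so the `User.state == 'active'` filter is effectively an access-control rule and deserves to be stated. I would add `"""Return the ServiceUser rows for service_id whose user is in the 'active' state; users in any other state are excluded."""` as the first line of the function.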
@@ -49,17 +50,19 @@ def create_template_folder(service_id):
 data = request.get_json()
 validate(data, post_create_template_folder_schema)
-
 if data.get('parent_id') is not None:
 try:
- dao_get_template_folder_by_id_and_service_id(data['parent_id'], service_id)
+ parent_folder = dao_get_template_folder_by_id_and_service_id(data['parent_id'], service_id)
+ users_with_permission = parent_folder.users
 except NoResultFound:
 raise InvalidRequest("parent_id not found", status_code=400)
-
+ else:
+ users_with_permission = dao_get_active_service_users(service_id)
 template_folder = TemplateFolder(
 service_id=service_id,
 name=data['name'].strip(),
- parent_id=data['parent_id']
+ parent_id=data['parent_id'],
+ users=users_with_permission,
 )
 dao_create_template_folder(template_folder)
diff --git a/tests/app/template_folder/test_template_folder_rest.py b/tests/app/template_folder/test_template_folder_rest.py
index b304b6fc3..137551bcb 100644
--- a/tests/app/template_folder/test_template_folder_rest.py
+++ b/tests/app/template_folder/test_template_folder_rest.py
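Review bot: In `create_template_folder`, the parent branch copies `parent_folder.users` unfiltered, while the root-level branch goes through `dao_get_active_service_users`, so the two paths apply different rules about who is granted view permission. If a service user attached to the parent can be in a non-active state (not visible from this hunk), that user is carried over to the new folder. Assuming `parent_folder.users` holds `ServiceUser` rows, as the `users=` argument in the other branch suggests, consider `users_with_permission = [su for su in parent_folder.users if su.user.state == 'active']`, or add a comment saying inheritance is deliberately unfiltered. The assignment could also move out of the `try` body so that only the lookup that can raise `NoResultFound` is guarded. The function starts before this hunk and continues after it.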
@@ -73,6 +73,38 @@ def test_create_template_folder(admin_request, sample_service, has_parent):
 assert resp['data']['parent_id'] == parent_id
+@pytest.mark.parametrize('has_parent', [True, False])
+def test_create_template_folder_sets_user_permissions(admin_request, sample_service, has_parent):
+ user_1 = create_user(email='one@gov.uk')
+ user_2 = create_user(email='two@gov.uk')
+ user_3 = create_user(email='three@gov.uk', state='pending')
+ existing_folder = create_template_folder(sample_service)
+ sample_service.users = [user_1, user_2, user_3]
+ service_user_1 = dao_get_service_user(user_1.id, sample_service.id)
+ service_user_1.folders = [existing_folder]
+
+ parent_id = str(existing_folder.id) if has_parent else None
+
+ resp = admin_request.post(
+ 'template_folder.create_template_folder',
+ service_id=sample_service.id,
+ _data={
+ 'name': 'foo',
+ 'parent_id': parent_id
+ },
+ _expected_status=201
+ )
+
+ assert resp['data']['name'] == 'foo'
+ assert resp['data']['service_id'] == str(sample_service.id)
+ assert resp['data']['parent_id'] == parent_id
+
+ if has_parent:
+ assert resp['data']['users_with_permission'] == [str(user_1.id)]
+ else:
+ assert resp['data']['users_with_permission'] == [str(user_1.id), str(user_2.id)]
+
+
 @pytest.mark.parametrize('missing_field', ['name', 'parent_id'])
 def test_create_template_folder_fails_if_missing_fields(admin_request, sample_service, missing_field):
 data = {
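Review bot: The root-level assertion `resp['data']['users_with_permission'] == [str(user_1.id), str(user_2.id)]` compares an ordered list, but `dao_get_active_service_users` ends in `query.all()` with no `order_by`. Unless the serializer sorts the ids (not visible here), the row order is left to the database and the test may fail intermittently. Comparing sorted lists, e.g. `assert sorted(resp['data']['users_with_permission']) == sorted([str(user_1.id), str(user_2.id)])`, removes that dependency. The `has_parent` case attaches only the active `user_1` to the parent folder, so it does not pin what happens when a pending user such as `user_3` already has permission on the parent.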