From 4635676c5cb026d6ea5e4239e1f1d824374d309a Mon Sep 17 00:00:00 2001
From: davidsauntson
Date: Fri, 15 May 2026 15:45:09 +0100
Subject: [PATCH] Selectively allow unpublishing of historical editions

Previously only GDS Editors and GDS Admins could unpublish historical content. The DBT are about to unpublish and archive a lot of content, so an exception has been made to allow specific users outside of those two GDS roles to unpublish historic content. This change creates the relevant unpublishing permission and allows users with it to perform the unpublishing action for historic documents.
---
 app/models/user.rb | 5 ++++
 .../authority/rules/edition_rules.rb | 10 +++++++-
 test/factories/users.rb | 8 +++++++
 .../authority/historical_unpublisher_test.rb | 24 +++++++++++++++++++
 4 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 test/unit/lib/whitehall/authority/historical_unpublisher_test.rb
diff --git a/app/models/user.rb b/app/models/user.rb
index 2026e3e8bf5..3d4f1496eaf 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -23,6 +23,7 @@ module Permissions
 PUBLISH_SCHEDULED_EDITIONS = "Publish scheduled editions".freeze
 GDS_ADMIN = "GDS Admin".freeze
 SIDEKIQ_ADMIN = "Sidekiq Admin".freeze
+ UNPUBLISH_HISTORIC_CONTENT = "Unpublish historic content".freeze
 end
 def role
@@ -81,4 +82,8 @@ def organisation_content_id
 end
 attr_writer :organisation_content_id
+
+ def can_unpublish_historic_content?
+ has_permission?(Permissions::UNPUBLISH_HISTORIC_CONTENT)
+ end
 end
diff --git a/lib/whitehall/authority/rules/edition_rules.rb b/lib/whitehall/authority/rules/edition_rules.rb
index 4e310fbe867..fee39e6a8f9 100644
--- a/lib/whitehall/authority/rules/edition_rules.rb
+++ b/lib/whitehall/authority/rules/edition_rules.rb
@@ -88,8 +88,16 @@ def can_with_an_instance?(action)
 def can_with_a_historic_instance?(action)
 return false if access_limit_enforced?
+ return true if actor.gds_admin? || actor.gds_editor?
- action == :see || actor.gds_editor? || actor.gds_admin?
+ case action
+ when :see
+ true
+ when :unpublish
+ actor.can_unpublish_historic_content?
+ else
+ false
+ end
 end
 def access_limit_enforced?
diff --git a/test/factories/users.rb b/test/factories/users.rb
index db6057bf0c4..f7d0ee0cef7 100644
--- a/test/factories/users.rb
+++ b/test/factories/users.rb
@@ -72,4 +72,12 @@
 ]
 end
 end
+
+ factory :historical_unpublisher, parent: :user do
+ permissions do
+ [
+ User::Permissions::UNPUBLISH_HISTORIC_CONTENT,
+ ]
+ end
+ end
 end
diff --git a/test/unit/lib/whitehall/authority/historical_unpublisher_test.rb b/test/unit/lib/whitehall/authority/historical_unpublisher_test.rb
new file mode 100644
index 00000000000..da0dad0bd5b
--- /dev/null
+++ b/test/unit/lib/whitehall/authority/historical_unpublisher_test.rb
@@ -0,0 +1,24 @@
+require_relative "authority_test_helper"
+
+class HistoricalUnpublisherTest < ActiveSupport::TestCase
+ include AuthorityTestHelper
+
+ setup do
+ @user = create(:historical_unpublisher)
+ end
+
+ test "can see an historical document" do
+ assert enforcer_for(@user, historic_edition).can?(:see)
+ end
+
+ test "can unpublish an historical document" do
+ assert enforcer_for(@user, historic_edition).can?(:unpublish)
+ end
+
+ test "can't perform any other action on an historical document" do
+ denied_actions = Whitehall::Authority::Rules::EditionRules.actions - %i[see unpublish]
+ denied_actions.each do |action|
+ assert_not enforcer_for(@user, historic_edition).can?(action)
+ end
+ end
+end
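Review bot: In `can_with_a_historic_instance?` (lib/whitehall/authority/rules/edition_rules.rb), the new `when :unpublish` branch returns `actor.can_unpublish_historic_content?` as the whole decision, so for historic editions the permission replaces the rule set rather than adding to it. Only the `access_limit_enforced?` guard is visible ahead of it; whatever role or organisation checks gate unpublishing of non-historic editions are outside this hunk and, as far as the hunk shows, are not consulted, so a holder appears able to unpublish any department's historic content. If the exception is meant for one department's own documents, the branch should also require the ordinary unpublish rule or an organisation match. Either way, a comment such as `# Narrow exception: this permission alone authorises unpublishing historic editions, across all organisations` would record the intended scope. The method's callers are outside the hunk.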
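Review bot: The new test/unit/lib/whitehall/authority/historical_unpublisher_test.rb checks what the permission holder may and may not do on `historic_edition`, but nothing pins the boundaries of the exception. Add a case asserting that a `:historical_unpublisher` is refused `:unpublish` on an access-limited historic edition they cannot access, which exercises the `return false if access_limit_enforced?` guard. Add another asserting that the permission grants no `:unpublish` on a non-historic edition. A companion assertion that a user without the permission still cannot unpublish a historic edition would catch a regression in the `else` branch of the `case`, unless that is already covered in a test file not shown here.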