Production deploy

.env.example

@@ -103,6 +103,9 @@ BOPS_SUBMISSION_URL_BUCKINGHAMSHIRE=https://buckinghamshire.${BOPS_API_ROOT_DOMA
 ## Camden
 BOPS_SUBMISSION_URL_CAMDEN=https://camden.${BOPS_API_ROOT_DOMAIN}
 
+## Gloucester
+BOPS_SUBMISSION_URL_GLOUCESTER=https://gloucester.${BOPS_API_ROOT_DOMAIN}
+
 ## End-to-end test team (borrows Lambeth's details)
 GOV_UK_PAY_TOKEN_E2E=👻
 BOPS_SUBMISSION_URL_E2E=https://lambeth.${BOPS_API_ROOT_DOMAIN}

api.planx.uk/.env.test.example

@@ -53,3 +53,6 @@ BOPS_SUBMISSION_URL_BUCKINGHAMSHIRE=https://buckinghamshire.${BOPS_API_ROOT_DOMA
 
 ## Camden
 BOPS_SUBMISSION_URL_CAMDEN=https://camden.${BOPS_API_ROOT_DOMAIN}
+
+## Gloucester
+BOPS_SUBMISSION_URL_GLOUCESTER=https://gloucester.${BOPS_API_ROOT_DOMAIN}

api.planx.uk/gis/digitalLand.ts

@@ -19,6 +19,7 @@ export interface LocalAuthorityMetadata {
 
 const localAuthorityMetadata: Record<string, LocalAuthorityMetadata> = {
   buckinghamshire: require("./local_authorities/metadata/buckinghamshire"),
+  camden: require("./local_authorities/metadata/camden"),
   canterbury: require("./local_authorities/metadata/canterbury"),
   doncaster: require("./local_authorities/metadata/doncaster"),
   lambeth: require("./local_authorities/metadata/lambeth"),

api.planx.uk/gis/local_authorities/metadata/camden.ts

@@ -0,0 +1,37 @@
+/*
+LAD20CD: E09000007
+LAD20NM: Camden
+LAD20NMW:
+FID:
+
+https://www.planning.data.gov.uk/entity/?dataset=article-4-direction-area&geometry_curie=statistical-geography%3AE09000007&entries=all&entry_date_day=&entry_date_month=&entry_date_year=
+https://docs.google.com/spreadsheets/d/1pFzq0cv_cwDx33d8QgRPVfIXtiseSxgmwQb6cORCVYs/edit#gid=0
+*/
+
+import { LocalAuthorityMetadata } from "../../digitalLand";
+
+const planningConstraints: LocalAuthorityMetadata["planningConstraints"] = {
+  article4: {
+    // Planx granular values link to Digital Land entity.reference
+    records: {
+      "article4.camden.147kentishTown": "A4KTRa1",
+      "article4.camden.187kentishTown": "A4KTRa2",
+      "article4.camden.33yorkRise": "A4aYR1",
+      "article4.camden.basements": "A4Ba3",
+      "article4.camden.belsize": "A4Ba1",
+      "article4.camden.belsizeAvenue": "A4Ba2",
+      "article4.camden.eC3Caz": "A4EC3a1",
+      "article4.camden.eC3NoCaz": "A4EC3b1",
+      "article4.camden.fitzjohnAvenue": "A4Fa2",
+      "article4.camden.frognal": "A4Fa1",
+      "article4.camden.hampstead": "A4Ha1",
+      "article4.camden.parkway": "A4Pa2",
+      "article4.camden.primroseHill": "A4Pa1",
+      "article4.camden.southHill": "A4aSHP1",
+      "article4.camden.suiGenC3": "A4SGC3a1",
+      "article4.camden.swissCottage": "A4Sa1",
+    },
+  },
+};
+
+export { planningConstraints };

api.planx.uk/modules/auth/service.ts

@@ -1,34 +1,49 @@
 import { sign } from "jsonwebtoken";
-import { adminGraphQLClient as adminClient } from "../../hasura";
-import { gql } from "graphql-request";
+import { $admin } from "../../client";
+import { User, Role } from "@opensystemslab/planx-core/types";
 
-export const buildJWT = async (email: string | undefined) => {
-  const { users } = await adminClient.request(
-    gql`
-      query ($email: String!) {
-        users(where: { email: { _eq: $email } }, limit: 1) {
-          id
-        }
-      }
-    `,
-    { email },
-  );
-
-  if (!users.length) return;
-
-  const { id } = users[0];
-
-  const hasura = {
-    "x-hasura-allowed-roles": ["admin"],
-    "x-hasura-default-role": "admin",
-    "x-hasura-user-id": id.toString(),
-  };
+export const buildJWT = async (email: string): Promise<string | undefined> => {
+  const user = await $admin.user.getByEmail(email);
+  if (!user) return;
 
   const data = {
-    sub: id.toString(),
-    "https://hasura.io/jwt/claims": hasura,
+    sub: user.id.toString(),
+    "https://hasura.io/jwt/claims": generateHasuraClaimsForUser(user),
   };
 
   const jwt = sign(data, process.env.JWT_SECRET!);
   return jwt;
 };
+
+const generateHasuraClaimsForUser = (user: User) => ({
+  "x-hasura-allowed-roles": getAllowedRolesForUser(user),
+  "x-hasura-default-role": getDefaultRoleForUser(user),
+  "x-hasura-user-id": user.id.toString(),
+});
+
+/**
+ * Get all possible roles for this user
+ * Requests made outside this scope will not be authorised by Hasura
+ */
+const getAllowedRolesForUser = (user: User): Role[] => {
+  const teamRoles = user.teams.map((teamRole) => teamRole.role);
+  const allowedRoles: Role[] = [
+    "public", // Allow public access
+    "teamEditor", // Least privileged role for authenticated users - required for Editor access
+    ...teamRoles, // User specific roles
+  ];
+  if (user.isPlatformAdmin) allowedRoles.push("platformAdmin");
+
+  return [...new Set(allowedRoles)];
+};
+
+/**
+ * The default role is used for all requests
+ * Can be overwritten on a per-request basis in the client using the x-hasura-role header
+ * set to a role in the x-hasura-allowed-roles list
+ *
+ * This is the role of least privilege for the user
+ */
+const getDefaultRoleForUser = (user: User): Role => {
+  return user.isPlatformAdmin ? "platformAdmin" : "teamEditor";
+};

api.planx.uk/modules/auth/strategy/google.ts

@@ -9,6 +9,8 @@ export const googleStrategy = new GoogleStrategy(
   },
   async function (_accessToken, _refreshToken, profile, done) {
     const { email } = profile._json;
+    if (!email) throw Error("Unable to authenticate without email");
+
     const jwt = await buildJWT(email);
 
     if (!jwt) {

api.planx.uk/modules/team/controller.ts

@@ -12,7 +12,7 @@ export const upsertMemberSchema = z.object({
   }),
   body: z.object({
     userId: z.number(),
-    role: z.enum(["teamAdmin", "teamViewer"]),
+    role: z.enum(["teamEditor", "teamViewer"]),
   }),
 });
 

api.planx.uk/modules/team/docs.yaml

@@ -21,7 +21,7 @@ components:
           example: 123
         role:
           type: string
-          enum: ["teamViewer", "teamAdmin"]
+          enum: ["teamViewer", "teamEditor"]
 paths:
   /team/{teamId}/add-member:
     put:

api.planx.uk/modules/team/index.test.ts

@@ -57,7 +57,7 @@ describe("Adding a user to a team", () => {
       });
   });
 
-  it("validates that role must one an accepted value", async () => {
+  it("validates that role must be an accepted value", async () => {
     await supertest(app)
       .put("/team/123/add-member")
       .set(authHeader())
@@ -80,7 +80,7 @@ describe("Adding a user to a team", () => {
       .set(authHeader())
       .send({
         userId: 123,
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(500)
       .then((res) => {
@@ -98,7 +98,7 @@ describe("Adding a user to a team", () => {
       .set(authHeader())
       .send({
         userId: 123,
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(200)
       .then((res) => {
@@ -156,7 +156,7 @@ describe("Removing a user from a team", () => {
       .set(authHeader())
       .send({
         userId: 123,
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(200)
       .then((res) => {
@@ -173,7 +173,7 @@ describe("Changing a user's role", () => {
       .patch("/team/123/change-member-role")
       .send({
         userId: 123,
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(401);
   });
@@ -183,7 +183,7 @@ describe("Changing a user's role", () => {
       .patch("/team/123/change-member-role")
       .set(authHeader())
       .send({
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(400)
       .then((res) => {
@@ -229,7 +229,7 @@ describe("Changing a user's role", () => {
       .set(authHeader())
       .send({
         userId: 123,
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(500)
       .then((res) => {
@@ -247,7 +247,7 @@ describe("Changing a user's role", () => {
       .set(authHeader())
       .send({
         userId: 123,
-        role: "teamAdmin",
+        role: "teamEditor",
       })
       .expect(200)
       .then((res) => {

api.planx.uk/package.json

@@ -4,7 +4,7 @@
   "private": true,
   "dependencies": {
     "@airbrake/node": "^2.1.8",
-    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#f6fcac9",
+    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#4e3d09f",
     "@types/isomorphic-fetch": "^0.0.36",
     "adm-zip": "^0.5.10",
     "aws-sdk": "^2.1441.0",

api.planx.uk/server.ts

@@ -133,6 +133,7 @@ assert(process.env.BOPS_SUBMISSION_URL_LAMBETH);
 assert(process.env.BOPS_SUBMISSION_URL_BUCKINGHAMSHIRE);
 assert(process.env.BOPS_SUBMISSION_URL_SOUTHWARK);
 assert(process.env.BOPS_SUBMISSION_URL_CAMDEN);
+assert(process.env.BOPS_SUBMISSION_URL_GLOUCESTER);
 app.post("/bops/:localAuthority", useHasuraAuth, sendToBOPS);
 
 assert(process.env.UNIFORM_TOKEN_URL);

api.planx.uk/tests/mockJWT.js

@@ -4,8 +4,8 @@ function getJWT(userId) {
   const data = {
     sub: String(userId),
     "https://hasura.io/jwt/claims": {
-      "x-hasura-allowed-roles": ["admin"],
-      "x-hasura-default-role": "admin",
+      "x-hasura-allowed-roles": ["platformAdmin", "public"],
+      "x-hasura-default-role": "platformAdmin",
       "x-hasura-user-id": String(userId),
     },
   };

docker-compose.yml

@@ -157,6 +157,8 @@ services:
       BOPS_SUBMISSION_URL_BUCKINGHAMSHIRE: ${BOPS_SUBMISSION_URL_BUCKINGHAMSHIRE}
       # Camden
       BOPS_SUBMISSION_URL_CAMDEN: ${BOPS_SUBMISSION_URL_CAMDEN}
+      # Gloucester
+      BOPS_SUBMISSION_URL_GLOUCESTER: ${BOPS_SUBMISSION_URL_GLOUCESTER}
 
   sharedb:
     restart: unless-stopped

e2e/tests/api-driven/package.json

@@ -6,7 +6,7 @@
   },
   "dependencies": {
     "@cucumber/cucumber": "^9.3.0",
-    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#f6fcac9",
+    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#4e3d09f",
     "axios": "^1.4.0",
     "dotenv": "^16.3.1",
     "dotenv-expand": "^10.0.0",

e2e/tests/ui-driven/package.json

@@ -8,7 +8,7 @@
     "postinstall": "./install-dependencies.sh"
   },
   "dependencies": {
-    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#f6fcac9",
+    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#4e3d09f",
     "axios": "^1.4.0",
     "dotenv": "^16.3.1",
     "eslint": "^8.44.0",

e2e/tests/ui-driven/src/context.ts

@@ -108,8 +108,8 @@ export function generateAuthenticationToken(userId) {
     {
       sub: `${userId}`,
       "https://hasura.io/jwt/claims": {
-        "x-hasura-allowed-roles": ["admin"],
-        "x-hasura-default-role": "admin",
+        "x-hasura-allowed-roles": ["platformAdmin", "public"],
+        "x-hasura-default-role": "platformAdmin",
         "x-hasura-user-id": `${userId}`,
       },
     },

e2e/tests/ui-driven/src/utils.ts

@@ -29,8 +29,8 @@ export const getJWT = (userId) => {
   const data = {
     sub: String(userId),
     "https://hasura.io/jwt/claims": {
-      "x-hasura-allowed-roles": ["admin"],
-      "x-hasura-default-role": "admin",
+      "x-hasura-allowed-roles": ["platformAdmin", "public"],
+      "x-hasura-default-role": "platformAdmin",
       "x-hasura-user-id": String(userId),
     },
   };