Bug/65538 show system unavailable page for teachers (#2925)

* Remove short circuit that was teacher only from auth module * Move `isAdminWindowAvailable` to first middleware position * asset version bump * Revert "Remove short circuit that was teacher only from auth module" This reverts commit 805d9b9. * Bugfix - system unavailable error for teachers * Lint update
DFEAGILEDEVOPS · Oct 3, 2024 · 6063e54 · 6063e54
1 parent aaf5a72
commit 6063e54
Show file tree

Hide file tree

Showing 13 changed files with 68 additions and 46 deletions.
diff --git a/admin/app.js b/admin/app.js
@@ -394,7 +394,7 @@ app.use(function (err, req, res, next) {
   if (err.code === 'EBADCSRFTOKEN') return res.redirect('back')
 
   // catch system unavailable errors and redirect to the relevant page
-  if (err.code === 'SYSTEM_UNAVAILABLE') {
+  if (err.name === 'SystemUnavailableError' || err.code === 'SYSTEM_UNAVAILABLE') {
     res.locals.pageTitle = 'The service is currently closed'
     return res.render('availability/admin-window-unavailable', {})
   }

diff --git a/admin/authentication/dfe-signin-strategy.js b/admin/authentication/dfe-signin-strategy.js
@@ -9,6 +9,7 @@ const passport = require('passport')
 const authModes = require('../lib/consts/auth-modes')
 const { DfeSignInError } = require('../error-types/dfe-signin-error')
 const { DsiSchoolNotFoundError } = require('../error-types/DsiSchoolNotFoundError')
+const { SystemUnavailableError } = require('../error-types/system-unavailable-error')
 /**
  * Asynchronous setup of DfE signin with retry strategy for issuer discovery
  * @returns {Promise<Strategy>} configured Passport Strategy
@@ -54,6 +55,14 @@ const initSignOnAsync = async () => {
       if (error instanceof DsiSchoolNotFoundError) {
         userMessage = error.message
       }
+      // The SystemUnavailableError is generated from `initialiseUser` when the role is TEACHER and
+      // the system is not available (as defined in the SM Settings page).  This is not a sign-on error
+      // so we don't wrap it up as a DfeSIgnInError.  Instead, let app.js handle it and render the correct error
+      // page.
+      if (error instanceof SystemUnavailableError) {
+        done(SystemUnavailableError)
+        return
+      }
       const dfeSignInError = new DfeSignInError(systemErrorMessage, userMessage, error)
       done(dfeSignInError)
     }

diff --git a/admin/routes/access-arrangements.js b/admin/routes/access-arrangements.js
@@ -13,50 +13,50 @@ if (featureToggles.isFeatureEnabled('accessArrangements')) {
   /* Access arrangements routing */
   router.get(
     '/overview',
-    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     isAdminWindowAvailable,
+    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     accessArrangementsController.getOverview
   )
   router.get(
     '/select-access-arrangements',
-    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     isAdminWindowAvailable,
+    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     accessArrangementsController.getSelectAccessArrangements
   )
   router.get(
     '/select-access-arrangements/:pupilUrlSlug',
-    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     isAdminWindowAvailable,
+    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     accessArrangementsController.getEditAccessArrangements
   )
   router.post(
     '/submit',
-    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     isAdminWindowAvailable,
+    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     accessArrangementsController.postSubmitAccessArrangements
   )
   router.get(
     '/delete-access-arrangements/:pupilUrlSlug',
-    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     isAdminWindowAvailable,
+    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     accessArrangementsController.getDeleteAccessArrangements
   )
   router.get(
     '/retro-add-input-assistant',
-    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     isAdminWindowAvailable,
+    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     (req, res, next) => retroInputAssistantController.getAddRetroInputAssistant(req, res, next)
   )
   router.post(
     '/retro-add-input-assistant-submit',
-    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     isAdminWindowAvailable,
+    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     (req, res, next) => retroInputAssistantController.postSubmitRetroInputAssistant(req, res, next)
   )
   router.get(
     '/delete-retro-input-assistant/:pupilUrlSlug',
-    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     isAdminWindowAvailable,
+    isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
     (req, res, next) => retroInputAssistantController.getDeleteRetroInputAssistant(req, res, next)
   )
 }

diff --git a/admin/routes/check-window.js b/admin/routes/check-window.js
@@ -8,7 +8,7 @@ const checkWindowController = require('../controllers/check-window')
 const featureToggles = require('feature-toggles')
 
 if (featureToggles.isFeatureEnabled('newCheckWindow')) {
-  /* Check Window routing */
+  /* Check Window routing  - SM feature */
   router.get('/manage-check-windows',
     isAuthenticated(roles.serviceManager),
     checkWindowController.getManageCheckWindows

diff --git a/admin/routes/group.js b/admin/routes/group.js
@@ -8,38 +8,38 @@ const group = require('../controllers/group')
 
 router.get(
   '/pupils-list',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   group.groupPupilsPage
 )
 router.get(
   '/pupils-list/add',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   group.manageGroupPage
 )
 router.get(
   '/pupils-list/edit/:groupId',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   group.manageGroupPage
 )
 router.post(
   '/pupils-list/add',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   group.addGroup
 )
 router.post(
   '/pupils-list/edit',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   group.editGroup
 )
 router.get(
   '/pupils-list/delete/:groupId',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   group.removeGroup
 )
 

diff --git a/admin/routes/hdf.js b/admin/routes/hdf.js
@@ -8,69 +8,69 @@ const hdfController = require('../controllers/hdf')
 
 router.get(
   ['/', '/results'],
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   hdfController.getResults
 )
 router.get(
   '/download-results',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   hdfController.downloadResults
 )
 
 router.get(
   '/declaration-form',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   hdfController.getDeclarationForm
 )
 router.post(
   '/submit-declaration-form',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   hdfController.postDeclarationForm
 )
 router.get(
   '/review-pupil-details',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   hdfController.getReviewPupilDetails
 )
 router.get(
   '/edit-reason/:urlSlug',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   hdfController.getEditReason
 )
 router.post(
   '/submit-edit-reason',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   hdfController.postSubmitEditReason
 )
 router.get(
   '/confirm-and-submit',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   hdfController.getConfirmSubmit
 )
 router.post(
   '/confirm-and-submit',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   hdfController.postConfirmSubmit
 )
 router.get(
   '/submitted',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   hdfController.getHDFSubmitted
 )
 router.get(
   '/submitted-form',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   hdfController.getHDFSubmittedForm
 )
 

diff --git a/admin/routes/pupil-pin.js b/admin/routes/pupil-pin.js
@@ -14,33 +14,33 @@ const {
 
 router.get(
   '/select-official-or-try-it-out',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   getSelectOfficialOrTryItOutPinGen
 )
 
 router.get(
   '/generate-:pinEnv-pins-overview',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   getGeneratePinsOverview
 )
 router.get(
   '/generate-:pinEnv-pins-list/:groupIds?',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   getGeneratePinsList
 )
 router.post(
   '/generate-:pinEnv-pins',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   postGeneratePins
 )
 router.get(
   '/view-and-custom-print-:pinEnv-pins',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   getViewAndCustomPrintPins
 )
 

diff --git a/admin/routes/pupil-register.js b/admin/routes/pupil-register.js
@@ -16,48 +16,56 @@ router.get(
 )
 router.get(
   '/pupil/add',
+  isAdminWindowAvailable,
   isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   ifNotRole(roles.staAdmin, isPostLiveOrLaterCheckPhase),
   pupilController.getAddPupil
 )
 router.post(
   '/pupil/add',
+  isAdminWindowAvailable,
   isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   ifNotRole(roles.staAdmin, isPostLiveOrLaterCheckPhase),
   pupilController.postAddPupil
 )
 router.get(
   '/pupil/add-batch-pupils',
+  isAdminWindowAvailable,
   isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isPostLiveOrLaterCheckPhase,
   pupilController.getAddMultiplePupils
 )
 router.post(
   '/pupil/add-batch-pupils',
+  isAdminWindowAvailable,
   isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isPostLiveOrLaterCheckPhase,
   pupilController.postAddMultiplePupils
 )
 router.get(
   '/pupil/download-error-csv',
+  isAdminWindowAvailable,
   isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isPostLiveOrLaterCheckPhase,
   pupilController.getErrorCSVFile
 )
 router.get(
   '/pupil/edit/:id',
+  isAdminWindowAvailable,
   isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isPostLiveOrLaterCheckPhase,
   pupilController.getEditPupilById
 )
 router.post(
   '/pupil/edit',
+  isAdminWindowAvailable,
   isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isPostLiveOrLaterCheckPhase,
   pupilController.postEditPupil
 )
 router.get(
   '/history/:urlSlug',
+  isAdminWindowAvailable,
   isAuthenticated([roles.staAdmin, roles.helpdesk]),
   isAdminWindowAvailable,
   pupilController.getViewPupilHistory

diff --git a/admin/routes/pupil-status.js b/admin/routes/pupil-status.js
@@ -5,9 +5,11 @@ const router = express.Router()
 const isAuthenticated = require('../authentication/middleware')
 const roles = require('../lib/consts/roles')
 const pupilStatusController = require('../controllers/pupil-status')
+const { isAdminWindowAvailable } = require('../availability/middleware')
 
 /* Pupil Status routing */
 router.get('/',
+  isAdminWindowAvailable,
   isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   pupilStatusController.getViewPupilStatus
 )

diff --git a/admin/routes/pupils-not-taking-the-check.js b/admin/routes/pupils-not-taking-the-check.js
@@ -7,45 +7,45 @@ const pupilsNotTakingTheCheck = require('../controllers/pupils-not-taking-the-ch
 
 router.get(
   '/select-pupils/:groupIds?',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   pupilsNotTakingTheCheck.getSelectPupilNotTakingCheck
 )
 router.get(
   '/save-pupils',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   pupilsNotTakingTheCheck.getSelectPupilNotTakingCheck
 )
 router.post(
   '/save-pupils',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   pupilsNotTakingTheCheck.savePupilNotTakingCheck
 )
 router.get(
   '/remove/:pupilId',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   refuseIfHdfSigned,
   (req, res, next) => pupilsNotTakingTheCheck.removePupilNotTakingCheck(req, res, next)
 )
 router.get(
   '/view',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   pupilsNotTakingTheCheck.viewPupilsNotTakingTheCheck
 )
 router.get(
   ['/', '/pupils-list'],
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   pupilsNotTakingTheCheck.getPupilNotTakingCheck
 )
 router.get(
   '/:removed',
-  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   isAdminWindowAvailable,
+  isAuthenticated([roles.teacher, roles.helpdesk, roles.staAdmin]),
   pupilsNotTakingTheCheck.getPupilNotTakingCheck
 )