From 8e71281abf20dc6ea6d0f953ae35984aceb3c877 Mon Sep 17 00:00:00 2001
From: Jonathon <jonathon.shire@digital.cabinet-office.gov.uk>
Date: Tue, 22 Oct 2024 21:21:08 +0100
Subject: [PATCH] Add rake task to assign access permissions for an
 organisation

Four tasks are added that allow us to:

- Assign and remove permissions on a case by case basis for specific artefacts
- Remove all permission flags from an artefact, essentially resetting it to open permission
- Assign an org permission to a group of artefacts from a CSV file containing rows of URLs

There is no easy way to find the OrgID from an org name so OrgID must be provided by us
when using it in the rake tasks.
---
 lib/tasks/access_and_permissions.rake | 60 +++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 lib/tasks/access_and_permissions.rake

diff --git a/lib/tasks/access_and_permissions.rake b/lib/tasks/access_and_permissions.rake
new file mode 100644
index 000000000..4ff56d9dd
--- /dev/null
+++ b/lib/tasks/access_and_permissions.rake
@@ -0,0 +1,60 @@
+namespace :permissions do
+  desc "Add an organisation to an document's access permissions list"
+  task :add_organisation_access, %i[document_content_id org_content_id] => :environment do |_, args|
+    document = Artefact.where(id: args[document_content_id])
+    if document.nil?
+      puts "Document not found, no permissions changed."
+    elsif document.latest_edition.owning_org_content_ids.include? args[org_content_id]
+      puts "Organisation already has permission to access this document"
+    else
+      Edition.where(panopticon_id: document.id).each do |edition|
+        edition.owning_org_content_ids << args[org_content_id]
+      end
+      document.save_as_task("PermissionsAddition")
+      puts "Access permission successfully assigned"
+    end
+  end
+
+  desc "Remove an organisation from an document's access permissions list"
+  task :remove_organisation_access, %i[document_content_id org_content_id] => :environment do |_, args|
+    document = Artefact.where(id: args[document_content_id])
+    if document.exists?
+      Edition.where(panopticon_id: document.id).each do |edition|
+        edition.owning_org_content_ids.delete(args[org_content_id])
+      end
+      document.save_as_task("PermissionsRemoval")
+      puts "Access removed from organisation"
+    else
+      puts "Document not found, no permissions changed."
+    end
+  end
+
+  desc "Remove all access permissions from an document"
+  task :remove_all_access_flags, %i[document_content_id] => :environment do |_, args|
+    document = Artefact.where(id: args[document_content_id])
+    if document.exists?
+      Edition.where(panopticon_id: document.id).each do |edition|
+        edition.owning_org_content_ids.clear
+      end
+      document.save_as_task("PermissionsClear")
+      puts "All access permissions removed"
+    else
+      puts "Document not found, no permissions changed."
+    end
+  end
+
+  desc "Bulk process access permissions from CSV of URLs - See doc"
+  task :bulk_process_access_flags, %i[csv_filename, organisation_id] => :environment do |_, args|
+    csv = CSV.new(args[csv_filename])
+    csv.each do |row|
+      path = row[0]
+      path.slice! "https://www.gov.uk/"
+      document = Artefact.where(slug: path)
+
+      next if document.nil?
+
+      Rake::Task["permissions:add_organisation_access"].reenable # I prefer to do this first but can be done after if cleaner
+      Rake::Task["permissions:add_organisation_access"].invoke(document.id, organisation_id)
+    end
+  end
+end