Restrict access to publications based on the user's organisation

app/controllers/application_controller.rb

@@ -63,4 +63,8 @@ def require_editor_permissions
     flash[:danger] = "You do not have correct editor permissions for this action."
     redirect_to edition_path(resource)
   end
+
+  def require_user_accessibility_to_edition(edition)
+    render plain: "404 Not Found", status: :not_found unless edition.is_accessible_to?(current_user)
+  end
 end

app/controllers/editions_controller.rb

@@ -4,6 +4,9 @@ class EditionsController < InheritedResources::Base
 
   defaults resource_class: Edition, collection_name: "editions", instance_name: "resource"
   before_action :setup_view_paths, except: %i[index]
+  before_action except: %i[index] do
+    require_user_accessibility_to_edition(@resource)
+  end
 
   helper_method :locale_to_language
 

app/controllers/legacy_editions_controller.rb

@@ -5,6 +5,9 @@ class LegacyEditionsController < InheritedResources::Base
   actions :create, :update, :destroy
   defaults resource_class: Edition, collection_name: "editions", instance_name: "resource"
   before_action :setup_view_paths, except: %i[index new create]
+  before_action except: %i[index create] do
+    require_user_accessibility_to_edition(@resource)
+  end
   before_action only: %i[update duplicate progress review destroy admin] do
     require_editor_permissions
   end

app/controllers/root_controller.rb

@@ -29,6 +29,7 @@ def index
     content_type_filter = filter_params_hash[:content_type_filter]
     title_filter = filter_params_hash[:title_filter]
     @presenter = FilteredEditionsPresenter.new(
+      current_user,
       states_filter: sanitised_states_filter_params,
       assigned_to_filter: assignee_filter,
       content_type_filter:,

app/models/edition.rb

@@ -35,10 +35,20 @@ class ResurrectionError < RuntimeError
 
   field :auth_bypass_id,       type: String, default: -> { SecureRandom.uuid }
 
+  field :owning_org_slugs, type: Array, default: []
+
   belongs_to :assigned_to, class_name: "User", optional: true
 
   embeds_many :link_check_reports
 
+  scope :accessible_to,
+        lambda { |user|
+          return all unless Flipflop.enabled?(:restrict_access_by_org)
+          return all if user.gds_editor?
+
+          where(owning_org_slugs: user.organisation_slug)
+        }
+
   # state_machine comes from Workflow
   state_machine.states.map(&:name).each do |state|
     scope state, -> { where(state:) }
@@ -503,6 +513,13 @@ def paths
     paths
   end
 
+  def is_accessible_to?(user)
+    return true unless Flipflop.enabled?(:restrict_access_by_org)
+    return true if user.gds_editor?
+
+    owning_org_slugs.include?(user.organisation_slug)
+  end
+
 private
 
   def base_field_keys

app/models/user.rb

@@ -87,4 +87,8 @@ def welsh_editor?
   def has_editor_permissions?(resource)
     govuk_editor? || (welsh_editor? && resource.artefact.welsh?)
   end
+
+  def gds_editor?
+    organisation_slug == "government-digital-service"
+  end
 end

app/presenters/filtered_editions_presenter.rb

@@ -3,7 +3,8 @@
 class FilteredEditionsPresenter
   ITEMS_PER_PAGE = 20
 
-  def initialize(states_filter: [], assigned_to_filter: nil, content_type_filter: nil, title_filter: nil, page: nil)
+  def initialize(user, states_filter: [], assigned_to_filter: nil, content_type_filter: nil, title_filter: nil, page: nil)
+    @user = user
     @states_filter = states_filter || []
     @assigned_to_filter = assigned_to_filter
     @content_type_filter = content_type_filter
@@ -62,6 +63,7 @@ def editions
     result = apply_states_filter(result)
     result = apply_assigned_to_filter(result)
     result = apply_title_filter(result)
+    result = result.accessible_to(user)
     result = result.where.not(_type: "PopularLinksEdition")
     result.order_by(%w[updated_at desc]).page(@page).per(ITEMS_PER_PAGE)
   end
@@ -129,5 +131,5 @@ def apply_title_filter(editions)
     editions.title_contains(title_filter)
   end
 
-  attr_reader :states_filter, :assigned_to_filter, :content_type_filter, :title_filter, :page
+  attr_reader :user, :states_filter, :assigned_to_filter, :content_type_filter, :title_filter, :page
 end

config/features.rb

@@ -16,4 +16,8 @@
   feature :design_system_edit,
           default: false,
           description: "Update the publications edit page to use the GOV.UK Design System"
+
+  feature :restrict_access_by_org,
+          default: false,
+          description: "Restrict access to editions based on the user's org and which org(s) own the edition"
 end

test/functional/editions_controller_test.rb

@@ -5,6 +5,9 @@ class EditionsControllerTest < ActionController::TestCase
     login_as_stub_user
     stub_linkables
     stub_holidays_used_by_fact_check
+
+    test_strategy = Flipflop::FeatureSet.current.test!
+    test_strategy.switch!(:restrict_access_by_org, false)
   end
 
   context "#template_folder_for" do
@@ -17,7 +20,7 @@ class EditionsControllerTest < ActionController::TestCase
   end
 
   context "#index" do
-    should "editions index redirects to root" do
+    should "redirect to root" do
       get :index
       assert_response :redirect
       assert_redirected_to root_path
@@ -36,12 +39,12 @@ class EditionsControllerTest < ActionController::TestCase
       @guide = GuideEdition.create!(title: "test", slug: "test2", panopticon_id: artefact.id)
     end
 
-    should "requesting a publication that doesn't exist returns a 404" do
+    should "return a 404 when requesting a publication that doesn't exist" do
       get :show, params: { id: "4e663834e2ba80480a0000e6" }
       assert_response :not_found
     end
 
-    should "we can view a guide" do
+    should "return a view for the requested guide" do
       get :show, params: { id: @guide.id }
       assert_response :success
       assert_not_nil assigns(:resource)
@@ -64,4 +67,50 @@ class EditionsControllerTest < ActionController::TestCase
       assert_equal EditionsController.new.method(:metadata).super_method.name, :show
     end
   end
+
+  context "when 'restrict_access_by_org' feature toggle is disabled" do
+    %i[show metadata history admin linking unpublish].each do |action|
+      context "##{action}" do
+        setup do
+          @edition = FactoryBot.create(:edition, owning_org_slugs: %w[org-two])
+        end
+
+        should "return a 200 when requesting an edition owned by a different organisation" do
+          login_as(FactoryBot.create(:user, organisation_slug: "org-one"))
+
+          get action, params: { id: @edition.id }
+
+          assert_response :ok
+        end
+      end
+    end
+  end
+
+  context "when 'restrict_access_by_org' feature toggle is enabled" do
+    setup do
+      test_strategy = Flipflop::FeatureSet.current.test!
+      test_strategy.switch!(:restrict_access_by_org, true)
+    end
+
+    teardown do
+      test_strategy = Flipflop::FeatureSet.current.test!
+      test_strategy.switch!(:restrict_access_by_org, false)
+    end
+
+    %i[show metadata history admin linking unpublish].each do |action|
+      context "##{action}" do
+        setup do
+          @edition = FactoryBot.create(:edition, owning_org_slugs: %w[org-two])
+        end
+
+        should "return a 404 when requesting an edition owned by a different organisation" do
+          login_as(FactoryBot.create(:user, organisation_slug: "org-one"))
+
+          get action, params: { id: @edition.id }
+
+          assert_response :not_found
+        end
+      end
+    end
+  end
 end

test/functional/legacy_editions_controller_test.rb

@@ -5,6 +5,9 @@ class LegacyEditionsControllerTest < ActionController::TestCase
     login_as_stub_user
     stub_linkables
     stub_holidays_used_by_fact_check
+
+    test_strategy = Flipflop::FeatureSet.current.test!
+    test_strategy.switch!(:restrict_access_by_org, false)
   end
 
   context "#create" do
@@ -1304,4 +1307,50 @@ class LegacyEditionsControllerTest < ActionController::TestCase
       end
     end
   end
+
+  context "when 'restrict_access_by_org' feature toggle is disabled" do
+    %i[metadata history].each do |action|
+      context "##{action}" do
+        setup do
+          @edition = FactoryBot.create(:edition, owning_org_slugs: %w[org-two])
+        end
+
+        should "return a 200 when requesting an edition owned by a different organisation" do
+          login_as(FactoryBot.create(:user, organisation_slug: "org-one"))
+
+          get action, params: { id: @edition.id }
+
+          assert_response :ok
+        end
+      end
+    end
+  end
+
+  context "when 'restrict_access_by_org' feature toggle is enabled" do
+    setup do
+      test_strategy = Flipflop::FeatureSet.current.test!
+      test_strategy.switch!(:restrict_access_by_org, true)
+    end
+
+    teardown do
+      test_strategy = Flipflop::FeatureSet.current.test!
+      test_strategy.switch!(:restrict_access_by_org, false)
+    end
+
+    %i[show metadata history admin unpublish duplicate update linking update_tagging update_related_external_links review destroy progress diff process_unpublish diagram].each do |action|
+      context "##{action}" do
+        setup do
+          @edition = FactoryBot.create(:edition, owning_org_slugs: %w[org-two])
+        end
+
+        should "return a 404 when requesting an edition owned by a different organisation" do
+          login_as(FactoryBot.create(:user, :govuk_editor, organisation_slug: "org-one"))
+
+          get action, params: { id: @edition.id }
+
+          assert_response :not_found
+        end
+      end
+    end
+  end
 end

test/functional/root_controller_test.rb

@@ -152,7 +152,7 @@ class RootControllerTest < ActionController::TestCase
     should "ignore unrecognised filter states" do
       FilteredEditionsPresenter
         .expects(:new)
-        .with(has_entry(:states_filter, %w[draft]))
+        .with(anything, has_entry(:states_filter, %w[draft]))
         .returns(stub(
                    editions: Kaminari.paginate_array([]).page(1),
                    available_users: [],