From a5765c32390db341c4aca59f65ebf6111f1abdf4 Mon Sep 17 00:00:00 2001
From: Rob Dingwell <rob@robdingwell.org>
Date: Wed, 27 Aug 2014 16:37:42 -0400
Subject: [PATCH 1/3] Adding 'rolify' role based access library.  This is being
 done to begin to support user/provider level authorization to results.

---
 Gemfile                                        |  2 ++
 Gemfile.lock                                   |  2 ++
 app/controllers/admin_controller.rb            |  4 ++--
 app/controllers/api/patients_controller.rb     |  2 +-
 app/controllers/logs_controller.rb             |  2 +-
 app/models/ability.rb                          | 18 +++++++++++++-----
 app/models/role.rb                             | 16 ++++++++++++++++
 app/models/user.rb                             | 17 +++++++++++++----
 app/views/admin/users.html.erb                 |  4 ++--
 app/views/home/index.html.erb                  |  6 +++++-
 app/views/shared/_header.html.erb              |  4 ++--
 app/views/shared/_top_nav.html.erb             |  6 +++---
 .../initializers/active_model_serializers.rb   |  1 +
 config/initializers/mongo.rb                   |  1 +
 config/initializers/rolify.rb                  |  8 ++++++++
 lib/hds/provider.rb                            |  3 ++-
 lib/tasks/popHealth_users.rake                 | 10 ++++++++++
 test/fixtures/roles.yml                        | 11 +++++++++++
 test/fixtures/roles/admin_role.json            | 10 ++++++++++
 test/fixtures/roles/staff_role.json            | 12 ++++++++++++
 test/fixtures/users/admin_user.json            |  8 ++++++--
 test/fixtures/users/admin_user2.json           |  7 +++++--
 test/fixtures/users/generic_user.json          |  6 ++++--
 test/fixtures/users/generic_user2.json         |  6 ++++--
 test/fixtures/users/no_staff_role_user.json    |  3 +--
 test/fixtures/users/unapproved_user.json       |  3 +--
 test/functional/admin_controller_test.rb       |  2 +-
 test/functional/api/queries_controller_test.rb |  1 +
 test/functional/logs_controller_test.rb        |  1 +
 test/models/role_test.rb                       |  7 +++++++
 test/unit/admin_rake_test.rb                   |  2 +-
 test/unit/models/user_test.rb                  |  1 +
 test/unit/user_rake_test.rb                    |  1 +
 33 files changed, 151 insertions(+), 36 deletions(-)
 create mode 100644 app/models/role.rb
 create mode 100644 config/initializers/rolify.rb
 create mode 100644 test/fixtures/roles.yml
 create mode 100644 test/fixtures/roles/admin_role.json
 create mode 100644 test/fixtures/roles/staff_role.json
 create mode 100644 test/models/role_test.rb

diff --git a/Gemfile b/Gemfile
index a7951bf55..518c6173b 100644
--- a/Gemfile
+++ b/Gemfile
@@ -44,6 +44,8 @@ gem 'jquery-rails' # necessary for jquery_ujs w/data-method="delete" etc
 gem 'uglifier'
 gem 'non-stupid-digest-assets' # support vendored non-digest assets
 
+gem 'rolify'
+
 group :test, :develop, :ci do
   gem 'pry'
   gem 'jasmine', '2.0.1'
diff --git a/Gemfile.lock b/Gemfile.lock
index d3cac71e7..f68b09b37 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -209,6 +209,7 @@ GEM
     rest-client (1.6.8)
       mime-types (~> 1.16)
       rdoc (>= 2.4.2)
+    rolify (3.4.0)
     rubyzip (0.9.9)
     sass (3.2.19)
     sass-rails (4.0.3)
@@ -299,6 +300,7 @@ DEPENDENCIES
   pry-byebug
   quality-measure-engine!
   rails (~> 4.1.2)
+  rolify
   rubyzip
   sass-rails (~> 4.0.2)
   simplecov
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index c314f5dbf..d148801ee 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -112,10 +112,10 @@ def toggle_privilidges(username, role, direction)
 
     if user
       if direction == :promote
-        user.update_attribute(role, true)
+        user.add_role(role)
         render :text => "Yes - <a href=\"#\" class=\"demote\" data-role=\"#{role}\" data-username=\"#{username}\">revoke</a>"
       else
-        user.update_attribute(role, false)
+        user.remove_role(role)
         render :text => "No - <a href=\"#\" class=\"promote\" data-role=\"#{role}\" data-username=\"#{username}\">grant</a>"
       end
     else
diff --git a/app/controllers/api/patients_controller.rb b/app/controllers/api/patients_controller.rb
index 714f6f71a..653677c42 100644
--- a/app/controllers/api/patients_controller.rb
+++ b/app/controllers/api/patients_controller.rb
@@ -124,7 +124,7 @@ def set_filter_params
         @quality_report = QME::QualityReport.find(params[:quality_report_id])
         authorize! :read, @quality_report
         @query["provider.npi"] = {"$in" => @quality_report.filters["providers"]}
-      elsif current_user.admin?
+      elsif current_user.has_role?( :admin )
       else
          @query["provider.npi"] = current_user.npi
       end
diff --git a/app/controllers/logs_controller.rb b/app/controllers/logs_controller.rb
index 8864310d8..0a11fe4e0 100644
--- a/app/controllers/logs_controller.rb
+++ b/app/controllers/logs_controller.rb
@@ -20,7 +20,7 @@ def index
     end
 
     where = {}
-    where[:username] = current_user.username unless current_user.admin?
+    where[:username] = current_user.username unless current_user.has_role?( :admin )
 
     start_date = date_param_to_date(params[:log_start_date])
     if start_date
diff --git a/app/models/ability.rb b/app/models/ability.rb
index d36098bfd..57d7719b1 100755
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -20,13 +20,13 @@ def initialize(user)
 
     user ||= User.new
 
-    if user.admin?
+    if user.has_role?(:admin)
       can :manage, :all
       # can [:create,:delete], Record
       # can :manage, Provider
       # can [:read, :recalculate,:create, :deleted], QME::QualityReport
       # can [:create,:delete], HealthDataStandards::CQM::Measure
-    elsif user.staff_role?
+    elsif user.has_role?(:staff)
       can :read, HealthDataStandards::CQM::Measure
       can :read, Record
       can :manage, Provider
@@ -39,12 +39,20 @@ def initialize(user)
         patient.providers.map(&:npi).include?(user.npi)
       end
       can [:read,:delete, :recalculate, :create], QME::QualityReport do |qr|
-         provider = Provider.by_npi(user.npi).first
-         provider ? (qr.filters || {})["providers"].include?(provider.id) : false
+         providers = Provider.with_role(:staff, user)
+         provider_ids = []
+         providers.each do |p|
+           provider_ids.concat  p.descendants_and_self.collect(&:id)
+         end
+         !(provider_ids & (qr.filters || {})["providers"]).empty?
       end
       can :read, HealthDataStandards::CQM::Measure
       can :read, Provider do |pv|
-        user.npi && (pv.npi == user.npi)
+        ret = false
+        pv.ancestors_and_self.each do |p|
+          ret = true if user.has_role?(:staff, p)
+        end
+        ret
       end
       can :manage, User, id: user.id
       cannot :manage, User unless APP_CONFIG['allow_user_update']
diff --git a/app/models/role.rb b/app/models/role.rb
new file mode 100644
index 000000000..8e5d8de94
--- /dev/null
+++ b/app/models/role.rb
@@ -0,0 +1,16 @@
+class Role
+  include Mongoid::Document
+  has_and_belongs_to_many :users
+  belongs_to :resource, :polymorphic => true
+  
+  field :name, :type => String
+
+  index({
+    :name => 1,
+    :resource_type => 1,
+    :resource_id => 1
+  },
+  { :unique => true})
+  
+  scopify
+end
diff --git a/app/models/user.rb b/app/models/user.rb
index 19e9c7725..73929e2c2 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -5,7 +5,7 @@ class User
 
   include ActiveModel::MassAssignmentSecurity
   include Mongoid::Document
-
+  rolify
   after_initialize :build_preferences, unless: Proc.new { |user| user.preferences.present? }
   before_save :denullify_arrays
   before_create :set_defaults
@@ -80,7 +80,7 @@ class User
   validates :username, :presence => true, length: {minimum: 3, maximum: 254}
 
   def set_defaults
-    self.staff_role ||= APP_CONFIG["default_user_staff_role"]
+    self.add_role :staff if APP_CONFIG["default_user_staff_role"]
     self.approved ||= APP_CONFIG["default_user_approved"]
     true
   end
@@ -128,7 +128,7 @@ def self.by_email(email)
   # =============
 
   def grant_admin
-    update_attribute(:admin, true)
+    self.add_role :admin
     update_attribute(:approved, true)
   end
 
@@ -137,7 +137,16 @@ def approve
   end
 
   def revoke_admin
-    update_attribute(:admin, false)
+    self.remove_role :admin
+    self[:admin]
+  end
+
+  def admin?
+    self.has_role?( :admin )
+  end
+
+  def staff_role? 
+    self.has_role?( :staff )
   end
 
 end
diff --git a/app/views/admin/users.html.erb b/app/views/admin/users.html.erb
index c7b8d8bda..8aaf78b14 100644
--- a/app/views/admin/users.html.erb
+++ b/app/views/admin/users.html.erb
@@ -108,14 +108,14 @@
       </select>
     </td>
     <td>
-      <% if user.admin? -%>
+      <% if user.has_role?(:admin) -%>
       Yes - <a href="#" class="demote" data-role="admin" data-username="<%= user.username %>">revoke</a>
       <% else -%>
       No - <a href="#" class="promote" data-role="admin" data-username="<%= user.username %>">grant</a>
       <% end -%>
     </td>
     <td>
-      <% if user.staff_role? -%>
+      <% if user.has_role?(:staff) -%>
       Yes - <a href="#" class="demote" data-role="staff_role" data-username="<%= user.username %>">revoke</a>
       <% else -%>
       No - <a href="#" class="promote" data-role="staff_role" data-username="<%= user.username %>">grant</a>
diff --git a/app/views/home/index.html.erb b/app/views/home/index.html.erb
index 413d09e33..fa40220cf 100644
--- a/app/views/home/index.html.erb
+++ b/app/views/home/index.html.erb
@@ -3,7 +3,11 @@
   PopHealth.categories = <%= @categories.to_json.html_safe %>;
   PopHealth.patientCount = <%= @patient_count %>;
   PopHealth.currentUser = new Thorax.Models.User(<%= current_user.to_json({:include => :preferences }).html_safe %>);
-  PopHealth.rootProvider = new Thorax.Models.Provider(<%= Provider.root.to_json({:include => :children }).html_safe %>, {parse:true});
+  <%
+  providerRoot = Provider.root if current_user.admin? || current_user.staff_role?
+  providerRoot ||= Provider.with_role(:staff, current_user).first
+  %>
+  PopHealth.rootProvider = new Thorax.Models.Provider(<%= providerRoot.to_json({:include => :children }).html_safe %>, {parse:true});
   PopHealth.router = new PopHealth.Router();
   Backbone.history.start();
 </script>
diff --git a/app/views/shared/_header.html.erb b/app/views/shared/_header.html.erb
index 4ca67b53e..2bdeb0afd 100644
--- a/app/views/shared/_header.html.erb
+++ b/app/views/shared/_header.html.erb
@@ -22,11 +22,11 @@
               <% if APP_CONFIG['logout_enabled']%>
                 <li><%= link_to raw('<i class="glyphicon glyphicon-log-out"></i> Logout'), destroy_user_session_path, method: 'delete' %></li>
               <% end %>
-              <% if current_user.staff_role? || current_user.admin? %>
+              <% if current_user.has_role? (:staff )|| current_user.has_role?( :admin )%>
                 <li class="divider"></li>
                 <li role="presentation" class="dropdown-header">Admin</li>
                 <li><%= link_to raw('<i class="glyphicon glyphicon-plus"></i> Providers'), '/#providers'%></li>
-                <% if current_user.admin? %>
+                <% if current_user.has_role?( :admin )%>
                   <% if (APP_CONFIG['patient_management_enabled']) %>
                     <li><%= link_to raw('<i class="glyphicon glyphicon-eye-open"></i> Patients'), admin_patients_path%></li>
                   <% end %>
diff --git a/app/views/shared/_top_nav.html.erb b/app/views/shared/_top_nav.html.erb
index abb2014eb..e984d5714 100644
--- a/app/views/shared/_top_nav.html.erb
+++ b/app/views/shared/_top_nav.html.erb
@@ -2,16 +2,16 @@
   Welcome, <%= current_user.first_name.to_s %>
   <span class="sep">|</span> <a href="http://projectpophealth.org/faq.html">help</a>
   <% if APP_CONFIG['edit_account_enabled']%><span class="sep">|</span> <%= link_to 'account', edit_user_registration_path(current_user) %> <% end %>
-  <% if current_user.staff_role? || current_user.admin? %> <span class="sep">|</span> <a id="manage_link" href="javascript:void(0)">manage</a> <% end %>
+  <% if current_user.has_role?( :staff) || current_user.has_role?(:admin) %> <span class="sep">|</span> <a id="manage_link" href="javascript:void(0)">manage</a> <% end %>
   <% if APP_CONFIG['logout_enabled']%><span class="sep">|</span> <%= link_to 'logout', destroy_user_session_path, 'class' => 'log'%> <% end %>
   
   <ul id="manage-menu" class="ui-menu ui-widget ui-widget-content ui-corner-all dialog-menu" role="listbox" aria-activedescendant="ui-active-menuitem">
-    <% if current_user.staff_role? || current_user.admin? %>
+    <% if current_user.has_role?(:staff) || current_user.has_role?(:admin ) %>
     <li class="ui-menu-item" role="menuitem" data-type="providers">
       <a class="ui-corner-all" tabindex="-1" href="<%=providers_path%>">Providers</a>
     </li>
     <% end %>
-    <% if current_user.admin? %>
+    <% if current_user.has_role?(:admin) %>
       <li class="ui-menu-item" role="menuitem" data-type="users">
         <a class="ui-corner-all" tabindex="-1" href="<%=admin_users_path%>">Users</a>
       </li>
diff --git a/config/initializers/active_model_serializers.rb b/config/initializers/active_model_serializers.rb
index 589ac70f4..4340d03c0 100644
--- a/config/initializers/active_model_serializers.rb
+++ b/config/initializers/active_model_serializers.rb
@@ -1,3 +1,4 @@
+Rolify.orm=:mongoid
 ActiveSupport.on_load(:active_model_serializers) do
   # Disable for all serializers (except ArraySerializer)
   ActiveModel::Serializer.root = false
diff --git a/config/initializers/mongo.rb b/config/initializers/mongo.rb
index 0977b7f03..02242c60d 100644
--- a/config/initializers/mongo.rb
+++ b/config/initializers/mongo.rb
@@ -1,3 +1,4 @@
+
 MONGO_DB = Mongoid.default_session
 
 # js_collection = MONGO_DB['system.js']
diff --git a/config/initializers/rolify.rb b/config/initializers/rolify.rb
new file mode 100644
index 000000000..112cbe85a
--- /dev/null
+++ b/config/initializers/rolify.rb
@@ -0,0 +1,8 @@
+Rolify.configure do |config|
+  # By default ORM adapter is ActiveRecord. uncomment to use mongoid
+  config.use_mongoid
+  
+  # Dynamic shortcuts for User class (user.is_admin? like methods). Default is: false
+  # Enable this feature _after_ running rake db:migrate as it relies on the roles table
+  # config.use_dynamic_shortcuts
+end
\ No newline at end of file
diff --git a/lib/hds/provider.rb b/lib/hds/provider.rb
index 693ba7885..c0fdf4553 100644
--- a/lib/hds/provider.rb
+++ b/lib/hds/provider.rb
@@ -1,5 +1,6 @@
 class Provider
-
+  include Mongoid::Document
+  resourcify
   field :level, type: String
   
   embeds_many :cda_identifiers, class_name: "CDAIdentifier"
diff --git a/lib/tasks/popHealth_users.rake b/lib/tasks/popHealth_users.rake
index 3308e5b62..9c14ec5a5 100644
--- a/lib/tasks/popHealth_users.rake
+++ b/lib/tasks/popHealth_users.rake
@@ -34,6 +34,16 @@ namespace :pophealth do
       RakeUserManager.approve ENV
     end
 
+    task :update_roles => :environment do
+      User.where(:admin=>true).each do |u|
+        u.add_role :admin
+      end
+      User.where(:staff_role=>true).each do |u|
+        u.add_role :staff
+      end
+
+    end
+
     class RakeUserManager
       def self.grant_admin(env)
         user = find_user(env)
diff --git a/test/fixtures/roles.yml b/test/fixtures/roles.yml
new file mode 100644
index 000000000..937a0c002
--- /dev/null
+++ b/test/fixtures/roles.yml
@@ -0,0 +1,11 @@
+# Read about fixtures at http://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
+
+# This model initially had no columns defined.  If you add columns to the
+# model remove the '{}' from the fixture names and add the columns immediately
+# below each fixture, per the syntax in the comments below
+#
+one: {}
+# column: value
+#
+two: {}
+#  column: value
diff --git a/test/fixtures/roles/admin_role.json b/test/fixtures/roles/admin_role.json
new file mode 100644
index 000000000..1205bbad2
--- /dev/null
+++ b/test/fixtures/roles/admin_role.json
@@ -0,0 +1,10 @@
+{
+    "_id" : "admin_role",
+    "name" : "admin",
+    "resource_id" : null,
+    "resource_type" : null,
+    "user_ids" : [ 
+        "admin1",
+        "admin2"
+    ]
+}
\ No newline at end of file
diff --git a/test/fixtures/roles/staff_role.json b/test/fixtures/roles/staff_role.json
new file mode 100644
index 000000000..91f97fdd6
--- /dev/null
+++ b/test/fixtures/roles/staff_role.json
@@ -0,0 +1,12 @@
+{
+    "_id" : "staff_role",
+    "name" : "staff",
+    "resource_id" : null,
+    "resource_type" : null,
+    "user_ids" : [ 
+        "admin1",
+        "admin2",
+        "gen1",
+        "gen2"
+    ]
+}
\ No newline at end of file
diff --git a/test/fixtures/users/admin_user.json b/test/fixtures/users/admin_user.json
index 433bba8fd..86e8bff65 100644
--- a/test/fixtures/users/admin_user.json
+++ b/test/fixtures/users/admin_user.json
@@ -1,4 +1,5 @@
-{"admin":true,
+{
+  "admin":true,
  "agree_license":true,
  "approved":true,
  "company":null,
@@ -11,6 +12,9 @@
  "npi":null,
  "registry_id":null,
  "registry_name":null,
- "staff_role":true,
+ "role_ids" :[
+    "staff_role",
+    "admin_role"
+ ],
  "tin":null,
  "username":"adminuser"}
diff --git a/test/fixtures/users/admin_user2.json b/test/fixtures/users/admin_user2.json
index 72d0eeae6..dc97fd44d 100644
--- a/test/fixtures/users/admin_user2.json
+++ b/test/fixtures/users/admin_user2.json
@@ -1,4 +1,4 @@
-{"admin":true,
+{ "_id" : "admin2",
  "agree_license":true,
  "approved":true,
  "company":null,
@@ -11,6 +11,9 @@
  "npi":null,
  "registry_id":null,
  "registry_name":null,
- "staff_role":true,
+ "role_ids" :[
+    "staff_role",
+    "admin_role"
+ ],
  "tin":null,
  "username":"adminuser2"}
diff --git a/test/fixtures/users/generic_user.json b/test/fixtures/users/generic_user.json
index 2138110ba..d84172816 100644
--- a/test/fixtures/users/generic_user.json
+++ b/test/fixtures/users/generic_user.json
@@ -1,4 +1,4 @@
-{"admin":false,
+{"_id" : "gen1",
  "agree_license":true,
  "approved":true,
  "company":null,
@@ -11,6 +11,8 @@
  "npi":null,
  "registry_id":null,
  "registry_name":null,
- "staff_role":true,
+ "role_ids" :[
+    "staff_role"
+ ],
  "tin":null,
  "username":"genericuser"}
diff --git a/test/fixtures/users/generic_user2.json b/test/fixtures/users/generic_user2.json
index b8d890e9e..bdaefdaef 100644
--- a/test/fixtures/users/generic_user2.json
+++ b/test/fixtures/users/generic_user2.json
@@ -1,4 +1,4 @@
-{"admin":false,
+{"_id" : "gen2",
  "agree_license":true,
  "approved":true,
  "company":null,
@@ -11,6 +11,8 @@
  "npi":null,
  "registry_id":null,
  "registry_name":null,
- "staff_role":true,
+ "role_ids" :[
+    "staff_role"
+ ],
  "tin":null,
  "username":"genericuser2"}
diff --git a/test/fixtures/users/no_staff_role_user.json b/test/fixtures/users/no_staff_role_user.json
index b50a72ec7..28c00c938 100644
--- a/test/fixtures/users/no_staff_role_user.json
+++ b/test/fixtures/users/no_staff_role_user.json
@@ -1,4 +1,4 @@
-{"admin":false,
+{
  "agree_license":true,
  "approved":true,
  "company":null,
@@ -11,6 +11,5 @@
  "npi":null,
  "registry_id":null,
  "registry_name":null,
- "staff_role":false,
  "tin":null,
  "username":"nostaffuser"}
diff --git a/test/fixtures/users/unapproved_user.json b/test/fixtures/users/unapproved_user.json
index 8d34ce2f2..2c17fc7d9 100644
--- a/test/fixtures/users/unapproved_user.json
+++ b/test/fixtures/users/unapproved_user.json
@@ -1,4 +1,4 @@
-{"admin":false,
+{
  "agree_license":true,
  "approved":false,
  "company":null,
@@ -11,6 +11,5 @@
  "npi":null,
  "registry_id":null,
  "registry_name":null,
- "staff_role":true,
  "tin":null,
  "username":"unapproved"}
diff --git a/test/functional/admin_controller_test.rb b/test/functional/admin_controller_test.rb
index 1f8bf466f..117a0bf04 100755
--- a/test/functional/admin_controller_test.rb
+++ b/test/functional/admin_controller_test.rb
@@ -6,7 +6,7 @@ class AdminControllerTest < ActionController::TestCase
   setup  do
 
     dump_database
-
+    collection_fixtures 'roles'
     collection_fixtures 'users'
 
     @admin = User.where({email: 'admin@test.com'}).first
diff --git a/test/functional/api/queries_controller_test.rb b/test/functional/api/queries_controller_test.rb
index 295961728..cfb7690c8 100644
--- a/test/functional/api/queries_controller_test.rb
+++ b/test/functional/api/queries_controller_test.rb
@@ -23,6 +23,7 @@ class QueriesControllerTest < ActionController::TestCase
       @provider = Provider.where({family_name: "Darling"}).first
       @provider.npi = @npi_user.npi
       @provider.save
+      @npi_user.add_role(:staff, @provider)
 
       QME::QualityReport.where({}).each do |q|
         if q.filters
diff --git a/test/functional/logs_controller_test.rb b/test/functional/logs_controller_test.rb
index 6637c2a45..24ace6fa3 100644
--- a/test/functional/logs_controller_test.rb
+++ b/test/functional/logs_controller_test.rb
@@ -5,6 +5,7 @@ class LogsControllerTest < ActionController::TestCase
 
   setup do
     dump_database
+    collection_fixtures 'roles'
     collection_fixtures 'users'
 
     @user = User.where({email: 'admin@test.com'}).first
diff --git a/test/models/role_test.rb b/test/models/role_test.rb
new file mode 100644
index 000000000..11c53a8b5
--- /dev/null
+++ b/test/models/role_test.rb
@@ -0,0 +1,7 @@
+require 'test_helper'
+
+class RoleTest < ActiveSupport::TestCase
+  # test "the truth" do
+  #   assert true
+  # end
+end
diff --git a/test/unit/admin_rake_test.rb b/test/unit/admin_rake_test.rb
index 13204d355..bec9791e5 100755
--- a/test/unit/admin_rake_test.rb
+++ b/test/unit/admin_rake_test.rb
@@ -7,7 +7,7 @@ class AdminRakeTest < ActiveSupport::TestCase
   setup do
     
     dump_database
-    
+    collection_fixtures 'roles'
     if (!@@rake)
       @@rake = Rake.application
       Rake.application = @@rake
diff --git a/test/unit/models/user_test.rb b/test/unit/models/user_test.rb
index 241225a4f..1a0eb5a71 100755
--- a/test/unit/models/user_test.rb
+++ b/test/unit/models/user_test.rb
@@ -4,6 +4,7 @@ class UserTest < ActiveSupport::TestCase
 
   setup do
     dump_database
+    collection_fixtures 'roles'
     collection_fixtures 'users'
 
     @user = User.where({email: 'noadmin@test.com'}).first
diff --git a/test/unit/user_rake_test.rb b/test/unit/user_rake_test.rb
index 363cd61fb..ed9c9a186 100755
--- a/test/unit/user_rake_test.rb
+++ b/test/unit/user_rake_test.rb
@@ -7,6 +7,7 @@ class UserRakeTest < ActiveSupport::TestCase
   setup do
 
     dump_database
+    collection_fixtures 'roles'
     collection_fixtures 'users'
 
     @unapproved_user = User.where({email: 'unapproved@test.com'}).first

From 698aa317e49864e8065adddd043cf4774d12b43f Mon Sep 17 00:00:00 2001
From: Rob Dingwell <rob@robdingwell.org>
Date: Thu, 28 Aug 2014 15:01:03 -0400
Subject: [PATCH 2/3] fixing issue with provider parent showing up in the ui
 regardless of whether the use has access to the provider

---
 app/controllers/api/providers_controller.rb |  9 ++++++++-
 app/models/user.rb                          | 10 ++++++++++
 app/views/home/index.html.erb               |  8 +++++---
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/app/controllers/api/providers_controller.rb b/app/controllers/api/providers_controller.rb
index 40703b34c..cf3e7c1c1 100644
--- a/app/controllers/api/providers_controller.rb
+++ b/app/controllers/api/providers_controller.rb
@@ -83,7 +83,14 @@ def index
     EXAMPLE
     def show
       provider_json = @provider.as_json
-      provider_json[:parent] = Provider.find(@provider.parent_id) if @provider.parent_id
+      if @provider.parent && can?(:read, @provider.parent)
+        provider_json[:parent] = Provider.find(@provider.parent_id) if @provider.parent_id
+      else
+        #clean these out so the ui does npt attempt to render them
+        provider_json[:parent] =nil
+        provider_json[:parent_id]=nil
+        provider_json[:parent_ids]=nil
+      end
       provider_json[:children] = @provider.children if @provider.children.present?
       render json: provider_json
     end
diff --git a/app/models/user.rb b/app/models/user.rb
index 73929e2c2..fe56e248d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -149,4 +149,14 @@ def staff_role?
     self.has_role?( :staff )
   end
 
+  def provider_root
+    provider = nil
+    if self.admin? || self.staff_role?
+      provider =  Provider.root 
+    else
+      provider = Provider.with_role(:staff, self).first
+    end
+    provider
+  end
+
 end
diff --git a/app/views/home/index.html.erb b/app/views/home/index.html.erb
index fa40220cf..0c8d10d20 100644
--- a/app/views/home/index.html.erb
+++ b/app/views/home/index.html.erb
@@ -4,10 +4,12 @@
   PopHealth.patientCount = <%= @patient_count %>;
   PopHealth.currentUser = new Thorax.Models.User(<%= current_user.to_json({:include => :preferences }).html_safe %>);
   <%
-  providerRoot = Provider.root if current_user.admin? || current_user.staff_role?
-  providerRoot ||= Provider.with_role(:staff, current_user).first
+  providerRoot =  current_user.provider_root
+  providerRoot.parent_id = nil
+  providerRoot.parent_ids = nil
+
   %>
-  PopHealth.rootProvider = new Thorax.Models.Provider(<%= providerRoot.to_json({:include => :children }).html_safe %>, {parse:true});
+  PopHealth.rootProvider = new Thorax.Models.Provider(<%= providerRoot.to_json({:include => :children ,:except => :parent}).html_safe %>, {parse:true});
   PopHealth.router = new PopHealth.Router();
   Backbone.history.start();
 </script>

From 8420e1fa007f74477d6434c3d670570d4ec9bce4 Mon Sep 17 00:00:00 2001
From: Rob Dingwell <bobd@mitre.org>
Date: Fri, 12 Sep 2014 17:46:12 -0400
Subject: [PATCH 3/3] adding roles to list of fixtures for all of the tests.

---
 test/functional/api/patients_controller_test.rb  | 2 +-
 test/functional/api/providers_controller_test.rb | 2 +-
 test/functional/api/queries_controller_test.rb   | 2 +-
 test/functional/api/reports_controller_test.rb   | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/test/functional/api/patients_controller_test.rb b/test/functional/api/patients_controller_test.rb
index c29e067f3..ba0c1264c 100644
--- a/test/functional/api/patients_controller_test.rb
+++ b/test/functional/api/patients_controller_test.rb
@@ -6,7 +6,7 @@ class PatientsControllerTest < ActionController::TestCase
 
     setup do
       dump_database
-      collection_fixtures 'measures', 'patient_cache', 'records', 'users'
+      collection_fixtures 'measures', 'patient_cache', 'records', 'users','roles'
       @user = User.where({email: 'admin@test.com'}).first
       sign_in @user
     end
diff --git a/test/functional/api/providers_controller_test.rb b/test/functional/api/providers_controller_test.rb
index c1032e711..7fe06bac2 100644
--- a/test/functional/api/providers_controller_test.rb
+++ b/test/functional/api/providers_controller_test.rb
@@ -5,7 +5,7 @@ class ProvidersControllerTest < ActionController::TestCase
 
     setup do
       dump_database
-      collection_fixtures 'users', 'providers', 'measures'
+      collection_fixtures 'users', 'providers', 'measures','roles'
       @user = User.where({email: 'admin@test.com'}).first
       @provider = Provider.where({family_name: "Darling"}).first
       sign_in @user
diff --git a/test/functional/api/queries_controller_test.rb b/test/functional/api/queries_controller_test.rb
index cfb7690c8..d0c02bc1b 100644
--- a/test/functional/api/queries_controller_test.rb
+++ b/test/functional/api/queries_controller_test.rb
@@ -10,7 +10,7 @@ class QueriesControllerTest < ActionController::TestCase
       collection_fixtures 'records'
       collection_fixtures 'patient_cache'
       collection_fixtures 'providers'
-      collection_fixtures 'users'
+      collection_fixtures 'users','roles'
 
       @staff = User.where({email: 'noadmin@test.com'}).first
       @admin = User.where({email: 'admin@test.com'}).first
diff --git a/test/functional/api/reports_controller_test.rb b/test/functional/api/reports_controller_test.rb
index 4a4c35a7e..ff420ef6c 100644
--- a/test/functional/api/reports_controller_test.rb
+++ b/test/functional/api/reports_controller_test.rb
@@ -10,7 +10,7 @@ class ReportsControllerTest < ActionController::TestCase
       collection_fixtures 'records'
       collection_fixtures 'patient_cache'
       collection_fixtures 'providers'
-      collection_fixtures 'users'
+      collection_fixtures 'users','roles'
 
       @user = User.where({email: "noadmin@test.com"}).first
     end