Skip to content

Po- 5773 Tech Debt - Create reusable business-unit route permission guard#2709

Open
TimDanielsCQI wants to merge 30 commits into
masterfrom
PO-5773
Open

Po- 5773 Tech Debt - Create reusable business-unit route permission guard#2709
TimDanielsCQI wants to merge 30 commits into
masterfrom
PO-5773

Conversation

@TimDanielsCQI

@TimDanielsCQI TimDanielsCQI commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Jira link

See PO-5773

Change description

Current Position:

Some account maintenance routes rely on UI-level business-unit permission checks before navigating, but the route guards currently only check global permission IDs. This means the route layer cannot consistently enforce "user has permission X in the account's business unit" across direct navigation scenarios. We cannot reset FinesAccountStore on these journeys because amend/change/add pages depend on it.

Problem

routePermissionsGuard is generic and only checks whether the user has a permission anywhere. It does not know which business unit applies to the route. For account journeys, the relevant BU comes from account state or account heading data, not from static route configuration.

Common library dependency note

This PO-5773 change spans two repositories:

  • opal-frontend
  • opal-frontend-common-ui-lib

The frontend branch depends on new common-library behaviour introduced in the matching opal-frontend-common-ui-lib PO-5773 branch. Specifically, the common library adds/updates the BU-aware route permission guard so account-scoped denied routes are resolved relative to the current account route.

During local testing, the frontend was run against a locally packed common-library tarball. That local tarball dependency has not been committed, because a file: dependency would only work on a developer machine and would break CI/QA.

At the moment, the committed opal-frontend branch still points at the currently published common library version:

"@hmcts/opal-frontend-common": "^0.0.82"

Testing done

Unit tests
Browser testing

This the test plan I used to regression test all the routes that now use this generic guard:
PO-5773_ROUTE_BROWSER_TEST_PLAN.xls

Security Vulnerability Assessment

CVE Suppression: Are there any CVEs present in the codebase (either newly introduced or pre-existing) that are being intentionally suppressed or ignored by this commit?

  • Yes
  • No

Checklist

  • commit messages are meaningful and follow good commit message guidelines
  • README and other documentation has been updated / added (if needed)
  • tests have been updated / new tests has been added (if needed)
  • Does this PR introduce a breaking change

Comment thread .gitignore
@iamfrankiemoran

Copy link
Copy Markdown
Contributor

@TimDanielsCQI could you also run yarn audit:save to let the pipeline run please? Its being blocked by Security Checks

@Arnabsubedi233 Arnabsubedi233 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just some small changed

import { IOpalFinesAccountMinorCreditorDetailsHeader } from '../../fines-acc-minor-creditor-details/interfaces/fines-acc-minor-creditor-details-header.interface';
import { BusinessUnitIdResolver } from '@hmcts/opal-frontend-common/guards/business-unit-route-permissions';

type FinesAccountRouteType = 'defendant' | 'minor-creditor';

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we put this in its own file then import.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed as it is used in two places. Make a types folder within this resolver folder and and move it there then it can be used here and on the spec.ts

return storedBusinessUnitId;
}

if (accountType === 'defendant') {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we remove the hard coding of 'defendant' etc and then import that in as a constant in a file.

import { IOpalFinesAccountMinorCreditorDetailsHeader } from '../../fines-acc-minor-creditor-details/interfaces/fines-acc-minor-creditor-details-header.interface';
import { BusinessUnitIdResolver } from '@hmcts/opal-frontend-common/guards/business-unit-route-permissions';

type FinesAccountRouteType = 'defendant' | 'minor-creditor';

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed as it is used in two places. Make a types folder within this resolver folder and and move it there then it can be used here and on the spec.ts

@iamfrankiemoran iamfrankiemoran left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry just noticed the naming convention as well

@TimDanielsCQI

Copy link
Copy Markdown
Contributor Author

I think I have made all requested changes now. Build is failing on functional tests (on master as well) so I can't see sonar cube and coverage yet.

@iamfrankiemoran iamfrankiemoran left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ChrisGarratt122 ChrisGarratt122 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants