DDLS-369 Users should not be able to access discharged clients (#1699)

* Updated ACL to exclude clients that are discharged

* Test discharged client cannot be found when accessing url

* Updated test to check that discharged client cannot be accessed

* Add command to set feature flag from terminal
---------

Co-authored-by: Iqpal Mannan <iqpal.mannan@digital.justice.gov.uk>

Makefile

@@ -196,3 +196,6 @@ smoke-tests: ##@smoke-tests Run smoke tests (requires app to be up)
 resilience-tests: ##@resilience-tests Run resilience tests (requires app to be up)
 	docker compose build orchestration
 	docker compose run -e LOG_AND_CONTINUE=true --remove-orphans orchestration sh tests/run-resilience-tests.sh
+
+set-feature-flag: ##@localstack Set a particular feature flags value e.g. set-feature-flag name=multi-accounts value=1
+	docker compose exec localstack awslocal ssm put-parameter --name "/local/flag/$(name)" --value "$(value)" --type String --overwrite

api/app/tests/Behat/bootstrap/v2/Common/AuthTrait.php

@@ -315,6 +315,18 @@ public function IShouldBeRedirectedAndDeniedAccessToContinue()
         );
     }
 
+    /**
+     * @Then /^I should be redirected and denied access to continue as client not found$/
+     */
+    public function IShouldBeRedirectedAndDeniedAccessToContinueAsNotFound()
+    {
+        $this->assertIntEqualsInt(
+            '404',
+            $this->getSession()->getStatusCode(),
+            'Status code after accessing endpoint'
+        );
+    }
+
     /**
      * @Given /^a Lay Deputy has multiple client accounts$/
      */
@@ -466,6 +478,22 @@ public function theyShouldBeOnThatClientSDashboard($isPrimary)
         $this->assertPageContainsText($clientLastName);
     }
 
+    /**
+     * @When /^they try to access their "(primary|secondary)" discharged Client$/
+     */
+    public function theyChooseTheirDischargedClient($isPrimary)
+    {
+        if ('primary' == $isPrimary) {
+            $clientId = $this->layPfaHighNotStartedMultiClientDeputyPrimaryUser->getClientId();
+        } else {
+            $clientId = $this->layPfaHighNotStartedMultiClientDeputyNonPrimaryUser->getClientId();
+        }
+
+        $urlRegex = sprintf('/client\/%d$/', $clientId);
+
+        $this->visitPath($urlRegex);
+    }
+
     /**
      * @Given /^they discharge the deputy from "([^"]*)" secondary client\(s\)$/
      */

api/app/tests/Behat/bootstrap/v2/Common/BaseFeatureContext.php

@@ -643,7 +643,7 @@ public function createLayPfaHighNotStartedMultiClientDeputy()
     }
 
     /**
-     * @BeforeScenario @lay-pfa-high-not-started-multi-client-deputy-with-ndr 
+     * @BeforeScenario @lay-pfa-high-not-started-multi-client-deputy-with-ndr
      */
     public function createLayPfaHighNotStartedMultiClientDeputyWithNdr()
     {

api/app/tests/Behat/features-v2/acl/login/login.feature

@@ -110,6 +110,8 @@ Feature: Users logging into the service
         Given a Lay Deputy tries to login with their "primary" email address
         Then they should be on the Choose a Client homepage
         And have access to all active client dashboards
+        When they try to access their "primary" discharged Client
+        Then I should be redirected and denied access to continue as client not found
 
     @multi-feature-flag-enabled @super-admin @lay-pfa-high-started-multi-client-deputy-primary-client-discharged-two-active-clients
     Scenario: A user logs into the service with their primary account given they're remaining active client is linked to their secondary account

api/app/tests/Unit/Controller/AbstractTestController.php

@@ -199,6 +199,16 @@ protected function assertEndpointNotAllowedFor($method, $uri, $token, $data = []
         ]);
     }
 
+    protected function assertEndpointNotFoundFor($method, $uri, $token, $data = [])
+    {
+        $this->assertJsonRequest($method, $uri, [
+            'mustFail' => true,
+            'data' => $data,
+            'AuthToken' => $token,
+            'assertResponseCode' => 404,
+        ]);
+    }
+
     protected function assertEndpointAllowedFor($method, $uri, $token, $data = [])
     {
         $this->assertJsonRequest($method, $uri, [

api/app/tests/Unit/Controller/ClientControllerTest.php

@@ -21,7 +21,7 @@ class ClientControllerTest extends AbstractTestController
     private static $nonPrimaryUserAccount;
     private static $primaryAccountClient;
     private static $nonPrimaryAccountClient;
-
+    private static $primaryAccountDischargedClient;
     private static $tokenAdmin;
     private static $tokenDeputy;
     private static $tokenMainDeputy;
@@ -105,6 +105,7 @@ public function setUp(): void
         // multi-client deputy
         self::$primaryUserAccount = self::fixtures()->getRepo('User')->findOneByEmail('multi-client-primary-deputy@example.org');
         self::$primaryAccountClient = self::fixtures()->createClient(self::$primaryUserAccount, ['setFirstname' => 'Multi-Client1', 'setCaseNumber' => '34566543']);
+        self::$primaryAccountDischargedClient = self::fixtures()->createClient(self::$primaryUserAccount, ['setFirstname' => 'clientName', 'setCaseNumber' => '34566544', 'setDeletedAt' => new \DateTime()]);
 
         self::$nonPrimaryUserAccount = self::fixtures()->getRepo('User')->findOneByEmail('multi-client-non-primary-deputy@example.org');
         self::$nonPrimaryAccountClient = self::fixtures()->createClient(self::$nonPrimaryUserAccount, ['setFirstname' => 'Multi-Client2', 'setCaseNumber' => '78900987']);
@@ -251,6 +252,13 @@ public function testfindByIdAclNotAllowed()
         $this->assertEndpointNotAllowedFor('GET', $url, self::$tokenProf);
     }
 
+    public function testfindByIdDischargedClientNotFound()
+    {
+        $url = '/client/'.self::$primaryAccountDischargedClient->getId();
+
+        $this->assertEndpointNotFoundFor('GET', $url, self::$tokenMultiClientPrimaryDeputy);
+    }
+
     public function testfindByIdAclAllowed()
     {
         $url = '/client/'.self::$primaryAccountClient->getId();
@@ -356,7 +364,7 @@ public function testGetAllAction()
             'AuthToken' => self::$tokenAdmin,
         ])['data'];
 
-        $this->assertCount(6, $data);
+        $this->assertCount(7, $data);
     }
 
     public function testUpdateDeputy()