UNPKG

@ministryofjustice/hmpps-prison-permissions-lib

Version:

A library to centralise the process of determining whether a user should have access to create/read/update/delete a prison resource, for example, accessing a prisoner's Prisoner Profile.

1,074 lines (972 loc) 68.5 kB
import { RestClient, asSystem } from '@ministryofjustice/hmpps-rest-client'; // eslint-disable-next-line import/prefer-default-export var PermissionCheckStatus; (function (PermissionCheckStatus) { PermissionCheckStatus["NOT_PERMITTED"] = "NOT_PERMITTED"; PermissionCheckStatus["NOT_IN_CASELOAD"] = "NOT_IN_CASELOAD"; PermissionCheckStatus["NOT_ACTIVE_CASELOAD"] = "NOT_ACTIVE_CASELOAD"; PermissionCheckStatus["RESTRICTED_PATIENT"] = "RESTRICTED_PATIENT"; PermissionCheckStatus["PRISONER_IS_RELEASED"] = "PRISONER_IS_RELEASED"; PermissionCheckStatus["PRISONER_IS_TRANSFERRING"] = "PRISONER_IS_TRANSFERRING"; PermissionCheckStatus["ROLE_NOT_PRESENT"] = "ROLE_NOT_PRESENT"; PermissionCheckStatus["NOT_PRISON_USER"] = "NOT_PRISON_USER"; PermissionCheckStatus["OK"] = "OK"; })(PermissionCheckStatus || (PermissionCheckStatus = {})); class PermissionsLogger { logger; telemetryClient; constructor(logger, telemetryClient) { this.logger = logger; this.telemetryClient = telemetryClient; } logPermissionCheckStatus(user, prisoner, permission, permissionCheckStatus) { if (permissionCheckStatus === PermissionCheckStatus.OK) return; if (this.telemetryClient) { this.telemetryClient.trackEvent({ name: 'prisoner-permission-denied', properties: { username: user.username, prisonerNumber: prisoner.prisonerNumber, activeCaseLoad: user.authSource === 'nomis' && user.activeCaseLoadId, permissionChecked: permission, status: permissionCheckStatus, }, }); } else { this.logger.info(`Prisoner permission denied: ${permission} (${permissionCheckStatus}) for user ${user.username}`); } } } class PrisonerSearchClient extends RestClient { constructor(logger, config, authenticationClient) { super('Prisoner Search', config, logger, authenticationClient); } getPrisonerDetails(prisonerNumber) { return this.get({ path: `/prisoner/${prisonerNumber}` }, asSystem()); } } var PersonSentenceCalculationPermission; (function (PersonSentenceCalculationPermission) { PersonSentenceCalculationPermission["read"] = "prisoner:person-sentence-calculation:read"; PersonSentenceCalculationPermission["edit_adjustments"] = "prisoner:person-sentence-calculation:adjustments:edit"; })(PersonSentenceCalculationPermission || (PersonSentenceCalculationPermission = {})); // eslint-disable-next-line import/prefer-default-export var Role; (function (Role) { Role["ActivityHub"] = "ROLE_ACTIVITY_HUB"; Role["AddSensitiveCaseNotes"] = "ROLE_ADD_SENSITIVE_CASE_NOTES"; Role["AdjustmentsMaintainer"] = "ROLE_ADJUSTMENTS_MAINTAINER"; Role["ApproveCategorisation"] = "ROLE_APPROVE_CATEGORISATION"; Role["CategorisationSecurity"] = "ROLE_CATEGORISATION_SECURITY"; Role["CellMove"] = "ROLE_CELL_MOVE"; Role["ContactsAdministrator"] = "ROLE_CONTACTS_ADMINISTRATOR"; Role["ContactsAuthoriser"] = "ROLE_CONTACTS_AUTHORISER"; Role["CreateCategorisation"] = "ROLE_CREATE_CATEGORISATION"; Role["CreateRecategorisation"] = "ROLE_CREATE_RECATEGORISATION"; Role["DeleteSensitiveCaseNotes"] = "ROLE_DELETE_SENSITIVE_CASE_NOTES"; Role["DietAndAllergiesEdit"] = "ROLE_DIET_AND_FOOD_ALLERGIES_EDIT"; Role["GlobalSearch"] = "ROLE_GLOBAL_SEARCH"; Role["InactiveBookings"] = "ROLE_INACTIVE_BOOKINGS"; Role["PathfinderApproval"] = "ROLE_PF_APPROVAL"; Role["PathfinderHQ"] = "ROLE_PF_HQ"; Role["PathfinderLocalReader"] = "ROLE_PF_LOCAL_READER"; Role["PathfinderNationalReader"] = "ROLE_PF_NATIONAL_READER"; Role["PathfinderPolice"] = "ROLE_PF_POLICE"; Role["PathfinderPsychologist"] = "ROLE_PF_PSYCHOLOGIST"; Role["PathfinderStdPrison"] = "ROLE_PF_STD_PRISON"; Role["PathfinderStdProbation"] = "ROLE_PF_STD_PROBATION"; Role["PathfinderUser"] = "ROLE_PF_USER"; Role["PomUser"] = "ROLE_POM"; Role["PrisonerProfilePhotoUpload"] = "ROLE_PRISONER_PROFILE_PHOTO_UPLOAD"; Role["PrisonerProfileSensitiveEdit"] = "ROLE_PRISONER_PROFILE_SENSITIVE_RW"; Role["ReceptionUser"] = "ROLE_PRISON_RECEPTION"; Role["ReleaseDatesCalculator"] = "ROLE_RELEASE_DATES_CALCULATOR"; Role["SocCommunity"] = "ROLE_SOC_COMMUNITY"; Role["SocCustody"] = "ROLE_SOC_CUSTODY"; Role["SocDataAnalyst"] = "ROLE_SOC_DATA_ANALYST"; Role["SocDataManager"] = "ROLE_SOC_DATA_MANAGER"; Role["UpdateAlert"] = "ROLE_UPDATE_ALERT"; Role["ViewProbationDocuments"] = "ROLE_VIEW_PROBATION_DOCUMENTS"; Role["ViewSensitiveCaseNotes"] = "ROLE_VIEW_SENSITIVE_CASE_NOTES"; })(Role || (Role = {})); function isRequiredPermission(permission, requiredPermissions) { return requiredPermissions.includes(permission); } function logDeniedPermissionCheck(permission, request, status) { const { user, prisoner, baseCheckStatus, requestDependentOn, permissionsLogger } = request; const baseCheckPassed = baseCheckStatus === PermissionCheckStatus.OK; if (isRequiredPermission(permission, requestDependentOn)) { permissionsLogger.logPermissionCheckStatus(user, prisoner, permission, baseCheckPassed ? status : baseCheckStatus); } } const isActiveCaseLoad = (prisonId, user) => user.authSource === 'nomis' && user.activeCaseLoadId === prisonId; function isInUsersCaseLoad(prisonId, user) { return user.authSource === 'nomis' && user.caseLoads?.some(caseLoad => caseLoad.caseLoadId === prisonId); } function isReleasedOrTransferring(prisonId) { return ['OUT', 'TRN'].includes(prisonId); } function userHasSomeRolesFrom(rolesToCheck, user) { return (rolesToCheck.length === 0 || rolesToCheck.map(normaliseRoleText).some(role => user.userRoles.map(normaliseRoleText).includes(role))); } function userHasAllRoles(rolesToCheck, user) { return rolesToCheck.map(normaliseRoleText).every(role => user.userRoles.map(normaliseRoleText).includes(role)); } const userHasRole = (roleToCheck, user) => { return userHasAllRoles([roleToCheck], user); }; const normaliseRoleText = (role) => role.replace(/ROLE_/, ''); function baseCheckAndUserHasAllRoles(roles, permission, request) { const { user, baseCheckStatus } = request; const baseCheckPassed = baseCheckStatus === PermissionCheckStatus.OK; const check = baseCheckPassed && userHasAllRoles(roles, user); if (!check) logDeniedPermissionCheck(permission, request, PermissionCheckStatus.ROLE_NOT_PRESENT); return check; } function baseCheckAndUserHasRole(role, permission, request) { return baseCheckAndUserHasAllRoles([role], permission, request); } function sentenceCalculationReadCheck(request) { return baseCheckAndUserHasRole(Role.ReleaseDatesCalculator, PersonSentenceCalculationPermission.read, request); } function sentenceCalculationEditAdjustmentCheck(request) { return baseCheckAndUserHasRole(Role.AdjustmentsMaintainer, PersonSentenceCalculationPermission.edit_adjustments, request); } function personSentenceCalculationCheck(request) { return { [PersonSentenceCalculationPermission.read]: sentenceCalculationReadCheck(request), [PersonSentenceCalculationPermission.edit_adjustments]: sentenceCalculationEditAdjustmentCheck(request), }; } function sentenceAndOffenceCheck(request) { return { personSentenceCalculation: personSentenceCalculationCheck(request), }; } function baseCheck(permission, request) { const { user, prisoner, baseCheckStatus, requestDependentOn, permissionsLogger } = request; const baseCheckPassed = baseCheckStatus === PermissionCheckStatus.OK; if (!baseCheckPassed && isRequiredPermission(permission, requestDependentOn)) { permissionsLogger.logPermissionCheckStatus(user, prisoner, permission, baseCheckStatus); } return baseCheckPassed; } /* * Restricted patients can be accessed in the following circumstances: * - The user has the "Inactive Bookings" role * - The user is a POM user and has the supporting prison ID in their caseloads */ function restrictedPatientStatus(user, prisoner) { const pomUser = userHasRole(Role.PomUser, user); const inactiveBookingsUser = userHasRole(Role.InactiveBookings, user); const userHasPrisonersSupportingPrisonInTheirCaseLoad = isInUsersCaseLoad(prisoner.supportingPrisonId, user); const userIsPomUserWithSupportingPrisonInTheirCaseLoad = pomUser && userHasPrisonersSupportingPrisonInTheirCaseLoad; if (userIsPomUserWithSupportingPrisonInTheirCaseLoad) return PermissionCheckStatus.OK; if (inactiveBookingsUser) return PermissionCheckStatus.OK; return PermissionCheckStatus.RESTRICTED_PATIENT; } /* * Released prisoners can be accessed in the following circumstances: * - The user has the "Inactive Bookings" role */ function releasedPrisonerStatus(user) { const inactiveBookingsUser = userHasRole(Role.InactiveBookings, user); if (inactiveBookingsUser) return PermissionCheckStatus.OK; return PermissionCheckStatus.PRISONER_IS_RELEASED; } /* * Transferring prisoners can be accessed in the following circumstances: * - The user has the "Global search" role * - The user has the "Inactive Bookings" role */ function transferringPrisonerStatus(user) { const inactiveBookingsUser = userHasRole(Role.InactiveBookings, user); const globalSearchUser = userHasSomeRolesFrom([Role.GlobalSearch], user); if (globalSearchUser) return PermissionCheckStatus.OK; if (inactiveBookingsUser) return PermissionCheckStatus.OK; return PermissionCheckStatus.PRISONER_IS_TRANSFERRING; } function baseCheckStatus(user, prisoner) { const inUsersCaseLoad = isInUsersCaseLoad(prisoner.prisonId, user); const globalSearchUser = userHasSomeRolesFrom([Role.GlobalSearch], user); if (user.authSource !== 'nomis') return PermissionCheckStatus.NOT_PRISON_USER; if (prisoner.restrictedPatient) return restrictedPatientStatus(user, prisoner); if (prisoner.prisonId === 'OUT') return releasedPrisonerStatus(user); if (prisoner.prisonId === 'TRN') return transferringPrisonerStatus(user); if (inUsersCaseLoad || globalSearchUser) return PermissionCheckStatus.OK; return PermissionCheckStatus.NOT_IN_CASELOAD; } var PrisonerMoneyPermission; (function (PrisonerMoneyPermission) { PrisonerMoneyPermission["read"] = "prisoner:prisoner-money:read"; })(PrisonerMoneyPermission || (PrisonerMoneyPermission = {})); function inUsersCaseLoad(permission, request) { const { user, prisoner, baseCheckStatus } = request; const baseCheckPassed = baseCheckStatus === PermissionCheckStatus.OK; const check = baseCheckPassed && isInUsersCaseLoad(prisoner.prisonId, user); if (!check) logDeniedPermissionCheck(permission, request, PermissionCheckStatus.NOT_IN_CASELOAD); return check; } function prisonerMoneyReadCheck(request) { return inUsersCaseLoad(PrisonerMoneyPermission.read, request); } function prisonerMoneyCheck(request) { return { [PrisonerMoneyPermission.read]: prisonerMoneyReadCheck(request), }; } var PrisonerAdjudicationsPermission; (function (PrisonerAdjudicationsPermission) { PrisonerAdjudicationsPermission["read"] = "prisoner:prisoner-adjudications:read"; })(PrisonerAdjudicationsPermission || (PrisonerAdjudicationsPermission = {})); const permission$f = PrisonerAdjudicationsPermission.read; function prisonerAdjudicationsReadCheck(request) { const { user, prisoner, baseCheckStatus } = request; const baseCheckPassed = baseCheckStatus === PermissionCheckStatus.OK; const check = baseCheckPassed && (isInUsersCaseLoad(prisoner.prisonId, user) || userHasSomeRolesFrom([Role.PomUser, Role.ReceptionUser], user)); if (!check) logDeniedPermissionCheck(permission$f, request, PermissionCheckStatus.NOT_IN_CASELOAD); return check; } function prisonerAdjudicationsCheck(request) { return { [PrisonerAdjudicationsPermission.read]: prisonerAdjudicationsReadCheck(request), }; } var PrisonerIncentivesPermission; (function (PrisonerIncentivesPermission) { PrisonerIncentivesPermission["read"] = "prisoner:prisoner-incentives:read"; })(PrisonerIncentivesPermission || (PrisonerIncentivesPermission = {})); const permission$e = PrisonerIncentivesPermission.read; function prisonerIncentivesReadCheck(request) { const { user, prisoner, baseCheckStatus } = request; const baseCheckPassed = baseCheckStatus === PermissionCheckStatus.OK; const check = baseCheckPassed && (isInUsersCaseLoad(prisoner.prisonId, user) || userHasRole(Role.GlobalSearch, user)); if (!check) logDeniedPermissionCheck(permission$e, request, PermissionCheckStatus.NOT_IN_CASELOAD); return check; } function prisonerIncentivesCheck(request) { return { [PrisonerIncentivesPermission.read]: prisonerIncentivesReadCheck(request), }; } var PersonPrisonCategoryPermission; (function (PersonPrisonCategoryPermission) { PersonPrisonCategoryPermission["edit"] = "prisoner:person-prison-category:edit"; })(PersonPrisonCategoryPermission || (PersonPrisonCategoryPermission = {})); const permission$d = PersonPrisonCategoryPermission.edit; function personPrisonCategoryEditCheck(request) { const { user, baseCheckStatus } = request; const baseCheckPassed = baseCheckStatus === PermissionCheckStatus.OK; const check = baseCheckPassed && userHasSomeRolesFrom([Role.CreateCategorisation, Role.CreateRecategorisation, Role.ApproveCategorisation, Role.CategorisationSecurity], user); if (!check) logDeniedPermissionCheck(permission$d, request, PermissionCheckStatus.ROLE_NOT_PRESENT); return check; } function personPrisonCategoryCheck(request) { return { [PersonPrisonCategoryPermission.edit]: personPrisonCategoryEditCheck(request), }; } var PrisonerSchedulePermission; (function (PrisonerSchedulePermission) { PrisonerSchedulePermission["edit_appointment"] = "prisoner:appointment:edit"; PrisonerSchedulePermission["edit_activity"] = "prisoner:activity:edit"; })(PrisonerSchedulePermission || (PrisonerSchedulePermission = {})); const permission$c = PrisonerSchedulePermission.edit_appointment; function prisonerAppointmentEditCheck(request) { const { user, prisoner, baseCheckStatus } = request; const baseCheckPassed = baseCheckStatus === PermissionCheckStatus.OK; const check = baseCheckPassed && isActiveCaseLoad(prisoner.prisonId, user) && !prisoner.restrictedPatient; if (!check) logDeniedPermissionCheck(permission$c, request, PermissionCheckStatus.NOT_ACTIVE_CASELOAD); return check; } const permission$b = PrisonerSchedulePermission.edit_activity; function prisonerActivityEditCheck(request) { const { user, prisoner, baseCheckStatus } = request; const baseCheckPassed = baseCheckStatus === PermissionCheckStatus.OK; const userHasActivityHubRole = userHasRole(Role.ActivityHub, user); const check = baseCheckPassed && userHasActivityHubRole && isActiveCaseLoad(prisoner.prisonId, user) && !prisoner.restrictedPatient; if (!check) logDeniedPermissionCheck(permission$b, request, userHasActivityHubRole ? PermissionCheckStatus.NOT_ACTIVE_CASELOAD : PermissionCheckStatus.ROLE_NOT_PRESENT); return check; } function prisonerScheduleCheck(request) { return { [PrisonerSchedulePermission.edit_appointment]: prisonerAppointmentEditCheck(request), [PrisonerSchedulePermission.edit_activity]: prisonerActivityEditCheck(request), }; } var UseOfForcePermission; (function (UseOfForcePermission) { UseOfForcePermission["edit"] = "prisoner:use-of-force:edit"; })(UseOfForcePermission || (UseOfForcePermission = {})); const permission$a = UseOfForcePermission.edit; function useOfForceEditCheck(request) { const { user, prisoner, baseCheckStatus } = request; const baseCheckPassed = baseCheckStatus === PermissionCheckStatus.OK; const check = baseCheckPassed && !prisoner.restrictedPatient && (isInUsersCaseLoad(prisoner.prisonId, user) || (isReleasedOrTransferring(prisoner.prisonId) && userHasRole(Role.InactiveBookings, user))); if (!check) logDeniedPermissionCheck(permission$a, request, PermissionCheckStatus.NOT_IN_CASELOAD); return check; } function useOfForceCheck(request) { return { [UseOfForcePermission.edit]: useOfForceEditCheck(request), }; } var PrisonerAlertsPermission; (function (PrisonerAlertsPermission) { PrisonerAlertsPermission["edit"] = "prisoner:prisoner-alerts:edit"; })(PrisonerAlertsPermission || (PrisonerAlertsPermission = {})); const permission$9 = PrisonerAlertsPermission.edit; function prisonerAlertsEditCheck(request) { const baseCheckPassed = request.baseCheckStatus === PermissionCheckStatus.OK; const alertsEditCheck = checkAlertsEditAccess(request); const alertsEditCheckPassed = alertsEditCheck === PermissionCheckStatus.OK; const check = baseCheckPassed && alertsEditCheckPassed; if (!check) logDeniedPermissionCheck(permission$9, request, alertsEditCheck); return check; } function checkAlertsEditAccess(request) { const { user, prisoner } = request; const inUsersCaseLoad = isInUsersCaseLoad(prisoner.prisonId, user); // User must have Update Alert role: if (!userHasRole(Role.UpdateAlert, user)) return PermissionCheckStatus.ROLE_NOT_PRESENT; // Restricted patients follow the base check: if (prisoner.restrictedPatient) return restrictedPatientStatus(user, prisoner); // Released prisoners follow base check: if (prisoner.prisonId === 'OUT') return releasedPrisonerStatus(user); // For transferring prisoners, only the Inactive Bookings role is acceptable, // Global Search role is not sufficient: if (prisoner.prisonId === 'TRN') { return userHasRole(Role.InactiveBookings, user) ? PermissionCheckStatus.OK : PermissionCheckStatus.PRISONER_IS_TRANSFERRING; } if (inUsersCaseLoad) return PermissionCheckStatus.OK; // Global Search role is not sufficient for prisoners outside of user's caseload: return PermissionCheckStatus.NOT_IN_CASELOAD; } function prisonerAlertsCheck(request) { return { [PrisonerAlertsPermission.edit]: prisonerAlertsEditCheck(request), }; } function prisonerSpecificCheck(request) { return { prisonerMoney: prisonerMoneyCheck(request), prisonerAdjudications: prisonerAdjudicationsCheck(request), prisonerIncentives: prisonerIncentivesCheck(request), personPrisonCategory: personPrisonCategoryCheck(request), prisonerSchedule: prisonerScheduleCheck(request), useOfForce: useOfForceCheck(request), prisonerAlerts: prisonerAlertsCheck(request), }; } var PrisonerVisitsAndVisitorsPermission; (function (PrisonerVisitsAndVisitorsPermission) { PrisonerVisitsAndVisitorsPermission["read"] = "prisoner:prisoner-visits-and-visitors:read"; })(PrisonerVisitsAndVisitorsPermission || (PrisonerVisitsAndVisitorsPermission = {})); function prisonerVisitsAndVisitorsReadCheck(request) { return inUsersCaseLoad(PrisonerVisitsAndVisitorsPermission.read, request); } function prisonerVisitsAndVisitorsCheck(request) { return { [PrisonerVisitsAndVisitorsPermission.read]: prisonerVisitsAndVisitorsReadCheck(request), }; } function locationDetailsAndHistoryReadCheck(permission, request) { const baseCheckPassed = request.baseCheckStatus === PermissionCheckStatus.OK; const locationDetailsAndHistoryCheckStatus = checkLocationDetailsAndHistoryAccess(request); const locationDetailsAndHistoryCheckPassed = locationDetailsAndHistoryCheckStatus === PermissionCheckStatus.OK; const check = baseCheckPassed && locationDetailsAndHistoryCheckPassed; if (!check) logDeniedPermissionCheck(permission, request, locationDetailsAndHistoryCheckStatus); return check; } function checkLocationDetailsAndHistoryAccess(request) { const { user, prisoner } = request; const inUsersCaseLoad = isInUsersCaseLoad(prisoner.prisonId, user); // Follows the base check: if (prisoner.restrictedPatient) return restrictedPatientStatus(user, prisoner); if (prisoner.prisonId === 'OUT') return releasedPrisonerStatus(user); if (prisoner.prisonId === 'TRN') return transferringPrisonerStatus(user); if (inUsersCaseLoad) return PermissionCheckStatus.OK; // Global Search access not allowed: return PermissionCheckStatus.NOT_IN_CASELOAD; } var PrisonerBaseLocationPermission; (function (PrisonerBaseLocationPermission) { PrisonerBaseLocationPermission["read_location_details"] = "prisoner:location-details:read"; PrisonerBaseLocationPermission["read_location_history"] = "prisoner:location-history:read"; PrisonerBaseLocationPermission["move_cell"] = "prisoner:location-cell:edit"; })(PrisonerBaseLocationPermission || (PrisonerBaseLocationPermission = {})); const permission$8 = PrisonerBaseLocationPermission.move_cell; function moveCellCheck(request) { const baseCheckPassed = request.baseCheckStatus === PermissionCheckStatus.OK; const hasCellMoveRole = userHasRole(Role.CellMove, request.user); const locationDetailsAndHistoryCheckStatus = checkLocationDetailsAndHistoryAccess(request); const locationDetailsAndHistoryCheckPassed = locationDetailsAndHistoryCheckStatus === PermissionCheckStatus.OK; const check = baseCheckPassed && hasCellMoveRole && locationDetailsAndHistoryCheckPassed; if (!check) logDeniedPermissionCheck(permission$8, request, hasCellMoveRole ? locationDetailsAndHistoryCheckStatus : PermissionCheckStatus.ROLE_NOT_PRESENT); return check; } function prisonerBaseLocationCheck(request) { return { [PrisonerBaseLocationPermission.read_location_details]: locationDetailsAndHistoryReadCheck(PrisonerBaseLocationPermission.read_location_details, request), [PrisonerBaseLocationPermission.read_location_history]: locationDetailsAndHistoryReadCheck(PrisonerBaseLocationPermission.read_location_history, request), [PrisonerBaseLocationPermission.move_cell]: moveCellCheck(request), }; } function runningAPrisonCheck(request) { return { prisonerVisitsAndVisitors: prisonerVisitsAndVisitorsCheck(request), prisonerBaseLocation: prisonerBaseLocationCheck(request), }; } var CaseNotesPermission; (function (CaseNotesPermission) { CaseNotesPermission["read"] = "prisoner:case-notes:read"; CaseNotesPermission["edit"] = "prisoner:case-notes:edit"; CaseNotesPermission["read_sensitive"] = "prisoner:case-notes:sensitive:read"; CaseNotesPermission["delete_sensitive"] = "prisoner:case-notes:sensitive:delete"; CaseNotesPermission["edit_sensitive"] = "prisoner:case-notes:sensitive:edit"; })(CaseNotesPermission || (CaseNotesPermission = {})); function caseNotesReadAndEditCheck(permission, request) { const baseCheckPassed = request.baseCheckStatus === PermissionCheckStatus.OK; const caseNotesCheckStatus = checkCaseNotesAccess(request); const caseNotesCheckPassed = caseNotesCheckStatus === PermissionCheckStatus.OK; const check = baseCheckPassed && caseNotesCheckPassed; if (!check) logDeniedPermissionCheck(permission, request, caseNotesCheckStatus); return check; } function checkCaseNotesAccess(request) { const { user, prisoner } = request; // Restricted patients follows the base check rules: if (prisoner.restrictedPatient) return restrictedPatientStatus(user, prisoner); // Released prisoners follows the base check rules: if (prisoner.prisonId === 'OUT') return releasedPrisonerStatus(user); // Case notes are only accessible for transferring prisoners if the user has the Inactive Bookings role: if (prisoner.prisonId === 'TRN') { return userHasRole(Role.InactiveBookings, user) ? PermissionCheckStatus.OK : PermissionCheckStatus.PRISONER_IS_TRANSFERRING; } // Case notes are accessible if the prisoner's prison is in the user's caseload: if (isInUsersCaseLoad(prisoner.prisonId, user)) return PermissionCheckStatus.OK; // Case notes for prisoners outside the user's caseload are only accessible with both Global Search and POM roles: return userHasAllRoles([Role.GlobalSearch, Role.PomUser], user) ? PermissionCheckStatus.OK : PermissionCheckStatus.ROLE_NOT_PRESENT; } const permission$7 = CaseNotesPermission.read; function caseNotesReadCheck(request) { return caseNotesReadAndEditCheck(permission$7, request); } function baseCheckAndUserHasSomeRolesFrom(roles, permission, request) { const { user, baseCheckStatus } = request; const baseCheckPassed = baseCheckStatus === PermissionCheckStatus.OK; const check = baseCheckPassed && userHasSomeRolesFrom(roles, user); if (!check) logDeniedPermissionCheck(permission, request, PermissionCheckStatus.ROLE_NOT_PRESENT); return check; } const permission$6 = CaseNotesPermission.read_sensitive; function sensitiveCaseNotesReadCheck(request) { return baseCheckAndUserHasSomeRolesFrom([Role.PomUser, Role.ViewSensitiveCaseNotes, Role.AddSensitiveCaseNotes], permission$6, request); } const permission$5 = CaseNotesPermission.delete_sensitive; function sensitiveCaseNotesDeleteCheck(request) { return baseCheckAndUserHasRole(Role.DeleteSensitiveCaseNotes, permission$5, request); } const permission$4 = CaseNotesPermission.edit_sensitive; function sensitiveCaseNotesEditCheck(request) { return baseCheckAndUserHasSomeRolesFrom([Role.PomUser, Role.AddSensitiveCaseNotes], permission$4, request); } const permission$3 = CaseNotesPermission.edit; function caseNotesEditCheck(request) { return caseNotesReadAndEditCheck(permission$3, request); } function caseNotesCheck(request) { return { [CaseNotesPermission.read]: caseNotesReadCheck(request), [CaseNotesPermission.edit]: caseNotesEditCheck(request), [CaseNotesPermission.read_sensitive]: sensitiveCaseNotesReadCheck(request), [CaseNotesPermission.delete_sensitive]: sensitiveCaseNotesDeleteCheck(request), [CaseNotesPermission.edit_sensitive]: sensitiveCaseNotesEditCheck(request), }; } var CorePersonRecordPermission; (function (CorePersonRecordPermission) { CorePersonRecordPermission["read_physical_characteristics"] = "prisoner:physical_characteristics:read"; CorePersonRecordPermission["edit_physical_characteristics"] = "prisoner:physical_characteristics:edit"; CorePersonRecordPermission["read_photo"] = "prisoner:photo:read"; CorePersonRecordPermission["edit_photo"] = "prisoner:photo:edit"; CorePersonRecordPermission["read_place_of_birth"] = "prisoner:place-of-birth:read"; CorePersonRecordPermission["edit_place_of_birth"] = "prisoner:place-of-birth:edit"; CorePersonRecordPermission["read_military_history"] = "prisoner:military-history:read"; CorePersonRecordPermission["edit_military_history"] = "prisoner:military-history:edit"; CorePersonRecordPermission["read_name_and_aliases"] = "prisoner:name-and-aliases:read"; CorePersonRecordPermission["edit_name_and_aliases"] = "prisoner:name-and-aliases:edit"; CorePersonRecordPermission["read_date_of_birth"] = "prisoner:date-of-birth:read"; CorePersonRecordPermission["edit_date_of_birth"] = "prisoner:date-of-birth:edit"; // (Prisoner's address) CorePersonRecordPermission["read_address"] = "prisoner:address:read"; CorePersonRecordPermission["edit_address"] = "prisoner:address:edit"; CorePersonRecordPermission["read_nationality"] = "prisoner:nationality:read"; CorePersonRecordPermission["edit_nationality"] = "prisoner:nationality:edit"; // (Such as PNC / CRO / NI number...) CorePersonRecordPermission["read_identifiers"] = "prisoner:identifiers:read"; CorePersonRecordPermission["edit_identifiers"] = "prisoner:identifiers:edit"; CorePersonRecordPermission["read_phone_numbers"] = "prisoner:phone-numbers:read"; CorePersonRecordPermission["edit_phone_numbers"] = "prisoner:phone-numbers:edit"; CorePersonRecordPermission["read_email_addresses"] = "prisoner:email-addresses:read"; CorePersonRecordPermission["edit_email_addresses"] = "prisoner:email-addresses:edit"; CorePersonRecordPermission["read_distinguishing_marks"] = "prisoner:distinguishing-marks:read"; CorePersonRecordPermission["edit_distinguishing_marks"] = "prisoner:distinguishing-marks:edit"; })(CorePersonRecordPermission || (CorePersonRecordPermission = {})); function inActiveCaseLoadAndUserHasSomeRolesFrom(roles, permission, request) { const { user, prisoner, baseCheckStatus } = request; const baseCheckPassed = baseCheckStatus === PermissionCheckStatus.OK; const inActiveCaseLoad = isActiveCaseLoad(prisoner.prisonId, user); const hasRole = userHasSomeRolesFrom(roles, user); const check = baseCheckPassed && inActiveCaseLoad && hasRole; if (!check) logDeniedPermissionCheck(permission, request, inActiveCaseLoad ? PermissionCheckStatus.ROLE_NOT_PRESENT : PermissionCheckStatus.NOT_ACTIVE_CASELOAD); return check; } function inActiveCaseLoad(permission, request) { return inActiveCaseLoadAndUserHasSomeRolesFrom([], permission, request); } function prisonerProfileEditCheck(permission, request) { return inActiveCaseLoad(permission, request); } function inActiveCaseLoadAndUserHasRole(role, permission, request) { return inActiveCaseLoadAndUserHasSomeRolesFrom([role], permission, request); } function prisonerProfileSensitiveEditCheck(permission, request) { return inActiveCaseLoadAndUserHasRole(Role.PrisonerProfileSensitiveEdit, permission, request); } const permission$2 = CorePersonRecordPermission.read_photo; function photoReadCheck(request) { const baseCheckPassed = request.baseCheckStatus === PermissionCheckStatus.OK; const photoCheckStatus = checkPhotoAccess(request); const photoCheckPassed = photoCheckStatus === PermissionCheckStatus.OK; const check = baseCheckPassed && photoCheckPassed; if (!check) logDeniedPermissionCheck(permission$2, request, photoCheckStatus); return check; } function checkPhotoAccess(request) { const { user, prisoner } = request; // Restricted patients follows the base check rules: if (prisoner.restrictedPatient) return restrictedPatientStatus(user, prisoner); // Released prisoners follows the base check rules: if (prisoner.prisonId === 'OUT') return releasedPrisonerStatus(user); // Photos are only accessible for transferring prisoners if the user has the Inactive Bookings role // (Global Search is NOT sufficient): if (prisoner.prisonId === 'TRN') { return userHasRole(Role.InactiveBookings, user) ? PermissionCheckStatus.OK : PermissionCheckStatus.PRISONER_IS_TRANSFERRING; } // Global search does NOT permit access to photo: return isInUsersCaseLoad(prisoner.prisonId, user) ? PermissionCheckStatus.OK : PermissionCheckStatus.NOT_IN_CASELOAD; } function corePersonRecordCheck(request) { return { [CorePersonRecordPermission.read_photo]: photoReadCheck(request), [CorePersonRecordPermission.edit_photo]: inActiveCaseLoadAndUserHasSomeRolesFrom([Role.PrisonerProfileSensitiveEdit, Role.PrisonerProfilePhotoUpload], CorePersonRecordPermission.edit_photo, request), ...readCheck$4(CorePersonRecordPermission.read_physical_characteristics, request), ...editCheck$4(CorePersonRecordPermission.edit_physical_characteristics, request), ...readCheck$4(CorePersonRecordPermission.read_place_of_birth, request), ...sensitiveEditCheck$2(CorePersonRecordPermission.edit_place_of_birth, request), ...readCheck$4(CorePersonRecordPermission.read_military_history, request), ...editCheck$4(CorePersonRecordPermission.edit_military_history, request), ...readCheck$4(CorePersonRecordPermission.read_name_and_aliases, request), ...sensitiveEditCheck$2(CorePersonRecordPermission.edit_name_and_aliases, request), ...readCheck$4(CorePersonRecordPermission.read_date_of_birth, request), ...sensitiveEditCheck$2(CorePersonRecordPermission.edit_date_of_birth, request), ...readCheck$4(CorePersonRecordPermission.read_address, request), ...sensitiveEditCheck$2(CorePersonRecordPermission.edit_address, request), ...readCheck$4(CorePersonRecordPermission.read_nationality, request), ...sensitiveEditCheck$2(CorePersonRecordPermission.edit_nationality, request), ...readCheck$4(CorePersonRecordPermission.read_identifiers, request), ...sensitiveEditCheck$2(CorePersonRecordPermission.edit_identifiers, request), ...readCheck$4(CorePersonRecordPermission.read_phone_numbers, request), ...sensitiveEditCheck$2(CorePersonRecordPermission.edit_phone_numbers, request), ...readCheck$4(CorePersonRecordPermission.read_email_addresses, request), ...sensitiveEditCheck$2(CorePersonRecordPermission.edit_email_addresses, request), ...readCheck$4(CorePersonRecordPermission.read_distinguishing_marks, request), ...sensitiveEditCheck$2(CorePersonRecordPermission.edit_distinguishing_marks, request), }; } function readCheck$4(permission, request) { return { [permission]: baseCheck(permission, request) }; } function editCheck$4(permission, request) { return { [permission]: prisonerProfileEditCheck(permission, request) }; } function sensitiveEditCheck$2(permission, request) { return { [permission]: prisonerProfileSensitiveEditCheck(permission, request) }; } var PersonProtectedCharacteristicsPermission; (function (PersonProtectedCharacteristicsPermission) { PersonProtectedCharacteristicsPermission["read_sexual_orientation"] = "prisoner:sexual-orientation:read"; PersonProtectedCharacteristicsPermission["edit_sexual_orientation"] = "prisoner:sexual-orientation:edit"; PersonProtectedCharacteristicsPermission["read_religion_and_belief"] = "prisoner:religion-and-belief:read"; PersonProtectedCharacteristicsPermission["edit_religion_and_belief"] = "prisoner:religion-and-belief:edit"; PersonProtectedCharacteristicsPermission["read_ethnicity"] = "prisoner:ethnicity:read"; PersonProtectedCharacteristicsPermission["edit_ethnicity"] = "prisoner:ethnicity:edit"; })(PersonProtectedCharacteristicsPermission || (PersonProtectedCharacteristicsPermission = {})); function personProtectedCharacteristicsCheck(request) { return { ...readCheck$3(PersonProtectedCharacteristicsPermission.read_sexual_orientation, request), ...sensitiveEditCheck$1(PersonProtectedCharacteristicsPermission.edit_sexual_orientation, request), ...readCheck$3(PersonProtectedCharacteristicsPermission.read_religion_and_belief, request), ...editCheck$3(PersonProtectedCharacteristicsPermission.edit_religion_and_belief, request), ...readCheck$3(PersonProtectedCharacteristicsPermission.read_ethnicity, request), ...sensitiveEditCheck$1(PersonProtectedCharacteristicsPermission.edit_ethnicity, request), }; } function readCheck$3(permission, request) { return { [permission]: baseCheck(permission, request) }; } function editCheck$3(permission, request) { return { [permission]: prisonerProfileEditCheck(permission, request) }; } function sensitiveEditCheck$1(permission, request) { return { [permission]: prisonerProfileSensitiveEditCheck(permission, request) }; } var PersonHealthAndMedicationPermission; (function (PersonHealthAndMedicationPermission) { PersonHealthAndMedicationPermission["read_pregnancy"] = "prisoner:pregnancy:read"; PersonHealthAndMedicationPermission["edit_pregnancy"] = "prisoner:pregnancy:edit"; PersonHealthAndMedicationPermission["read_diet"] = "prisoner:diet:read"; PersonHealthAndMedicationPermission["edit_diet"] = "prisoner:diet:edit"; PersonHealthAndMedicationPermission["read_smoker"] = "prisoner:smoker:read"; PersonHealthAndMedicationPermission["edit_smoker"] = "prisoner:smoker:edit"; })(PersonHealthAndMedicationPermission || (PersonHealthAndMedicationPermission = {})); const permission$1 = PersonHealthAndMedicationPermission.edit_diet; function dietEditCheck(request) { return inActiveCaseLoadAndUserHasRole(Role.DietAndAllergiesEdit, permission$1, request); } function personHealthAndMedicationCheck(request) { return { ...readCheck$2(PersonHealthAndMedicationPermission.read_pregnancy, request), ...editCheck$2(PersonHealthAndMedicationPermission.edit_pregnancy, request), ...readCheck$2(PersonHealthAndMedicationPermission.read_smoker, request), ...editCheck$2(PersonHealthAndMedicationPermission.edit_smoker, request), ...readCheck$2(PersonHealthAndMedicationPermission.read_diet, request), [PersonHealthAndMedicationPermission.edit_diet]: dietEditCheck(request), }; } function readCheck$2(permission, request) { return { [permission]: baseCheck(permission, request) }; } function editCheck$2(permission, request) { return { [permission]: prisonerProfileEditCheck(permission, request) }; } var PersonalRelationshipsPermission; (function (PersonalRelationshipsPermission) { PersonalRelationshipsPermission["read_number_of_children"] = "prisoner:number-of-children:read"; PersonalRelationshipsPermission["edit_number_of_children"] = "prisoner:number-of-children:edit"; PersonalRelationshipsPermission["read_domestic_status"] = "prisoner:domestic-status:read"; PersonalRelationshipsPermission["edit_domestic_status"] = "prisoner:domestic-status:edit"; // Next of kin & emergency contacts (via prisoner profile) // This needs a review once both the contacts service and the // profile edit have been rolled out wider: PersonalRelationshipsPermission["read_emergency_contacts"] = "prisoner:emergency-contacts:read"; PersonalRelationshipsPermission["edit_emergency_contacts"] = "prisoner:emergency-contacts:edit"; // All social and official contacts: PersonalRelationshipsPermission["read_contacts"] = "prisoner:contacts:read"; PersonalRelationshipsPermission["edit_contacts"] = "prisoner:contacts:edit"; PersonalRelationshipsPermission["edit_contact_restrictions"] = "prisoner:contact-restrictions:edit"; PersonalRelationshipsPermission["edit_contact_visit_approval"] = "prisoner:contact-visit-approval:edit"; })(PersonalRelationshipsPermission || (PersonalRelationshipsPermission = {})); function inUsersCaseLoadAndUserHasSomeRolesFrom(roles, permission, request) { const { user, prisoner, baseCheckStatus } = request; const baseCheckPassed = baseCheckStatus === PermissionCheckStatus.OK; const inUsersCaseLoad = isInUsersCaseLoad(prisoner.prisonId, user); const hasRole = userHasSomeRolesFrom(roles, user); const check = baseCheckPassed && inUsersCaseLoad && hasRole; if (!check) logDeniedPermissionCheck(permission, request, inUsersCaseLoad ? PermissionCheckStatus.ROLE_NOT_PRESENT : PermissionCheckStatus.NOT_IN_CASELOAD); return check; } function inUsersCaseLoadAndUserHasRole(role, permission, request) { return inUsersCaseLoadAndUserHasSomeRolesFrom([role], permission, request); } function personalRelationshipsCheck(request) { return { ...readCheck$1(PersonalRelationshipsPermission.read_number_of_children, request), ...editCheck$1(PersonalRelationshipsPermission.edit_number_of_children, request), ...readCheck$1(PersonalRelationshipsPermission.read_domestic_status, request), ...editCheck$1(PersonalRelationshipsPermission.edit_domestic_status, request), ...readCheck$1(PersonalRelationshipsPermission.read_emergency_contacts, request), ...sensitiveEditCheck(PersonalRelationshipsPermission.edit_emergency_contacts, request), [PersonalRelationshipsPermission.read_contacts]: inUsersCaseLoad(PersonalRelationshipsPermission.read_contacts, request), [PersonalRelationshipsPermission.edit_contacts]: inUsersCaseLoadAndUserHasSomeRolesFrom([Role.ContactsAdministrator, Role.ContactsAuthoriser], PersonalRelationshipsPermission.edit_contacts, request), [PersonalRelationshipsPermission.edit_contact_restrictions]: inUsersCaseLoadAndUserHasRole(Role.ContactsAuthoriser, PersonalRelationshipsPermission.edit_contact_restrictions, request), [PersonalRelationshipsPermission.edit_contact_visit_approval]: inUsersCaseLoadAndUserHasRole(Role.ContactsAuthoriser, PersonalRelationshipsPermission.edit_contact_visit_approval, request), }; } function readCheck$1(permission, request) { return { [permission]: baseCheck(permission, request) }; } function editCheck$1(permission, request) { return { [permission]: prisonerProfileEditCheck(permission, request) }; } function sensitiveEditCheck(permission, request) { return { [permission]: prisonerProfileSensitiveEditCheck(permission, request) }; } function personCheck(request) { return { caseNotes: caseNotesCheck(request), corePersonRecord: corePersonRecordCheck(request), personProtectedCharacteristics: personProtectedCharacteristicsCheck(request), personHealthAndMedication: personHealthAndMedicationCheck(request), personalRelationships: personalRelationshipsCheck(request), }; } var PathfinderPermission; (function (PathfinderPermission) { PathfinderPermission["read"] = "prisoner:pathfinder:read"; PathfinderPermission["edit"] = "prisoner:pathfinder:edit"; })(PathfinderPermission || (PathfinderPermission = {})); function pathfinderReadCheck(request) { return baseCheckAndUserHasSomeRolesFrom([ Role.PathfinderApproval, Role.PathfinderStdPrison, Role.PathfinderStdProbation, Role.PathfinderHQ, Role.PathfinderUser, Role.PathfinderLocalReader, Role.PathfinderNationalReader, Role.PathfinderPolice, Role.PathfinderPsychologist, ], PathfinderPermission.read, request); } function pathfinderEditCheck(request) { return baseCheckAndUserHasSomeRolesFrom([ Role.PathfinderApproval, Role.PathfinderStdPrison, Role.PathfinderStdProbation, Role.PathfinderHQ, Role.PathfinderUser, ], PathfinderPermission.edit, request); } function pathfinderCheck(request) { return { [PathfinderPermission.read]: pathfinderReadCheck(request), [PathfinderPermission.edit]: pathfinderEditCheck(request), }; } var SOCPermission; (function (SOCPermission) { SOCPermission["read"] = "prisoner:soc:read"; SOCPermission["edit"] = "prisoner:soc:edit"; })(SOCPermission || (SOCPermission = {})); function socReadCheck(request) { return baseCheckAndUserHasSomeRolesFrom([Role.SocCommunity, Role.SocCustody], SOCPermission.read, request); } function socEditCheck(request) { return baseCheckAndUserHasSomeRolesFrom([Role.SocCustody, Role.SocCommunity, Role.SocDataAnalyst, Role.SocDataManager], SOCPermission.edit, request); } function socCheck(request) { return { [SOCPermission.read]: socReadCheck(request), [SOCPermission.edit]: socEditCheck(request), }; } function securityCheck(request) { return { pathfinder: pathfinderCheck(request), soc: socCheck(request), }; } var ProbationDocumentsPermission; (function (ProbationDocumentsPermission) { ProbationDocumentsPermission["read"] = "prisoner:probation-documents:read"; })(ProbationDocumentsPermission || (ProbationDocumentsPermission = {})); const permission = ProbationDocumentsPermission.read; function probationDocumentsReadCheck(request) { const baseCheckPassed = request.baseCheckStatus === PermissionCheckStatus.OK; const probationDocumentsCheckStatus = checkProbationDocumentsReadAccess(request); const probationDocumentsCheckPassed = probationDocumentsCheckStatus === PermissionCheckStatus.OK; const check = baseCheckPassed && probationDocumentsCheckPassed; if (!check) logDeniedPermissionCheck(permission, request, probationDocumentsCheckStatus); return check; } function checkProbationDocumentsReadAccess(request) { const { user, prisoner } = request; // User must firstly have one of the following roles: if (!userHasSomeRolesFrom([Role.PomUser, Role.ViewProbationDocuments], user)) { return PermissionCheckStatus.ROLE_NOT_PRESENT; } // Restricted patients follow the base check rules: if (prisoner.restrictedPatient) return restrictedPatientStatus(user, prisoner); // Released prisoners follow the base check rules: if (prisoner.prisonId === 'OUT') return releasedPrisonerStatus(user); // Transferring prisoners follow the base check rules: if (prisoner.prisonId === 'TRN') return transferringPrisonerStatus(user); if (isInUsersCaseLoad(prisoner.prisonId, user)) return PermissionCheckStatus.OK; // Global search access is not allowed: return PermissionCheckStatus.NOT_IN_CASELOAD; } function probationDocumentsCheck(request) { return { [ProbationDocumentsPermission.read]: probationDocumentsReadCheck(request), }; } function probationCheck(request) { return { probationDocuments: probationDocumentsCheck(request), }; } var PersonInterventionsPermission; (function (PersonInterventionsPermission) { PersonInterventionsPermission["read_csip"] = "prisoner:csip:read"; })(PersonInterventionsPermission || (PersonInterventionsPermission = {})); function csipReadCheck(request) { return inUsersCaseLoad(PersonInterventionsPermission.read_csip, request); } function personInterventionsCheck(request) { return { [PersonInterventionsPermission.read_csip]: csipReadCheck(request), }; } function interventionsCheck(request) { return { personInterventions: personInterventionsCheck(request), }; } var PrisonerBasePermission; (function (PrisonerBasePermission) { PrisonerBasePermission["read"] = "prisoner:base-record:read"; })(PrisonerBasePermission || (PrisonerBasePermission = {})); var PersonCommunicationNeedsPermission; (function (PersonCommunicationNeedsPermission) { PersonCommunicationNeedsPermission["read_language"] = "prisoner:language:read"; PersonCommunicationNeedsPermission["edit_language"] = "prisoner:language:edit"; })(PersonCommunicationNeedsPermission || (PersonCommunicationNeedsPermission = {})); function personCommunicationNeedsCheck(request) { return { ...readCheck(PersonCommunicationNeedsPermission.read_language, request), ...editCheck(PersonCommunicationNeedsPermission.edit_language, request), }; } function readCheck(permission, request) { return { [permission]: baseCheck(permission, request) }; } function editCheck(permission, request) { return { [permission]: prisonerProfileEditCheck(permission, request) }; } function personPlanAndNeedsCheck(request) { return { personCommunicationNeeds: personCommunicationNeedsCheck(request), }; } class PermissionsService { prisonerSearchClient; permissionsLogger; static create({ prisonerSearchConfig, authenticationClient, logger = console, telemetryClient, }) { return new PermissionsService(new PrisonerSearchClient(logger, prisonerSearchConfig, authenticationClient), new PermissionsLogger(logger, telemetryClient)); } constructor(prisonerSearchClient, permissionsLogger) { this.prisonerSearchClient = prisonerSearchClient; this.permissionsLogger = permissionsLogger; } getPrisonerPermissions({ user, prisoner, requestDependentOn, }) { const request = { user, prisoner, baseCheckStatus: baseCheckStatus(user, prisoner), requestDependentOn, permissionsLogger: this.permissionsLogger, }; return { [PrisonerBasePermission.read]: baseCheck(PrisonerBasePermission.read, request), domainGroups: { interventions: interventionsCheck(request), person: personCheck(request), personPlanAndNeeds: personPlanAndNeedsCheck(request), prisonerSpecific: prisonerSpecificCheck(request), probation: probationCheck(request), runningAPrison: runningAPrisonCheck(request), security: securityCheck(request), sentenceAndOffence: sentenceAndOffenceCheck(request), }, }; } getPrisonerDetails(prisonerNumber) { return this.prisonerSearchClient.getPrisonerDetails(prisonerNumber); } } class PrisonerPermissionError extends Error { status = 403; deniedPermissionChecks; constructor(message = 'Access not permitted', failedPermissionChecks = []) { super(message); this.name = 'NotFoundError'; this.deniedPermissionChecks = failedPermissionChecks; } } // eslint-disable-next-line import/prefer-default-export const prisonerAdjudicationsPermissionPaths = { [PrisonerAdjudicationsPermission.read]: `domainGroups.prisonerSpecific.prisonerAdjudications.${PrisonerAdjudicationsPermission.read}`, }; // eslint-disable-next-line import/prefer-default-export const prisonerMoneyPermissionPaths = { [PrisonerMoneyPermission.read]: `domainGroups.prisonerSpecific.prisonerMoney.${PrisonerMoneyPermission.read}`, }; // eslint-disable-next-line import/prefer-default-export const prisonerIncentivesPermissionPaths = { [PrisonerIncentivesPermission.read]: `domainGroups.prisonerSpecific.prisonerIncentives.${PrisonerIncentivesPermission