Track consent revoked by and display it on the file card

[dtgreiner]

Merging this PR

• use the squash-merge strategy for PRs targeting a release-X branch
• use a merge-commit or rebase strategy for PRs targeting the stable branch

Description

Track consent revoked by and display the data on the file card the file has been revoked.

Type of change

New feature

Checklist before requesting review

• I have performed a self-review of my code
• I have run the code that is being changed under ideal conditions, and it doesn't fail
• If adding a new endpoint / exposing data in a new way, I have:
  • ensured the API can't leak data from other data sources
  • ensured this does not introduce N+1s
  • ensured permissions and visibility checks are performed in the right places
• I have updated the documentation (or not applicable)
• I have added spec tests (or not applicable)
• I have provided testing instructions in this PR or the related issue (or not applicable)

[eanders]

Suggested change

# binding.pry

[eanders]

Is there some reason we can't just call this from the controller? There are a bunch of callbacks, but the controller should know the user that made the change, so should be able to set consent_revoked_by_user_id: current_user.id when creating or updating the record. (There is significant complexity here, so I may be missing something.)

While we're in here, it might be worth adding has_paper_trail. I was going to suggest we pull the user out of the versions table, but it appears these aren't being logged.

[dtgreiner]

It was mentioned in the ticket that this may be a good way to go. At the time, it felt like capturing it at a deeper level may good if we are working with files in multiple controllers, but I see what you are saying and it does feel less complex to just have the controller handle it. I'll adjust the PR.

[eanders]

Happy to discuss if you already looked at these ideas, but dropped a few questions inline.

[dtgreiner]

@eanders I just pushed an update to pull the logic out of the callbacks and into the controllers. It should be good for another look whenever you have the chance. Thanks!

Edit - missed adding paper_trail here. Working on that now.

[eanders]

Suggested change

	revoked_by_id = current_user.id if @file.consent_revoked_at.present?
	@file.consent_revoked_by_user_id = revoked_by_id if @file.consent_revoked_at_changed?
	if @file.consent_revoked_at_changed?
	@file.consent_revoked_by_user_id = if @file.consent_revoked_at.present?
	current_user.id
	else
	nil
	end
	end

[eanders]

The above can go in a method on ClientFile so you can call @file.set_revocation_info(current_user)

[eanders]

Don't think you need this since we aren't passing it as a parameter.

[eanders]

Thanks @dtgreiner, this is way cleaner.

[gigxz]

This caused a test regression on HMIS, because duplicate versions are being created for HMIS files. https://github.com/greenriver/hmis-warehouse/actions/runs/11525170831/job/32086897713

The problem is that Hmis::File also calls has_paper_trail (and attaches some metadata).

Paper Trail has an unreleased (breaking) change that will actually cause this to fail https://github.com/paper-trail-gem/paper_trail/blob/master/CHANGELOG.md#breaking-changes / paper-trail-gem/paper_trail#1479. They acknowledge that this can create duplicates. Glad we caught it with the test first!

I don't have much context on this PR, so not sure what the best course of action is. This class is pretty lightweight, so one approach is for Hmis::File to just not subclass it. I did that here #4872 and the tests pass, but it needed some weirdness to get type set.

[eanders]

Good catch @gigxz ! I believe our intent was actually to add has_paper_trail to ClientFile. Not sure we need it in the base class. I'll give that a try and see if tests still fail.