From 4086ea35384f625a56a2f6867be627249ccc82c4 Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Thu, 10 Oct 2024 17:37:17 +0100
Subject: [PATCH 01/17] Add check to see if User has access to FIAT

---
 .../Extensions/ClaimsPrincipleExtensions.cs           | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 DfE.FindInformationAcademiesTrusts/Extensions/ClaimsPrincipleExtensions.cs

diff --git a/DfE.FindInformationAcademiesTrusts/Extensions/ClaimsPrincipleExtensions.cs b/DfE.FindInformationAcademiesTrusts/Extensions/ClaimsPrincipleExtensions.cs
new file mode 100644
index 000000000..d4e8aaba3
--- /dev/null
+++ b/DfE.FindInformationAcademiesTrusts/Extensions/ClaimsPrincipleExtensions.cs
@@ -0,0 +1,11 @@
+using System.Security.Claims;
+
+namespace DfE.FindInformationAcademiesTrusts.Extensions;
+
+public static class ClaimsPrincipleExtensions
+{
+    public static bool HasAccessToFiat(this ClaimsPrincipal user)
+    {
+        return user.IsInRole("User.Role.Authorised");
+    }
+}

From 1fa6d8a098855566aadef974d2346aa3a9726ace Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Thu, 10 Oct 2024 17:39:05 +0100
Subject: [PATCH 02/17] Hide header and footer areas not accessible to users
 without FIAT access

Also test BasePageModel and ContentPageModel in their own dedicated test files and only test changes to default behaviour in subclasses
---
 .../Pages/Shared/BasePageModel.cs             | 10 ++-
 .../Pages/Shared/ContentPageModel.cs          | 12 ++-
 .../Pages/Shared/_Footer.cshtml               | 26 ++++---
 .../Pages/Shared/_Header.cshtml               | 29 ++++----
 .../Mocks/MockHttpContext.cs                  |  7 ++
 .../Pages/ErrorModelTests.cs                  |  9 ++-
 .../Pages/Shared/BasePageModelTests.cs        | 74 +++++++++++++++++++
 .../Pages/Shared/ContentPageModelTests.cs     | 56 ++++++++++++++
 .../Pages/Trusts/GovernanceModelTests.cs      |  6 --
 9 files changed, 195 insertions(+), 34 deletions(-)
 create mode 100644 tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/BasePageModelTests.cs
 create mode 100644 tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/ContentPageModelTests.cs

diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Shared/BasePageModel.cs b/DfE.FindInformationAcademiesTrusts/Pages/Shared/BasePageModel.cs
index 418732a67..aa9ef52b6 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/Shared/BasePageModel.cs
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Shared/BasePageModel.cs
@@ -1,3 +1,4 @@
+using DfE.FindInformationAcademiesTrusts.Extensions;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 
@@ -5,6 +6,13 @@ namespace DfE.FindInformationAcademiesTrusts.Pages.Shared;
 
 public abstract class BasePageModel : PageModel
 {
-    public bool ShowHeaderSearch { get; init; } = true;
+    private readonly bool _showHeaderSearch = true;
+
+    public bool ShowHeaderSearch
+    {
+        get => _showHeaderSearch && User.HasAccessToFiat();
+        init => _showHeaderSearch = value;
+    }
+
     [BindProperty(SupportsGet = true)] public string? KeyWords { get; set; } = string.Empty;
 }
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Shared/ContentPageModel.cs b/DfE.FindInformationAcademiesTrusts/Pages/Shared/ContentPageModel.cs
index 976c56db5..61cf454dd 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/Shared/ContentPageModel.cs
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Shared/ContentPageModel.cs
@@ -1,6 +1,14 @@
+using DfE.FindInformationAcademiesTrusts.Extensions;
+
 namespace DfE.FindInformationAcademiesTrusts.Pages.Shared;
 
-public class ContentPageModel : BasePageModel
+public abstract class ContentPageModel : BasePageModel
 {
-    public bool ShowBreadcrumb { get; set; } = true;
+    private bool _showBreadcrumb = true;
+
+    public bool ShowBreadcrumb
+    {
+        get => _showBreadcrumb && User.HasAccessToFiat();
+        set => _showBreadcrumb = value;
+    }
 }
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Shared/_Footer.cshtml b/DfE.FindInformationAcademiesTrusts/Pages/Shared/_Footer.cshtml
index 4791909d8..fbc074318 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/Shared/_Footer.cshtml
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Shared/_Footer.cshtml
@@ -1,4 +1,5 @@
 @using DfE.FindInformationAcademiesTrusts.Configuration
+@using DfE.FindInformationAcademiesTrusts.Extensions
 <footer class="govuk-footer">
   <div class="govuk-width-container">
     <div class="govuk-footer__navigation">
@@ -23,17 +24,20 @@
           </li>
         </ul>
       </div>
-      <div class="govuk-footer__section govuk-grid-column-one-half">
-        <h2 class="govuk-footer__heading govuk-heading-m">Give feedback</h2>
-        <ul class="govuk-footer__list">
-          <li class="govuk-footer__list-item">
-            <a class="govuk-footer__link" href="@ViewConstants.FeedbackFormLink" target="_blank" rel="noopener noreferrer">Give feedback (opens in a new tab)</a>
-          </li>
-          <li class="govuk-footer__list-item">
-            <a class="govuk-footer__link" href="@ViewConstants.SuggestChangeFormLink" target="_blank" rel="noopener noreferrer">Suggest a change (opens in a new tab)</a>
-          </li>
-        </ul>
-      </div>
+      @if (User.HasAccessToFiat())
+      {
+        <div class="govuk-footer__section govuk-grid-column-one-half">
+          <h2 class="govuk-footer__heading govuk-heading-m">Give feedback</h2>
+          <ul class="govuk-footer__list">
+            <li class="govuk-footer__list-item">
+              <a class="govuk-footer__link" href="@ViewConstants.FeedbackFormLink" target="_blank" rel="noopener noreferrer">Give feedback (opens in a new tab)</a>
+            </li>
+            <li class="govuk-footer__list-item">
+              <a class="govuk-footer__link" href="@ViewConstants.SuggestChangeFormLink" target="_blank" rel="noopener noreferrer">Suggest a change (opens in a new tab)</a>
+            </li>
+          </ul>
+        </div>
+      }
     </div>
     <div class="govuk-footer__meta">
       <div class="govuk-footer__meta-item govuk-footer__meta-item--grow">
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Shared/_Header.cshtml b/DfE.FindInformationAcademiesTrusts/Pages/Shared/_Header.cshtml
index 1cced5443..d87041580 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/Shared/_Header.cshtml
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Shared/_Header.cshtml
@@ -15,24 +15,27 @@
       @if (Model.ShowHeaderSearch)
       {
         <div class="dfe-header__search">
-          <partial name="_HeaderSearchForm" model="Model"/>
+          <partial name="Shared/_HeaderSearchForm" model="Model"/>
         </div>
       }
     </div>
   </div>
 </header>
 
-<div class="app-banner app-banner--s">
-  <div class="dfe-width-container">
-    <div class="govuk-phase-banner">
-      <p class="govuk-phase-banner__content">
-        <strong class="govuk-tag govuk-phase-banner__content__tag">
-          Beta
-        </strong>
-        <span class="govuk-phase-banner__text">
-          This is a new product – your <a class="govuk-link" href="@ViewConstants.FeedbackFormLink" target="_blank">feedback (opens in a new tab)</a> will help us to improve it.
-        </span>
-      </p>
+@if (Model.ShowHeaderSearch)
+{
+  <div class="app-banner app-banner--s">
+    <div class="dfe-width-container">
+      <div class="govuk-phase-banner">
+        <p class="govuk-phase-banner__content">
+          <strong class="govuk-tag govuk-phase-banner__content__tag">
+            Beta
+          </strong>
+          <span class="govuk-phase-banner__text">
+            This is a new product – your <a class="govuk-link" href="@ViewConstants.FeedbackFormLink" target="_blank">feedback (opens in a new tab)</a> will help us to improve it.
+          </span>
+        </p>
+      </div>
     </div>
   </div>
-</div>
+}
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs
index 81c711934..20079a044 100644
--- a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs
@@ -20,6 +20,7 @@ public MockHttpContext()
 
         ClaimsPrincipal user = new();
         user.AddIdentity(_claimsIdentity);
+        AddUserClaim(_claimsIdentity.RoleClaimType, "User.Role.Authorised");
 
         _mockRequest.Setup(m => m.Cookies).Returns(_mockRequestCookies.Object);
         _mockRequest.Setup(m => m.Query[It.IsAny<string>()]).Returns("");
@@ -35,6 +36,12 @@ public MockHttpContext()
         Setup(m => m.User).Returns(user);
     }
 
+    public void SetupUnauthorizedUser()
+    {
+        var roleClaim = _claimsIdentity.Claims.Single(c => c.Type == _claimsIdentity.RoleClaimType);
+        _claimsIdentity.RemoveClaim(roleClaim);
+    }
+
     public void AddUserClaim(string type, string value)
     {
         _claimsIdentity.AddClaim(new Claim(type, value));
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/ErrorModelTests.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/ErrorModelTests.cs
index 802c34965..f3e6634a8 100644
--- a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/ErrorModelTests.cs
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/ErrorModelTests.cs
@@ -1,6 +1,7 @@
 using DfE.FindInformationAcademiesTrusts.Pages;
 using DfE.FindInformationAcademiesTrusts.UnitTests.Mocks;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc.RazorPages;
 
 namespace DfE.FindInformationAcademiesTrusts.UnitTests.Pages;
 
@@ -14,7 +15,13 @@ public ErrorModelTests()
         Mock<IHttpContextAccessor> mockHttpAccessor = new();
         mockHttpAccessor.Setup(m => m.HttpContext).Returns(_mockHttpContext.Object);
 
-        _sut = new ErrorModel(mockHttpAccessor.Object);
+        _sut = new ErrorModel(mockHttpAccessor.Object)
+        {
+            PageContext = new PageContext
+            {
+                HttpContext = _mockHttpContext.Object
+            }
+        };
     }
 
     [Fact]
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/BasePageModelTests.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/BasePageModelTests.cs
new file mode 100644
index 000000000..a8ca03bb3
--- /dev/null
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/BasePageModelTests.cs
@@ -0,0 +1,74 @@
+using DfE.FindInformationAcademiesTrusts.Pages.Shared;
+using DfE.FindInformationAcademiesTrusts.UnitTests.Mocks;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace DfE.FindInformationAcademiesTrusts.UnitTests.Pages.Shared;
+
+public class BasePageModelTests
+{
+    private readonly MockHttpContext _mockHttpContext = new();
+    private readonly PageContext _pageContext;
+
+    private class BasePageModelImplementation : BasePageModel;
+
+    public BasePageModelTests()
+    {
+        _pageContext = new PageContext
+        {
+            HttpContext = _mockHttpContext.Object
+        };
+    }
+
+    [Fact]
+    public void ShowHeaderSearch_should_default_to_true_for_authorized_user()
+    {
+        var sut = new BasePageModelImplementation
+        {
+            PageContext = _pageContext
+        };
+
+        sut.ShowHeaderSearch.Should().BeTrue();
+    }
+
+    [Theory]
+    [InlineData(true)]
+    [InlineData(false)]
+    public void ShowHeaderSearch_should_retain_setting_for_authorized_user(bool value)
+    {
+        var sut = new BasePageModelImplementation
+        {
+            PageContext = _pageContext,
+            ShowHeaderSearch = value
+        };
+
+        sut.ShowHeaderSearch.Should().Be(value);
+    }
+
+    [Fact]
+    public void ShowHeaderSearch_should_default_to_false_for_unauthorized_user()
+    {
+        _mockHttpContext.SetupUnauthorizedUser();
+        var sut = new BasePageModelImplementation
+        {
+            PageContext = _pageContext,
+            ShowHeaderSearch = true
+        };
+
+        sut.ShowHeaderSearch.Should().BeFalse();
+    }
+
+    [Theory]
+    [InlineData(true)]
+    [InlineData(false)]
+    public void ShowHeaderSearch_should_be_always_be_false_for_unauthorized_user(bool value)
+    {
+        _mockHttpContext.SetupUnauthorizedUser();
+        var sut = new BasePageModelImplementation
+        {
+            PageContext = _pageContext,
+            ShowHeaderSearch = value
+        };
+
+        sut.ShowHeaderSearch.Should().BeFalse();
+    }
+}
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/ContentPageModelTests.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/ContentPageModelTests.cs
new file mode 100644
index 000000000..8d99e0a7f
--- /dev/null
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/ContentPageModelTests.cs
@@ -0,0 +1,56 @@
+using DfE.FindInformationAcademiesTrusts.Pages.Shared;
+using DfE.FindInformationAcademiesTrusts.UnitTests.Mocks;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace DfE.FindInformationAcademiesTrusts.UnitTests.Pages.Shared;
+
+public class ContentPageModelTests
+{
+    private readonly ContentPageModel _sut;
+    private readonly MockHttpContext _mockHttpContext = new();
+
+    private class ContentPageModelImplementation : ContentPageModel;
+
+    public ContentPageModelTests()
+    {
+        _sut = new ContentPageModelImplementation
+        {
+            PageContext = new PageContext
+            {
+                HttpContext = _mockHttpContext.Object
+            }
+        };
+    }
+
+    [Fact]
+    public void ShowBreadcrumb_should_default_to_true_for_authorized_user()
+    {
+        _sut.ShowBreadcrumb.Should().BeTrue();
+    }
+
+    [Theory]
+    [InlineData(true)]
+    [InlineData(false)]
+    public void ShowBreadcrumb_should_retain_setting_when_set_to_true_for_authorized_user(bool value)
+    {
+        _sut.ShowBreadcrumb = value;
+        _sut.ShowBreadcrumb.Should().Be(value);
+    }
+
+    [Fact]
+    public void ShowBreadcrumb_should_default_to_false_for_unauthorized_user()
+    {
+        _mockHttpContext.SetupUnauthorizedUser();
+        _sut.ShowBreadcrumb.Should().BeFalse();
+    }
+
+    [Theory]
+    [InlineData(true)]
+    [InlineData(false)]
+    public void ShowBreadcrumb_should_be_always_be_false_for_unauthorized_user(bool value)
+    {
+        _mockHttpContext.SetupUnauthorizedUser();
+        _sut.ShowBreadcrumb = value;
+        _sut.ShowBreadcrumb.Should().BeFalse();
+    }
+}
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Trusts/GovernanceModelTests.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Trusts/GovernanceModelTests.cs
index d4ddfbfeb..1c8b59bb0 100644
--- a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Trusts/GovernanceModelTests.cs
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Trusts/GovernanceModelTests.cs
@@ -84,12 +84,6 @@ public void PageName_should_be_Governance()
         _sut.PageName.Should().Be("Governance");
     }
 
-    [Fact]
-    public void ShowHeaderSearch_should_be_true()
-    {
-        _sut.ShowHeaderSearch.Should().Be(true);
-    }
-
     [Fact]
     public async Task OnGetAsync_returns_NotFoundResult_if_Trust_is_null()
     {

From 3d39ed476bf9d9ab83fc6092e522edd3df5c9fb3 Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Mon, 14 Oct 2024 15:48:49 +0100
Subject: [PATCH 03/17] Move EnvironmentExtensions.cs into the Extensions
 folder

---
 .../Authorization/AutomationAuthorizationHandler.cs             | 1 +
 .../{ => Extensions}/EnvironmentExtensions.cs                   | 2 +-
 DfE.FindInformationAcademiesTrusts/Program.cs                   | 1 +
 .../EnvironmentExtensionsTests.cs                               | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)
 rename DfE.FindInformationAcademiesTrusts/{ => Extensions}/EnvironmentExtensions.cs (94%)

diff --git a/DfE.FindInformationAcademiesTrusts/Authorization/AutomationAuthorizationHandler.cs b/DfE.FindInformationAcademiesTrusts/Authorization/AutomationAuthorizationHandler.cs
index 257ceb46b..1f4424c2b 100644
--- a/DfE.FindInformationAcademiesTrusts/Authorization/AutomationAuthorizationHandler.cs
+++ b/DfE.FindInformationAcademiesTrusts/Authorization/AutomationAuthorizationHandler.cs
@@ -1,5 +1,6 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Security.Claims;
+using DfE.FindInformationAcademiesTrusts.Extensions;
 using DfE.FindInformationAcademiesTrusts.Options;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Authorization.Infrastructure;
diff --git a/DfE.FindInformationAcademiesTrusts/EnvironmentExtensions.cs b/DfE.FindInformationAcademiesTrusts/Extensions/EnvironmentExtensions.cs
similarity index 94%
rename from DfE.FindInformationAcademiesTrusts/EnvironmentExtensions.cs
rename to DfE.FindInformationAcademiesTrusts/Extensions/EnvironmentExtensions.cs
index dabb88025..243615356 100644
--- a/DfE.FindInformationAcademiesTrusts/EnvironmentExtensions.cs
+++ b/DfE.FindInformationAcademiesTrusts/Extensions/EnvironmentExtensions.cs
@@ -1,4 +1,4 @@
-namespace DfE.FindInformationAcademiesTrusts;
+namespace DfE.FindInformationAcademiesTrusts.Extensions;
 
 public static class EnvironmentExtensions
 {
diff --git a/DfE.FindInformationAcademiesTrusts/Program.cs b/DfE.FindInformationAcademiesTrusts/Program.cs
index 45b4dea9e..93532e277 100644
--- a/DfE.FindInformationAcademiesTrusts/Program.cs
+++ b/DfE.FindInformationAcademiesTrusts/Program.cs
@@ -10,6 +10,7 @@
 using DfE.FindInformationAcademiesTrusts.Data.Repositories.Academy;
 using DfE.FindInformationAcademiesTrusts.Data.Repositories.DataSource;
 using DfE.FindInformationAcademiesTrusts.Data.Repositories.Trust;
+using DfE.FindInformationAcademiesTrusts.Extensions;
 using DfE.FindInformationAcademiesTrusts.Options;
 using DfE.FindInformationAcademiesTrusts.Pages;
 using DfE.FindInformationAcademiesTrusts.Services.Academy;
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/EnvironmentExtensionsTests.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/EnvironmentExtensionsTests.cs
index a08a493f5..08d37a717 100644
--- a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/EnvironmentExtensionsTests.cs
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/EnvironmentExtensionsTests.cs
@@ -1,3 +1,4 @@
+using DfE.FindInformationAcademiesTrusts.Extensions;
 using Microsoft.AspNetCore.Hosting;
 
 namespace DfE.FindInformationAcademiesTrusts.UnitTests;

From dcbb005a73ea36c9716ebaeb64927caa48748365 Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Mon, 14 Oct 2024 17:45:57 +0100
Subject: [PATCH 04/17] Add role requirement to authorisation

This is to enable a redirect to a friendly page for users that are authenticated with DfE AD but do not have access to FIAT
---
 DfE.FindInformationAcademiesTrusts/Program.cs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/DfE.FindInformationAcademiesTrusts/Program.cs b/DfE.FindInformationAcademiesTrusts/Program.cs
index 93532e277..2aa0145b1 100644
--- a/DfE.FindInformationAcademiesTrusts/Program.cs
+++ b/DfE.FindInformationAcademiesTrusts/Program.cs
@@ -251,9 +251,10 @@ private static void AddAuthenticationServices(WebApplicationBuilder builder)
     {
         builder.Services.AddAuthorization(options =>
         {
-            var policyBuilder = new AuthorizationPolicyBuilder();
-            policyBuilder.RequireAuthenticatedUser();
-            options.DefaultPolicy = policyBuilder.Build();
+            options.DefaultPolicy = new AuthorizationPolicyBuilder()
+                .RequireAuthenticatedUser()
+                .RequireRole("User.Role.Authorised")
+                .Build();
             options.FallbackPolicy = options.DefaultPolicy;
         });
 
@@ -269,6 +270,8 @@ private static void AddAuthenticationServices(WebApplicationBuilder builder)
                 options.Cookie.IsEssential = true;
                 options.Cookie.SameSite = SameSiteMode.None;
                 options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+
+                options.AccessDeniedPath = "/no-access";
             });
 
         builder.Services.AddAntiforgery(opts => { opts.Cookie.Name = ".FindInformationAcademiesTrusts.Antiforgery"; });

From d5d4611a7cf308375d2c7b72fa866447915eb9fc Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Mon, 14 Oct 2024 17:46:43 +0100
Subject: [PATCH 05/17] Fix Privacy page having incorrect width

---
 DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml b/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml
index e00ff1497..c86a9edaa 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml
@@ -7,7 +7,7 @@
 }
 
 <div class="govuk-grid-row">
-  <div class="govuk-grid-column-two-thirds">
+  <div class="govuk-grid-column-three-quarters">
     <h1 class="govuk-heading-l">
       Privacy notice for Find information about academies and trusts
     </h1>

From 4f69cf61692bd730b84893f5fb2da73edcfbe4c1 Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Mon, 14 Oct 2024 17:48:02 +0100
Subject: [PATCH 06/17] Add no access page

---
 .../Pages/NoAccess.cshtml                     | 21 +++++++++++++++++++
 .../Pages/NoAccess.cshtml.cs                  |  7 +++++++
 2 files changed, 28 insertions(+)
 create mode 100644 DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml
 create mode 100644 DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs

diff --git a/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml b/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml
new file mode 100644
index 000000000..61b535ec7
--- /dev/null
+++ b/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml
@@ -0,0 +1,21 @@
+@page "/no-access"
+@model NoAccessModel
+
+@{
+  Layout = "_ContentLayout";
+  ViewData["Title"] = "You do not have access to this service";
+}
+
+<div class="govuk-grid-row">
+  <div class="govuk-grid-column-three-quarters">
+    <h1 class="govuk-heading-l">
+      You do not have access to this service
+    </h1>
+    <p class="govuk-body">
+      You must <a href="https://dfe.service-now.com/ithelpcentre?id=sc_cat_item&sys_id=19732a3b1b181250593ddce7b04bcbc2">request access to Find information about academies and trusts</a> before you can use it.
+    </p>
+    <p class="govuk-body">
+      It can take up to 5 days for access to be granted and you will be notified when this has happened.
+    </p>
+  </div>
+</div>
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs b/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs
new file mode 100644
index 000000000..5ae0609c8
--- /dev/null
+++ b/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs
@@ -0,0 +1,7 @@
+using DfE.FindInformationAcademiesTrusts.Pages.Shared;
+using Microsoft.AspNetCore.Authorization;
+
+namespace DfE.FindInformationAcademiesTrusts.Pages;
+
+[AllowAnonymous]
+public class NoAccessModel : ContentPageModel;

From f4c658cef6a9c9c9b73656196805adf8a7b7d956 Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Mon, 14 Oct 2024 17:49:09 +0100
Subject: [PATCH 07/17] Make some basic content pages accessible to users not
 set up to use FIAT

---
 .../Pages/Accessibility.cshtml                             | 2 +-
 .../Pages/Accessibility.cshtml.cs                          | 7 +++++++
 DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs | 2 ++
 DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml    | 2 +-
 DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml.cs | 7 +++++++
 5 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml.cs
 create mode 100644 DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml.cs

diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml b/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml
index 5649f9de8..b70d3363d 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml
@@ -1,5 +1,5 @@
 @page
-@model DfE.FindInformationAcademiesTrusts.Pages.Shared.ContentPageModel
+@model AccessibilityModel
 
 @{
   Layout = "_ContentLayout";
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml.cs b/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml.cs
new file mode 100644
index 000000000..1afbe906a
--- /dev/null
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml.cs
@@ -0,0 +1,7 @@
+using DfE.FindInformationAcademiesTrusts.Pages.Shared;
+using Microsoft.AspNetCore.Authorization;
+
+namespace DfE.FindInformationAcademiesTrusts.Pages;
+
+[AllowAnonymous]
+public class AccessibilityModel : ContentPageModel;
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs b/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs
index d3691616e..c1c286e71 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs
@@ -1,9 +1,11 @@
 using DfE.FindInformationAcademiesTrusts.Pages.Shared;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.IdentityModel.Tokens;
 
 namespace DfE.FindInformationAcademiesTrusts.Pages;
 
+[AllowAnonymous]
 public class CookiesModel : ContentPageModel
 {
     private readonly IHttpContextAccessor _httpContextAccessor;
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml b/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml
index c86a9edaa..6b1e88804 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml
@@ -1,5 +1,5 @@
 @page
-@model DfE.FindInformationAcademiesTrusts.Pages.Shared.ContentPageModel
+@model PrivacyModel
 
 @{
   Layout = "_ContentLayout";
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml.cs b/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml.cs
new file mode 100644
index 000000000..d0af908cf
--- /dev/null
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml.cs
@@ -0,0 +1,7 @@
+using DfE.FindInformationAcademiesTrusts.Pages.Shared;
+using Microsoft.AspNetCore.Authorization;
+
+namespace DfE.FindInformationAcademiesTrusts.Pages;
+
+[AllowAnonymous]
+public class PrivacyModel : ContentPageModel;

From dc13189a715beed1496e2d4960da27eb67335e34 Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Thu, 17 Oct 2024 16:15:06 +0100
Subject: [PATCH 08/17] Move authorised user role name into a static config
 class

---
 .../Configuration/UserRoles.cs                              | 6 ++++++
 .../Extensions/ClaimsPrincipleExtensions.cs                 | 3 ++-
 DfE.FindInformationAcademiesTrusts/Program.cs               | 3 ++-
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 DfE.FindInformationAcademiesTrusts/Configuration/UserRoles.cs

diff --git a/DfE.FindInformationAcademiesTrusts/Configuration/UserRoles.cs b/DfE.FindInformationAcademiesTrusts/Configuration/UserRoles.cs
new file mode 100644
index 000000000..f82af8238
--- /dev/null
+++ b/DfE.FindInformationAcademiesTrusts/Configuration/UserRoles.cs
@@ -0,0 +1,6 @@
+namespace DfE.FindInformationAcademiesTrusts.Configuration;
+
+public static class UserRoles
+{
+    public const string AuthorisedFiatUser = "User.Role.Authorised";
+}
diff --git a/DfE.FindInformationAcademiesTrusts/Extensions/ClaimsPrincipleExtensions.cs b/DfE.FindInformationAcademiesTrusts/Extensions/ClaimsPrincipleExtensions.cs
index d4e8aaba3..499c14050 100644
--- a/DfE.FindInformationAcademiesTrusts/Extensions/ClaimsPrincipleExtensions.cs
+++ b/DfE.FindInformationAcademiesTrusts/Extensions/ClaimsPrincipleExtensions.cs
@@ -1,4 +1,5 @@
 using System.Security.Claims;
+using DfE.FindInformationAcademiesTrusts.Configuration;
 
 namespace DfE.FindInformationAcademiesTrusts.Extensions;
 
@@ -6,6 +7,6 @@ public static class ClaimsPrincipleExtensions
 {
     public static bool HasAccessToFiat(this ClaimsPrincipal user)
     {
-        return user.IsInRole("User.Role.Authorised");
+        return user.IsInRole(UserRoles.AuthorisedFiatUser);
     }
 }
diff --git a/DfE.FindInformationAcademiesTrusts/Program.cs b/DfE.FindInformationAcademiesTrusts/Program.cs
index 2aa0145b1..8308efce3 100644
--- a/DfE.FindInformationAcademiesTrusts/Program.cs
+++ b/DfE.FindInformationAcademiesTrusts/Program.cs
@@ -1,5 +1,6 @@
 using Azure.Identity;
 using DfE.FindInformationAcademiesTrusts.Authorization;
+using DfE.FindInformationAcademiesTrusts.Configuration;
 using DfE.FindInformationAcademiesTrusts.Data;
 using DfE.FindInformationAcademiesTrusts.Data.AcademiesDb;
 using DfE.FindInformationAcademiesTrusts.Data.AcademiesDb.Contexts;
@@ -253,7 +254,7 @@ private static void AddAuthenticationServices(WebApplicationBuilder builder)
         {
             options.DefaultPolicy = new AuthorizationPolicyBuilder()
                 .RequireAuthenticatedUser()
-                .RequireRole("User.Role.Authorised")
+                .RequireRole(UserRoles.AuthorisedFiatUser)
                 .Build();
             options.FallbackPolicy = options.DefaultPolicy;
         });

From b257340cdc5c75e0c6f0b8f151706c7fdb25a448 Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Fri, 18 Oct 2024 12:58:56 +0100
Subject: [PATCH 09/17] Move FIAT cookie names to static config class

---
 .../Configuration/FiatCookies.cs              |   8 +
 .../CookiesHelper.cs                          |  10 +-
 .../Pages/Cookies.cshtml                      | 277 +++++++++---------
 .../Pages/Cookies.cshtml.cs                   |  23 +-
 DfE.FindInformationAcademiesTrusts/Program.cs |  10 +-
 .../Mocks/MockHttpContext.cs                  |  15 +-
 .../Pages/CookiesModelTests.cs                |   5 +-
 7 files changed, 177 insertions(+), 171 deletions(-)
 create mode 100644 DfE.FindInformationAcademiesTrusts/Configuration/FiatCookies.cs

diff --git a/DfE.FindInformationAcademiesTrusts/Configuration/FiatCookies.cs b/DfE.FindInformationAcademiesTrusts/Configuration/FiatCookies.cs
new file mode 100644
index 000000000..068dd0200
--- /dev/null
+++ b/DfE.FindInformationAcademiesTrusts/Configuration/FiatCookies.cs
@@ -0,0 +1,8 @@
+namespace DfE.FindInformationAcademiesTrusts.Configuration;
+
+public static class FiatCookies
+{
+    public const string Antiforgery = ".FindInformationAcademiesTrusts.Antiforgery";
+    public const string CookieConsent = ".FindInformationAcademiesTrusts.CookieConsent";
+    public const string Login = ".FindInformationAcademiesTrusts.Login";
+}
diff --git a/DfE.FindInformationAcademiesTrusts/CookiesHelper.cs b/DfE.FindInformationAcademiesTrusts/CookiesHelper.cs
index 0a697af5a..5c2b8118c 100644
--- a/DfE.FindInformationAcademiesTrusts/CookiesHelper.cs
+++ b/DfE.FindInformationAcademiesTrusts/CookiesHelper.cs
@@ -1,10 +1,10 @@
-using Microsoft.AspNetCore.Mvc.ViewFeatures;
+using DfE.FindInformationAcademiesTrusts.Configuration;
+using Microsoft.AspNetCore.Mvc.ViewFeatures;
 
 namespace DfE.FindInformationAcademiesTrusts;
 
 public static class CookiesHelper
 {
-    public const string ConsentCookieName = ".FindInformationAcademiesTrust.CookieConsent";
     public const string DeleteCookieTempDataName = "DeleteCookie";
     public const string CookieChangedTempDataName = "CookieResponse";
     public const string ReturnPathQuery = "returnPath";
@@ -22,8 +22,8 @@ public static bool OptionalCookiesAreAccepted(HttpContext context, ITempDataDict
             return false;
         }
 
-        return context.Request.Cookies.ContainsKey(ConsentCookieName) &&
-               bool.Parse(context.Request.Cookies[ConsentCookieName]!);
+        return context.Request.Cookies.ContainsKey(FiatCookies.CookieConsent) &&
+               bool.Parse(context.Request.Cookies[FiatCookies.CookieConsent]!);
     }
 
     public static string ReturnPath(HttpContext context)
@@ -35,7 +35,7 @@ public static string ReturnPath(HttpContext context)
 
     public static bool ShowCookieBanner(HttpContext context, ITempDataDictionary tempData)
     {
-        return !context.Request.Cookies.ContainsKey(ConsentCookieName) &&
+        return !context.Request.Cookies.ContainsKey(FiatCookies.CookieConsent) &&
                tempData[DeleteCookieTempDataName] is null;
     }
 }
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml b/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml
index b4452fe59..4ea3c3af8 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml
@@ -1,157 +1,158 @@
 @page
+@using DfE.FindInformationAcademiesTrusts.Configuration
 @model CookiesModel
 
 @{
-    Layout = "_ContentLayout";
-    ViewData["Title"] = "Cookies";
+  Layout = "_ContentLayout";
+  ViewData["Title"] = "Cookies";
 }
 
 @if (Model.DisplayCookieChangedMessageOnCookiesPage)
 {
-    <div class="govuk-notification-banner govuk-notification-banner--success" role="alert" aria-labelledby="govuk-notification-banner-title" data-module="govuk-notification-banner">
-        <div class="govuk-notification-banner__header">
-            <h2 class="govuk-notification-banner__title" id="govuk-notification-banner-title">
-                Success
-            </h2>
-        </div>
-        <div class="govuk-notification-banner__content">
-            <p class="govuk-notification-banner__heading">
-                You’ve set your cookie preferences. <a class="govuk-notification-banner__link" href="@Model.ReturnPath" data-testid="return-to-previous-page">Go back to the page you were looking at</a>.
-            </p>
-        </div>
+  <div class="govuk-notification-banner govuk-notification-banner--success" role="alert" aria-labelledby="govuk-notification-banner-title" data-module="govuk-notification-banner">
+    <div class="govuk-notification-banner__header">
+      <h2 class="govuk-notification-banner__title" id="govuk-notification-banner-title">
+        Success
+      </h2>
     </div>
+    <div class="govuk-notification-banner__content">
+      <p class="govuk-notification-banner__heading">
+        You’ve set your cookie preferences. <a class="govuk-notification-banner__link" href="@Model.ReturnPath" data-testid="return-to-previous-page">Go back to the page you were looking at</a>.
+      </p>
+    </div>
+  </div>
 }
 
 <h1 class="govuk-heading-l">Cookie preferences</h1>
 <div class="govuk-grid-row">
-    <div class="govuk-grid-column-three-quarters">
-        <p class="govuk-body">
-            Cookies are small files saved on your phone, tablet or computer when you visit a website.
-        </p>
-        <p class="govuk-body">
-            We use cookies to make Find information about academies and trusts work and collect information about how you use our service.
-        </p>
-        <h2 class="govuk-heading-m">Essential cookies</h2>
-        <p class="govuk-body">
-            Essential cookies keep your information secure while you use this site. We do not need to ask permission to use them.
-        </p>
-        <table class="govuk-table" aria-label="Essential cookies">
-            <thead class="govuk-table__header">
-                <tr>
-                    <th class="govuk-table__header">Name</th>
-                    <th class="govuk-table__header">Purpose</th>
-                    <th class="govuk-table__header">Expires</th>
-                </tr>
-            </thead>
-            <tbody class="govuk-table__body">
-                <tr>
-                    <td class="govuk-table__cell">.FindInformationAcademiesTrusts.Login</td>
-                    <td class="govuk-table__cell">Used to keep you signed in</td>
-                    <td class="govuk-table__cell">With browser settings (Session)</td>
-                </tr>
-                <tr>
-                    <td class="govuk-table__cell">.FindInformationAcademiesTrusts.CookieConsent </td>
-                    <td class="govuk-table__cell">Stores your consent to optional cookies </td>
-                    <td class="govuk-table__cell">1 year</td>
-                </tr>
-                <tr>
-                    <td class="govuk-table__cell">ASLBSA </td>
-                    <td class="govuk-table__cell">Used to balance the load on our servers </td>
-                    <td class="govuk-table__cell">With browser settings (Session)</td>
-                </tr>
-                <tr>
-                    <td class="govuk-table__cell">ASLBSACORS </td>
-                    <td class="govuk-table__cell">Used to balance the load on our servers </td>
-                    <td class="govuk-table__cell">With browser settings (Session)</td>
-                </tr>
-                <tr>
-                    <td class="govuk-table__cell">.FindInformationAcademiesTrusts.Antiforgery </td>
-                    <td class="govuk-table__cell">Secures you and our service against Cross Site Scripting Attacks (CSRF) </td>
-                    <td class="govuk-table__cell">With browser settings (Session)</td>
-                </tr>
-            </tbody>
-        </table>
+  <div class="govuk-grid-column-three-quarters">
+    <p class="govuk-body">
+      Cookies are small files saved on your phone, tablet or computer when you visit a website.
+    </p>
+    <p class="govuk-body">
+      We use cookies to make Find information about academies and trusts work and collect information about how you use our service.
+    </p>
+    <h2 class="govuk-heading-m">Essential cookies</h2>
+    <p class="govuk-body">
+      Essential cookies keep your information secure while you use this site. We do not need to ask permission to use them.
+    </p>
+    <table class="govuk-table" aria-label="Essential cookies">
+      <thead class="govuk-table__header">
+        <tr>
+          <th class="govuk-table__header">Name</th>
+          <th class="govuk-table__header">Purpose</th>
+          <th class="govuk-table__header">Expires</th>
+        </tr>
+      </thead>
+      <tbody class="govuk-table__body">
+        <tr>
+          <td class="govuk-table__cell">@FiatCookies.Login</td>
+          <td class="govuk-table__cell">Used to keep you signed in</td>
+          <td class="govuk-table__cell">With browser settings (Session)</td>
+        </tr>
+        <tr>
+          <td class="govuk-table__cell">@FiatCookies.CookieConsent</td>
+          <td class="govuk-table__cell">Stores your consent to optional cookies </td>
+          <td class="govuk-table__cell">1 year</td>
+        </tr>
+        <tr>
+          <td class="govuk-table__cell">ASLBSA </td>
+          <td class="govuk-table__cell">Used to balance the load on our servers </td>
+          <td class="govuk-table__cell">With browser settings (Session)</td>
+        </tr>
+        <tr>
+          <td class="govuk-table__cell">ASLBSACORS </td>
+          <td class="govuk-table__cell">Used to balance the load on our servers </td>
+          <td class="govuk-table__cell">With browser settings (Session)</td>
+        </tr>
+        <tr>
+          <td class="govuk-table__cell">@FiatCookies.Antiforgery</td>
+          <td class="govuk-table__cell">Secures you and our service against Cross Site Scripting Attacks (CSRF) </td>
+          <td class="govuk-table__cell">With browser settings (Session)</td>
+        </tr>
+      </tbody>
+    </table>
 
-        <h2 class="govuk-heading-m">Optional analytics cookies</h2>
-        <p class="govuk-body">
-            With your permission, we use Application Insights and Google Analytics to collect data about how you use this site. This information helps us to improve our service.
-        </p>
-        <p class="govuk-body">
-            Application Insights and Google Analytics are not allowed to use or share our analytics data with anyone. Application Insights and Google Analytics store information about:
-        </p>
-        <ul class="govuk-list govuk-list--bullet">
-            <li>how you got to this site</li>
-            <li>the pages you visit on this site and how long you spend on them</li>
-            <li>any errors you see while using this site</li>
-            <li>what you click on while you are visiting the site</li>
-            <li>whether you’ve visited before</li>
-            <li>your unique user identity</li>
-        </ul>
+    <h2 class="govuk-heading-m">Optional analytics cookies</h2>
+    <p class="govuk-body">
+      With your permission, we use Application Insights and Google Analytics to collect data about how you use this site. This information helps us to improve our service.
+    </p>
+    <p class="govuk-body">
+      Application Insights and Google Analytics are not allowed to use or share our analytics data with anyone. Application Insights and Google Analytics store information about:
+    </p>
+    <ul class="govuk-list govuk-list--bullet">
+      <li>how you got to this site</li>
+      <li>the pages you visit on this site and how long you spend on them</li>
+      <li>any errors you see while using this site</li>
+      <li>what you click on while you are visiting the site</li>
+      <li>whether you’ve visited before</li>
+      <li>your unique user identity</li>
+    </ul>
 
-        <table class="govuk-table" aria-label="Essential cookies">
-            <thead class="govuk-table__header">
-                <tr>
-                    <th class="govuk-table__header">Name</th>
-                    <th class="govuk-table__header">Purpose</th>
-                    <th class="govuk-table__header">Expires</th>
-                </tr>
-            </thead>
-            <tbody class="govuk-table__body">
-                <tr>
-                    <td class="govuk-table__cell">ai_user</td>
-                    <td class="govuk-table__cell">Checks if you have visited this site before. This helps us count how many people visit our site.</td>
-                    <td class="govuk-table__cell">1 year</td>
-                </tr>
-                <tr>
-                    <td class="govuk-table__cell">ai_session</td>
-                    <td class="govuk-table__cell">Checks if you have visited this site before. This helps us count how many people visit our site.</td>
-                    <td class="govuk-table__cell">30 minutes</td>
-                </tr>
-                <tr class="govuk-table__row">
-                    <td class="govuk-table__cell">ai_authUser</td>
-                    <td class="govuk-table__cell">This helps us to identify authenticated users and how they interact with the site</td>
-                    <td class="govuk-table__cell">When you close your browser</td>
-                </tr>
-                <tr>
-                    <td class="govuk-table__cell">_ga</td>
-                    <td class="govuk-table__cell">Tracks your activity on the site. This helps us to improve our service.</td>
-                    <td class="govuk-table__cell">2 years</td>
-                </tr>
-                <tr>
-                    <td class="govuk-table__cell">_gid</td>
-                    <td class="govuk-table__cell">Tracks a number of users. This helps us determine patterns in behaviour.</td>
-                    <td class="govuk-table__cell">24 hours</td>
-                </tr>
-            </tbody>
-        </table>
-    </div>
+    <table class="govuk-table" aria-label="Essential cookies">
+      <thead class="govuk-table__header">
+        <tr>
+          <th class="govuk-table__header">Name</th>
+          <th class="govuk-table__header">Purpose</th>
+          <th class="govuk-table__header">Expires</th>
+        </tr>
+      </thead>
+      <tbody class="govuk-table__body">
+        <tr>
+          <td class="govuk-table__cell">ai_user</td>
+          <td class="govuk-table__cell">Checks if you have visited this site before. This helps us count how many people visit our site.</td>
+          <td class="govuk-table__cell">1 year</td>
+        </tr>
+        <tr>
+          <td class="govuk-table__cell">ai_session</td>
+          <td class="govuk-table__cell">Checks if you have visited this site before. This helps us count how many people visit our site.</td>
+          <td class="govuk-table__cell">30 minutes</td>
+        </tr>
+        <tr class="govuk-table__row">
+          <td class="govuk-table__cell">ai_authUser</td>
+          <td class="govuk-table__cell">This helps us to identify authenticated users and how they interact with the site</td>
+          <td class="govuk-table__cell">When you close your browser</td>
+        </tr>
+        <tr>
+          <td class="govuk-table__cell">_ga</td>
+          <td class="govuk-table__cell">Tracks your activity on the site. This helps us to improve our service.</td>
+          <td class="govuk-table__cell">2 years</td>
+        </tr>
+        <tr>
+          <td class="govuk-table__cell">_gid</td>
+          <td class="govuk-table__cell">Tracks a number of users. This helps us determine patterns in behaviour.</td>
+          <td class="govuk-table__cell">24 hours</td>
+        </tr>
+      </tbody>
+    </table>
+  </div>
 </div>
 <div class="govuk-grid-row">
-    <div class="govuk-grid-column-two-thirds">
-        <form method="post" name="frmCookies">
-            <div class="govuk-form-group">
-                <input type="hidden" name="redirectPath" value="@(HttpContext.Request.Path + HttpContext.Request.QueryString)"/>
-                <fieldset class="govuk-fieldset">
-                    <legend class="govuk-fieldset__legend govuk-fieldset__legend--m">
-                        <h3 class="govuk-fieldset__heading">Do you want to accept cookies that measure your website use?</h3>
-                    </legend>
-                    <div class="govuk-radios">
-                        <div class="govuk-radios__item">
-                            <input class="govuk-radios__input" id="cookies-accept" type="radio" name="consent" value="true" checked="@Model.Consent">
-                            <label class="govuk-label govuk-radios__label" for="cookies-accept">
-                                Yes
-                            </label>
-                        </div>
-                        <div class="govuk-radios__item">
-                            <input class="govuk-radios__input" id="cookies-reject" type="radio" name="consent" value="false" checked="@(!Model.Consent)">
-                            <label class="govuk-label govuk-radios__label" for="cookies-reject">
-                                No
-                            </label>
-                        </div>
-                    </div>
-                </fieldset>
+  <div class="govuk-grid-column-two-thirds">
+    <form method="post" name="frmCookies">
+      <div class="govuk-form-group">
+        <input type="hidden" name="redirectPath" value="@(HttpContext.Request.Path + HttpContext.Request.QueryString)"/>
+        <fieldset class="govuk-fieldset">
+          <legend class="govuk-fieldset__legend govuk-fieldset__legend--m">
+            <h3 class="govuk-fieldset__heading">Do you want to accept cookies that measure your website use?</h3>
+          </legend>
+          <div class="govuk-radios">
+            <div class="govuk-radios__item">
+              <input class="govuk-radios__input" id="cookies-accept" type="radio" name="consent" value="true" checked="@Model.Consent">
+              <label class="govuk-label govuk-radios__label" for="cookies-accept">
+                Yes
+              </label>
             </div>
-            <button type="submit" class="govuk-button" data-module="govuk-button" data-testid="save-cookie-preferences-button">Save changes</button>
-        </form>
-    </div>
+            <div class="govuk-radios__item">
+              <input class="govuk-radios__input" id="cookies-reject" type="radio" name="consent" value="false" checked="@(!Model.Consent)">
+              <label class="govuk-label govuk-radios__label" for="cookies-reject">
+                No
+              </label>
+            </div>
+          </div>
+        </fieldset>
+      </div>
+      <button type="submit" class="govuk-button" data-module="govuk-button" data-testid="save-cookie-preferences-button">Save changes</button>
+    </form>
+  </div>
 </div>
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs b/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs
index c1c286e71..ebc3f1b69 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs
@@ -1,3 +1,4 @@
+using DfE.FindInformationAcademiesTrusts.Configuration;
 using DfE.FindInformationAcademiesTrusts.Pages.Shared;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@@ -6,18 +7,12 @@
 namespace DfE.FindInformationAcademiesTrusts.Pages;
 
 [AllowAnonymous]
-public class CookiesModel : ContentPageModel
+public class CookiesModel(IHttpContextAccessor httpContextAccessor) : ContentPageModel
 {
-    private readonly IHttpContextAccessor _httpContextAccessor;
     public bool DisplayCookieChangedMessageOnCookiesPage { get; set; }
     [BindProperty(SupportsGet = true)] public string? ReturnPath { get; set; }
     [BindProperty(SupportsGet = true)] public bool? Consent { get; set; }
 
-    public CookiesModel(IHttpContextAccessor httpContextAccessor)
-    {
-        _httpContextAccessor = httpContextAccessor;
-    }
-
     /// <summary>
     /// Used to load the cookies page or to set cookie preferences from the cookie banner
     /// </summary>
@@ -32,7 +27,7 @@ public ActionResult OnGet()
         {
             if (CookiesPreferencesHaveBeenSet())
             {
-                Consent = CookiesHelper.OptionalCookiesAreAccepted(_httpContextAccessor.HttpContext!, TempData);
+                Consent = CookiesHelper.OptionalCookiesAreAccepted(httpContextAccessor.HttpContext!, TempData);
             }
 
             return Page();
@@ -58,7 +53,7 @@ private void ApplyCookieConsent()
         {
             CookieOptions cookieOptions = new()
                 { Expires = DateTime.UtcNow.AddYears(1), Secure = true, HttpOnly = true };
-            _httpContextAccessor.HttpContext!.Response.Cookies.Append(CookiesHelper.ConsentCookieName,
+            httpContextAccessor.HttpContext!.Response.Cookies.Append(FiatCookies.CookieConsent,
                 Consent.Value.ToString(), cookieOptions);
             TempData[CookiesHelper.CookieChangedTempDataName] = true;
         }
@@ -77,7 +72,7 @@ private void DeleteAppInsightsCookies()
         var optionalCookiePrefixes = new[] { "ai_session", "ai_user", "ai_authUser" };
         var cookiesToDelete = GetMatchingCookies(optionalCookiePrefixes);
 
-        cookiesToDelete.ForEach(cookie => _httpContextAccessor.HttpContext!.Response.Cookies.Delete(cookie));
+        cookiesToDelete.ForEach(cookie => httpContextAccessor.HttpContext!.Response.Cookies.Delete(cookie));
     }
 
     private void DeleteGoogleAnalyticsCookies()
@@ -90,15 +85,15 @@ private void DeleteGoogleAnalyticsCookies()
             // Need to delete cookies that exists outside of our current host
             // Can't delete cookies unless the domain is specified, by default it will be the current host
             // Issue was it worked on localhost but not on dev, test or prod, because google analytics cookies are set on a different domain
-            _httpContextAccessor.HttpContext!.Response.Cookies.Delete(cookie);
-            _httpContextAccessor.HttpContext!.Response.Cookies.Delete(cookie,
+            httpContextAccessor.HttpContext!.Response.Cookies.Delete(cookie);
+            httpContextAccessor.HttpContext!.Response.Cookies.Delete(cookie,
                 new CookieOptions { Domain = ".education.gov.uk" });
         });
     }
 
     private List<string> GetMatchingCookies(string[] optionalCookiePrefixes)
     {
-        var currentCookies = _httpContextAccessor.HttpContext!.Request.Cookies.Keys;
+        var currentCookies = httpContextAccessor.HttpContext!.Request.Cookies.Keys;
 
         var cookiesToDelete = currentCookies
             .Where(currentCookie => optionalCookiePrefixes.Any(prefix => currentCookie.StartsWith(prefix)))
@@ -121,6 +116,6 @@ private void ValidateReturnPath()
 
     private bool CookiesPreferencesHaveBeenSet()
     {
-        return _httpContextAccessor.HttpContext!.Request.Cookies.ContainsKey(CookiesHelper.ConsentCookieName);
+        return httpContextAccessor.HttpContext!.Request.Cookies.ContainsKey(FiatCookies.CookieConsent);
     }
 }
diff --git a/DfE.FindInformationAcademiesTrusts/Program.cs b/DfE.FindInformationAcademiesTrusts/Program.cs
index 8308efce3..805c3eaaf 100644
--- a/DfE.FindInformationAcademiesTrusts/Program.cs
+++ b/DfE.FindInformationAcademiesTrusts/Program.cs
@@ -1,3 +1,6 @@
+using System.Data;
+using System.Diagnostics.CodeAnalysis;
+using System.Reflection;
 using Azure.Identity;
 using DfE.FindInformationAcademiesTrusts.Authorization;
 using DfE.FindInformationAcademiesTrusts.Configuration;
@@ -28,9 +31,6 @@
 using Microsoft.FeatureManagement;
 using Microsoft.Identity.Web;
 using Serilog;
-using System.Data;
-using System.Diagnostics.CodeAnalysis;
-using System.Reflection;
 
 namespace DfE.FindInformationAcademiesTrusts;
 
@@ -266,7 +266,7 @@ private static void AddAuthenticationServices(WebApplicationBuilder builder)
             CookieAuthenticationDefaults.AuthenticationScheme,
             options =>
             {
-                options.Cookie.Name = ".FindInformationAcademiesTrusts.Login";
+                options.Cookie.Name = FiatCookies.Login;
                 options.Cookie.HttpOnly = true;
                 options.Cookie.IsEssential = true;
                 options.Cookie.SameSite = SameSiteMode.None;
@@ -275,7 +275,7 @@ private static void AddAuthenticationServices(WebApplicationBuilder builder)
                 options.AccessDeniedPath = "/no-access";
             });
 
-        builder.Services.AddAntiforgery(opts => { opts.Cookie.Name = ".FindInformationAcademiesTrusts.Antiforgery"; });
+        builder.Services.AddAntiforgery(opts => { opts.Cookie.Name = FiatCookies.Antiforgery; });
     }
 
     private static void AddDataProtectionServices(WebApplicationBuilder builder)
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs
index 20079a044..cec9d37fa 100644
--- a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs
@@ -1,4 +1,5 @@
 using System.Security.Claims;
+using DfE.FindInformationAcademiesTrusts.Configuration;
 using Microsoft.AspNetCore.Diagnostics;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Features;
@@ -26,8 +27,8 @@ public MockHttpContext()
         _mockRequest.Setup(m => m.Query[It.IsAny<string>()]).Returns("");
 
         _mockRequestCookies.Setup(m => m[It.IsAny<string>()]).Returns("False");
-        _mockRequestCookies.Setup(m => m.ContainsKey(".FindInformationAcademiesTrusts.Login")).Returns(true);
-        _mockRequestCookies.Setup(m => m[".FindInformationAcademiesTrusts.Login"]).Returns("You are logged in");
+        _mockRequestCookies.Setup(m => m.ContainsKey(FiatCookies.Login)).Returns(true);
+        _mockRequestCookies.Setup(m => m[FiatCookies.Login]).Returns("You are logged in");
         _mockRequestCookies.Setup(m => m.Keys).Returns(new List<string>());
 
         Setup(m => m.Request).Returns(_mockRequest.Object);
@@ -61,16 +62,16 @@ public void SetupConsentCookie(bool? accepted)
 
     public void SetupAcceptedCookie()
     {
-        _mockRequestCookies.Setup(m => m.Keys).Returns(new List<string> { CookiesHelper.ConsentCookieName });
-        _mockRequestCookies.Setup(m => m.ContainsKey(CookiesHelper.ConsentCookieName)).Returns(true);
-        _mockRequestCookies.Setup(m => m[CookiesHelper.ConsentCookieName]).Returns("True");
+        _mockRequestCookies.Setup(m => m.Keys).Returns(new List<string> { FiatCookies.CookieConsent });
+        _mockRequestCookies.Setup(m => m.ContainsKey(FiatCookies.CookieConsent)).Returns(true);
+        _mockRequestCookies.Setup(m => m[FiatCookies.CookieConsent]).Returns("True");
     }
 
     public void SetupRejectedCookie()
     {
         _mockRequestCookies.Setup(m => m.Keys).Returns(new List<string>());
-        _mockRequestCookies.Setup(m => m.ContainsKey(CookiesHelper.ConsentCookieName)).Returns(true);
-        _mockRequestCookies.Setup(m => m[CookiesHelper.ConsentCookieName]).Returns("False");
+        _mockRequestCookies.Setup(m => m.ContainsKey(FiatCookies.CookieConsent)).Returns(true);
+        _mockRequestCookies.Setup(m => m[FiatCookies.CookieConsent]).Returns("False");
     }
 
     public void SetupOptionalCookies()
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/CookiesModelTests.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/CookiesModelTests.cs
index 142efa195..5697d982c 100644
--- a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/CookiesModelTests.cs
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/CookiesModelTests.cs
@@ -1,3 +1,4 @@
+using DfE.FindInformationAcademiesTrusts.Configuration;
 using DfE.FindInformationAcademiesTrusts.Pages;
 using DfE.FindInformationAcademiesTrusts.UnitTests.Mocks;
 using Microsoft.AspNetCore.Http;
@@ -183,7 +184,7 @@ public void OnGet_adds_consent_cookie_when_consent_is_given(bool consent, string
     {
         _sut.Consent = consent;
         _sut.OnGet();
-        _mockHttpContext.VerifySecureCookieAdded(CookiesHelper.ConsentCookieName, value);
+        _mockHttpContext.VerifySecureCookieAdded(FiatCookies.CookieConsent, value);
     }
 
     [Theory]
@@ -193,7 +194,7 @@ public void OnPost_adds_consent_cookie_when_consent_is_given(bool consent, strin
     {
         _sut.Consent = consent;
         _sut.OnPost();
-        _mockHttpContext.VerifySecureCookieAdded(CookiesHelper.ConsentCookieName, value);
+        _mockHttpContext.VerifySecureCookieAdded(FiatCookies.CookieConsent, value);
     }
 
     // (Cookie appended Delete called if needed/TempData is not null)

From 1f430a875d2cc17354035e88d056732b038a6da6 Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Mon, 21 Oct 2024 15:28:56 +0100
Subject: [PATCH 10/17] Change `SameSite` setting for the login cookie to
 current Microsoft recommendation of `Lax`

It can't be `Strict` because auth is done externally to the application
---
 DfE.FindInformationAcademiesTrusts/Program.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/DfE.FindInformationAcademiesTrusts/Program.cs b/DfE.FindInformationAcademiesTrusts/Program.cs
index 805c3eaaf..b6eb88789 100644
--- a/DfE.FindInformationAcademiesTrusts/Program.cs
+++ b/DfE.FindInformationAcademiesTrusts/Program.cs
@@ -269,7 +269,7 @@ private static void AddAuthenticationServices(WebApplicationBuilder builder)
                 options.Cookie.Name = FiatCookies.Login;
                 options.Cookie.HttpOnly = true;
                 options.Cookie.IsEssential = true;
-                options.Cookie.SameSite = SameSiteMode.None;
+                options.Cookie.SameSite = SameSiteMode.Lax;
                 options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
 
                 options.AccessDeniedPath = "/no-access";

From 8e46bd0bcb6b631f19ac27d398baddafc91594eb Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Fri, 25 Oct 2024 18:00:11 +0100
Subject: [PATCH 11/17] Add more flexible mock user authentication setup

---
 .../Mocks/MockHttpContext.cs                  | 67 +++++++++++++------
 .../Pages/Shared/BasePageModelTests.cs        |  4 +-
 .../Pages/Shared/ContentPageModelTests.cs     |  4 +-
 3 files changed, 51 insertions(+), 24 deletions(-)

diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs
index cec9d37fa..338ad8ad4 100644
--- a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs
@@ -13,6 +13,7 @@ public class MockHttpContext : Mock<HttpContext>
     private readonly Mock<HttpRequest> _mockRequest = new();
     private readonly Mock<IFeatureCollection> _mockFeatureCollection = new();
     private readonly ClaimsIdentity _claimsIdentity = new();
+    private readonly Dictionary<string, string> _requestCookies = new();
 
     public MockHttpContext()
     {
@@ -21,26 +22,58 @@ public MockHttpContext()
 
         ClaimsPrincipal user = new();
         user.AddIdentity(_claimsIdentity);
-        AddUserClaim(_claimsIdentity.RoleClaimType, "User.Role.Authorised");
 
         _mockRequest.Setup(m => m.Cookies).Returns(_mockRequestCookies.Object);
         _mockRequest.Setup(m => m.Query[It.IsAny<string>()]).Returns("");
 
-        _mockRequestCookies.Setup(m => m[It.IsAny<string>()]).Returns("False");
-        _mockRequestCookies.Setup(m => m.ContainsKey(FiatCookies.Login)).Returns(true);
-        _mockRequestCookies.Setup(m => m[FiatCookies.Login]).Returns("You are logged in");
-        _mockRequestCookies.Setup(m => m.Keys).Returns(new List<string>());
+        _mockRequestCookies.Setup(m => m.Keys).Returns(_requestCookies.Keys);
+        _mockRequestCookies.Setup(m => m.ContainsKey(It.IsAny<string>()))
+            .Returns((string key) => _requestCookies.ContainsKey(key));
+        _mockRequestCookies.Setup(m => m[It.IsAny<string>()])
+            .Returns((string key) => _requestCookies.TryGetValue(key, out var value) ? value : null);
 
         Setup(m => m.Request).Returns(_mockRequest.Object);
         Setup(m => m.Response).Returns(mockResponse.Object);
         Setup(m => m.Features).Returns(_mockFeatureCollection.Object);
         Setup(m => m.User).Returns(user);
+
+        SetUserTo(UserAuthState.Authorised);
+    }
+
+    public void AddRequestCookie(string key, string value)
+    {
+        _requestCookies.Add(key, value);
     }
 
-    public void SetupUnauthorizedUser()
+    public enum UserAuthState
     {
-        var roleClaim = _claimsIdentity.Claims.Single(c => c.Type == _claimsIdentity.RoleClaimType);
-        _claimsIdentity.RemoveClaim(roleClaim);
+        Authorised,
+        Unauthorised,
+        Unauthenticated
+    }
+
+    public void SetUserTo(UserAuthState value)
+    {
+        //Reset user state
+        var roleClaim = _claimsIdentity.Claims.SingleOrDefault(c => c.Type == _claimsIdentity.RoleClaimType);
+        if (roleClaim is not null) _claimsIdentity.RemoveClaim(roleClaim);
+        _requestCookies.Remove(FiatCookies.Login);
+
+        // Set user to correct state
+        switch (value)
+        {
+            case UserAuthState.Authorised:
+                AddUserClaim(_claimsIdentity.RoleClaimType, "User.Role.Authorised");
+                AddRequestCookie(FiatCookies.Login, "You are logged in");
+                break;
+            case UserAuthState.Unauthorised:
+                AddRequestCookie(FiatCookies.Login, "You are logged in");
+                break;
+            case UserAuthState.Unauthenticated:
+                break;
+            default:
+                throw new ArgumentOutOfRangeException(nameof(value), value, null);
+        }
     }
 
     public void AddUserClaim(string type, string value)
@@ -62,26 +95,20 @@ public void SetupConsentCookie(bool? accepted)
 
     public void SetupAcceptedCookie()
     {
-        _mockRequestCookies.Setup(m => m.Keys).Returns(new List<string> { FiatCookies.CookieConsent });
-        _mockRequestCookies.Setup(m => m.ContainsKey(FiatCookies.CookieConsent)).Returns(true);
-        _mockRequestCookies.Setup(m => m[FiatCookies.CookieConsent]).Returns("True");
+        AddRequestCookie(FiatCookies.CookieConsent, "True");
     }
 
     public void SetupRejectedCookie()
     {
-        _mockRequestCookies.Setup(m => m.Keys).Returns(new List<string>());
-        _mockRequestCookies.Setup(m => m.ContainsKey(FiatCookies.CookieConsent)).Returns(true);
-        _mockRequestCookies.Setup(m => m[FiatCookies.CookieConsent]).Returns("False");
+        AddRequestCookie(FiatCookies.CookieConsent, "False");
     }
 
     public void SetupOptionalCookies()
     {
-        _mockRequestCookies.Setup(m => m.Keys).Returns(new List<string> { "ai_user", "ai_session", "_gid", "_ga" });
-
-        _mockRequestCookies.Setup(m => m.ContainsKey("ai_user")).Returns(true);
-        _mockRequestCookies.Setup(m => m["ai_user"]).Returns("True");
-        _mockRequestCookies.Setup(m => m.ContainsKey("ai_session")).Returns(true);
-        _mockRequestCookies.Setup(m => m["ai_session"]).Returns("True");
+        AddRequestCookie("ai_user", "True");
+        AddRequestCookie("ai_session", "True");
+        AddRequestCookie("_gid", "True");
+        AddRequestCookie("_ga", "True");
     }
 
     public void SetQueryReturnPath(string path)
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/BasePageModelTests.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/BasePageModelTests.cs
index a8ca03bb3..de5e72882 100644
--- a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/BasePageModelTests.cs
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/BasePageModelTests.cs
@@ -47,7 +47,7 @@ public void ShowHeaderSearch_should_retain_setting_for_authorized_user(bool valu
     [Fact]
     public void ShowHeaderSearch_should_default_to_false_for_unauthorized_user()
     {
-        _mockHttpContext.SetupUnauthorizedUser();
+        _mockHttpContext.SetUserTo(MockHttpContext.UserAuthState.Unauthorised);
         var sut = new BasePageModelImplementation
         {
             PageContext = _pageContext,
@@ -62,7 +62,7 @@ public void ShowHeaderSearch_should_default_to_false_for_unauthorized_user()
     [InlineData(false)]
     public void ShowHeaderSearch_should_be_always_be_false_for_unauthorized_user(bool value)
     {
-        _mockHttpContext.SetupUnauthorizedUser();
+        _mockHttpContext.SetUserTo(MockHttpContext.UserAuthState.Unauthorised);
         var sut = new BasePageModelImplementation
         {
             PageContext = _pageContext,
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/ContentPageModelTests.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/ContentPageModelTests.cs
index 8d99e0a7f..21c9275c0 100644
--- a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/ContentPageModelTests.cs
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/Shared/ContentPageModelTests.cs
@@ -40,7 +40,7 @@ public void ShowBreadcrumb_should_retain_setting_when_set_to_true_for_authorized
     [Fact]
     public void ShowBreadcrumb_should_default_to_false_for_unauthorized_user()
     {
-        _mockHttpContext.SetupUnauthorizedUser();
+        _mockHttpContext.SetUserTo(MockHttpContext.UserAuthState.Unauthorised);
         _sut.ShowBreadcrumb.Should().BeFalse();
     }
 
@@ -49,7 +49,7 @@ public void ShowBreadcrumb_should_default_to_false_for_unauthorized_user()
     [InlineData(false)]
     public void ShowBreadcrumb_should_be_always_be_false_for_unauthorized_user(bool value)
     {
-        _mockHttpContext.SetupUnauthorizedUser();
+        _mockHttpContext.SetUserTo(MockHttpContext.UserAuthState.Unauthorised);
         _sut.ShowBreadcrumb = value;
         _sut.ShowBreadcrumb.Should().BeFalse();
     }

From c4dc96aa0614eb0886eded1ac03d03a1386a395e Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Mon, 28 Oct 2024 17:20:23 +0000
Subject: [PATCH 12/17] Split out cookie mocks

---
 .../CookiesHelperTests.cs                     | 10 +--
 .../Mocks/MockHttpContext.cs                  | 75 ++-----------------
 .../Mocks/MockRequestCookies.cs               | 46 ++++++++++++
 .../Mocks/MockResponseCookies.cs              | 33 ++++++++
 .../Pages/CookiesModelTests.cs                | 38 +++++-----
 5 files changed, 110 insertions(+), 92 deletions(-)
 create mode 100644 tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockRequestCookies.cs
 create mode 100644 tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockResponseCookies.cs

diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/CookiesHelperTests.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/CookiesHelperTests.cs
index c6e269fee..803065492 100644
--- a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/CookiesHelperTests.cs
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/CookiesHelperTests.cs
@@ -16,7 +16,7 @@ private void SetTempDataCookieDeleted()
     [Fact]
     public void OptionalCookiesAreAccepted_is_true_when_Accepted_cookie_exists()
     {
-        _mockContext.SetupAcceptedCookie();
+        _mockContext.MockRequestCookies.SetupAcceptedCookie();
         var result = CookiesHelper.OptionalCookiesAreAccepted(_mockContext.Object, _mockTempData.Object);
         result.Should().BeTrue();
     }
@@ -24,7 +24,7 @@ public void OptionalCookiesAreAccepted_is_true_when_Accepted_cookie_exists()
     [Fact]
     public void OptionalCookiesAreAccepted_is_false_when_Rejected_cookie_exists()
     {
-        _mockContext.SetupRejectedCookie();
+        _mockContext.MockRequestCookies.SetupRejectedCookie();
         var result = CookiesHelper.OptionalCookiesAreAccepted(_mockContext.Object, _mockTempData.Object);
         result.Should().BeFalse();
     }
@@ -35,7 +35,7 @@ public void OptionalCookiesAreAccepted_is_false_when_Rejected_cookie_exists()
     [InlineData(null)]
     public void OptionalCookiesAreAccepted_is_false_when_DeleteCookieTempData_exists(bool? cookieAccepted)
     {
-        _mockContext.SetupConsentCookie(cookieAccepted);
+        _mockContext.MockRequestCookies.SetupConsentCookie(cookieAccepted);
 
         SetTempDataCookieDeleted();
         var result = CookiesHelper.OptionalCookiesAreAccepted(_mockContext.Object, _mockTempData.Object);
@@ -81,7 +81,7 @@ public void ShowCookieBanner_is_true_when_consent_cookie_does_not_exist_and_temp
     [InlineData(false)]
     public void ShowCookieBanner_is_false_when_consent_cookie_exists_and_temp_data_does_not_exist(bool cookieAccepted)
     {
-        _mockContext.SetupConsentCookie(cookieAccepted);
+        _mockContext.MockRequestCookies.SetupConsentCookie(cookieAccepted);
 
         var result = CookiesHelper.ShowCookieBanner(_mockContext.Object, _mockTempData.Object);
         result.Should().BeFalse();
@@ -100,7 +100,7 @@ public void ShowCookieBanner_is_false_when_consent_cookie_does_not_exist_and_tem
     [InlineData(false)]
     public void ShowCookieBanner_is_false_when_consent_cookie_exists_and_temp_data_exists(bool cookieAccepted)
     {
-        _mockContext.SetupConsentCookie(cookieAccepted);
+        _mockContext.MockRequestCookies.SetupConsentCookie(cookieAccepted);
 
         SetTempDataCookieDeleted();
         var result = CookiesHelper.ShowCookieBanner(_mockContext.Object, _mockTempData.Object);
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs
index 338ad8ad4..163b00563 100644
--- a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockHttpContext.cs
@@ -8,30 +8,23 @@ namespace DfE.FindInformationAcademiesTrusts.UnitTests.Mocks;
 
 public class MockHttpContext : Mock<HttpContext>
 {
-    private readonly Mock<IResponseCookies> _mockResponseCookies = new();
-    private readonly Mock<IRequestCookieCollection> _mockRequestCookies = new();
+    public MockResponseCookies MockResponseCookies { get; } = new();
+    public MockRequestCookies MockRequestCookies { get; } = new();
     private readonly Mock<HttpRequest> _mockRequest = new();
     private readonly Mock<IFeatureCollection> _mockFeatureCollection = new();
     private readonly ClaimsIdentity _claimsIdentity = new();
-    private readonly Dictionary<string, string> _requestCookies = new();
 
     public MockHttpContext()
     {
         Mock<HttpResponse> mockResponse = new();
-        mockResponse.Setup(m => m.Cookies).Returns(_mockResponseCookies.Object);
+        mockResponse.Setup(m => m.Cookies).Returns(MockResponseCookies.Object);
 
         ClaimsPrincipal user = new();
         user.AddIdentity(_claimsIdentity);
 
-        _mockRequest.Setup(m => m.Cookies).Returns(_mockRequestCookies.Object);
+        _mockRequest.Setup(m => m.Cookies).Returns(MockRequestCookies.Object);
         _mockRequest.Setup(m => m.Query[It.IsAny<string>()]).Returns("");
 
-        _mockRequestCookies.Setup(m => m.Keys).Returns(_requestCookies.Keys);
-        _mockRequestCookies.Setup(m => m.ContainsKey(It.IsAny<string>()))
-            .Returns((string key) => _requestCookies.ContainsKey(key));
-        _mockRequestCookies.Setup(m => m[It.IsAny<string>()])
-            .Returns((string key) => _requestCookies.TryGetValue(key, out var value) ? value : null);
-
         Setup(m => m.Request).Returns(_mockRequest.Object);
         Setup(m => m.Response).Returns(mockResponse.Object);
         Setup(m => m.Features).Returns(_mockFeatureCollection.Object);
@@ -40,11 +33,6 @@ public MockHttpContext()
         SetUserTo(UserAuthState.Authorised);
     }
 
-    public void AddRequestCookie(string key, string value)
-    {
-        _requestCookies.Add(key, value);
-    }
-
     public enum UserAuthState
     {
         Authorised,
@@ -57,17 +45,17 @@ public void SetUserTo(UserAuthState value)
         //Reset user state
         var roleClaim = _claimsIdentity.Claims.SingleOrDefault(c => c.Type == _claimsIdentity.RoleClaimType);
         if (roleClaim is not null) _claimsIdentity.RemoveClaim(roleClaim);
-        _requestCookies.Remove(FiatCookies.Login);
+        MockRequestCookies.Data.Remove(FiatCookies.Login);
 
         // Set user to correct state
         switch (value)
         {
             case UserAuthState.Authorised:
                 AddUserClaim(_claimsIdentity.RoleClaimType, "User.Role.Authorised");
-                AddRequestCookie(FiatCookies.Login, "You are logged in");
+                MockRequestCookies.Data.Add(FiatCookies.Login, "You are logged in");
                 break;
             case UserAuthState.Unauthorised:
-                AddRequestCookie(FiatCookies.Login, "You are logged in");
+                MockRequestCookies.Data.Add(FiatCookies.Login, "You are logged in");
                 break;
             case UserAuthState.Unauthenticated:
                 break;
@@ -81,36 +69,6 @@ public void AddUserClaim(string type, string value)
         _claimsIdentity.AddClaim(new Claim(type, value));
     }
 
-    public void SetupConsentCookie(bool? accepted)
-    {
-        if (accepted is true)
-        {
-            SetupAcceptedCookie();
-        }
-        else if (accepted is false)
-        {
-            SetupRejectedCookie();
-        }
-    }
-
-    public void SetupAcceptedCookie()
-    {
-        AddRequestCookie(FiatCookies.CookieConsent, "True");
-    }
-
-    public void SetupRejectedCookie()
-    {
-        AddRequestCookie(FiatCookies.CookieConsent, "False");
-    }
-
-    public void SetupOptionalCookies()
-    {
-        AddRequestCookie("ai_user", "True");
-        AddRequestCookie("ai_session", "True");
-        AddRequestCookie("_gid", "True");
-        AddRequestCookie("_ga", "True");
-    }
-
     public void SetQueryReturnPath(string path)
     {
         _mockRequest.Setup(m => m.Query[CookiesHelper.ReturnPathQuery]).Returns(path);
@@ -145,23 +103,4 @@ public void SetNotFoundUrl(string host, string path, string query)
 
         _mockRequest.Setup(m => m.Host).Returns(new HostString(host));
     }
-
-    public void VerifySecureCookieAdded(string key, string value)
-    {
-        _mockResponseCookies.Verify(
-            m => m.Append(key, value,
-                It.Is<CookieOptions>(c => c.Secure == true && c.HttpOnly == true)), Times.Once);
-    }
-
-    public void VerifyCookieDeleted(string key)
-    {
-        _mockResponseCookies.Verify(
-            m => m.Delete(key), Times.Once);
-    }
-
-    public void VerifyNoCookiesDeleted()
-    {
-        _mockResponseCookies.Verify(
-            m => m.Delete(It.IsAny<string>()), Times.Exactly(0));
-    }
 }
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockRequestCookies.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockRequestCookies.cs
new file mode 100644
index 000000000..9a00e925e
--- /dev/null
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockRequestCookies.cs
@@ -0,0 +1,46 @@
+using DfE.FindInformationAcademiesTrusts.Configuration;
+using Microsoft.AspNetCore.Http;
+
+namespace DfE.FindInformationAcademiesTrusts.UnitTests.Mocks;
+
+public class MockRequestCookies : Mock<IRequestCookieCollection>
+{
+    public Dictionary<string, string> Data { get; } = new();
+
+    public MockRequestCookies()
+    {
+        Setup(m => m.Keys).Returns(Data.Keys);
+        Setup(m => m.ContainsKey(It.IsAny<string>())).Returns((string key) => Data.ContainsKey(key));
+        Setup(m => m[It.IsAny<string>()]).Returns((string key) => Data.TryGetValue(key, out var value) ? value : null);
+    }
+
+    public void SetupConsentCookie(bool? accepted)
+    {
+        if (accepted is true)
+        {
+            SetupAcceptedCookie();
+        }
+        else if (accepted is false)
+        {
+            SetupRejectedCookie();
+        }
+    }
+
+    public void SetupAcceptedCookie()
+    {
+        Data.Add(FiatCookies.CookieConsent, "True");
+    }
+
+    public void SetupRejectedCookie()
+    {
+        Data.Add(FiatCookies.CookieConsent, "False");
+    }
+
+    public void SetupOptionalCookies()
+    {
+        Data.Add("ai_user", "True");
+        Data.Add("ai_session", "True");
+        Data.Add("_gid", "True");
+        Data.Add("_ga", "True");
+    }
+}
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockResponseCookies.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockResponseCookies.cs
new file mode 100644
index 000000000..467e3b87b
--- /dev/null
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Mocks/MockResponseCookies.cs
@@ -0,0 +1,33 @@
+using Microsoft.AspNetCore.Http;
+
+namespace DfE.FindInformationAcademiesTrusts.UnitTests.Mocks;
+
+public class MockResponseCookies : Mock<IResponseCookies>
+{
+    public void VerifySecureCookieAdded(string key, string value)
+    {
+        Verify(m => m.Append(key, value,
+            It.Is<CookieOptions>(c => c.Secure == true && c.HttpOnly == true)), Times.Once);
+    }
+
+    public void VerifyCookieDeleted(string key)
+    {
+        Verify(m => m.Delete(key), Times.Once);
+    }
+
+    public void VerifyCookieDeleted(string key, CookieOptions options)
+    {
+        Verify(m => m.Delete(key, It.Is<CookieOptions>(cookieOptions =>
+                cookieOptions.HttpOnly == options.HttpOnly
+                && cookieOptions.IsEssential == options.IsEssential
+                && cookieOptions.SameSite == options.SameSite
+                && cookieOptions.Secure == options.Secure
+            )),
+            Times.Once);
+    }
+
+    public void VerifyNoCookiesDeleted()
+    {
+        Verify(m => m.Delete(It.IsAny<string>()), Times.Exactly(0));
+    }
+}
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/CookiesModelTests.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/CookiesModelTests.cs
index 5697d982c..8bd0b2544 100644
--- a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/CookiesModelTests.cs
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/CookiesModelTests.cs
@@ -93,7 +93,7 @@ public void OnPost_should_replace_return_path_when_it_is_invalid(string? path)
     [InlineData(false, false)]
     public void OnGet_should_not_change_consent_when_it_is_provided(bool consent, bool? accepted)
     {
-        _mockHttpContext.SetupConsentCookie(accepted);
+        _mockHttpContext.MockRequestCookies.SetupConsentCookie(accepted);
         _sut.Consent = consent;
         _sut.OnGet();
         _sut.Consent.Should().Be(consent);
@@ -108,7 +108,7 @@ public void OnGet_should_not_change_consent_when_it_is_provided(bool consent, bo
     [InlineData(false, false)]
     public void OnPost_should_not_change_consent_when_it_is_provided(bool consent, bool? accepted)
     {
-        _mockHttpContext.SetupConsentCookie(accepted);
+        _mockHttpContext.MockRequestCookies.SetupConsentCookie(accepted);
         _sut.Consent = consent;
         _sut.OnPost();
         _sut.Consent.Should().Be(consent);
@@ -119,7 +119,7 @@ public void OnPost_should_not_change_consent_when_it_is_provided(bool consent, b
     [InlineData(false)]
     public void OnGet_should_set_consent_when_it_not_provided_and_the_cookie_has_been_set(bool accepted)
     {
-        _mockHttpContext.SetupConsentCookie(accepted);
+        _mockHttpContext.MockRequestCookies.SetupConsentCookie(accepted);
         _sut.OnGet();
         _sut.Consent.Should().Be(accepted);
     }
@@ -184,7 +184,7 @@ public void OnGet_adds_consent_cookie_when_consent_is_given(bool consent, string
     {
         _sut.Consent = consent;
         _sut.OnGet();
-        _mockHttpContext.VerifySecureCookieAdded(FiatCookies.CookieConsent, value);
+        _mockHttpContext.MockResponseCookies.VerifySecureCookieAdded(FiatCookies.CookieConsent, value);
     }
 
     [Theory]
@@ -194,7 +194,7 @@ public void OnPost_adds_consent_cookie_when_consent_is_given(bool consent, strin
     {
         _sut.Consent = consent;
         _sut.OnPost();
-        _mockHttpContext.VerifySecureCookieAdded(FiatCookies.CookieConsent, value);
+        _mockHttpContext.MockResponseCookies.VerifySecureCookieAdded(FiatCookies.CookieConsent, value);
     }
 
     // (Cookie appended Delete called if needed/TempData is not null)
@@ -205,10 +205,10 @@ public void OnPost_adds_consent_cookie_when_consent_is_given(bool consent, strin
     [InlineData("_gid")]
     public void OnGet_removes_optional_cookie_when_consent_is_false(string cookieName)
     {
-        _mockHttpContext.SetupOptionalCookies();
+        _mockHttpContext.MockRequestCookies.SetupOptionalCookies();
         _sut.Consent = false;
         _sut.OnGet();
-        _mockHttpContext.VerifyCookieDeleted(cookieName);
+        _mockHttpContext.MockResponseCookies.VerifyCookieDeleted(cookieName);
     }
 
     [Theory]
@@ -218,48 +218,48 @@ public void OnGet_removes_optional_cookie_when_consent_is_false(string cookieNam
     [InlineData("_gid")]
     public void OnPost_removes_optional_cookie_when_consent_is_false(string cookieName)
     {
-        _mockHttpContext.SetupOptionalCookies();
+        _mockHttpContext.MockRequestCookies.SetupOptionalCookies();
         _sut.Consent = false;
         _sut.OnPost();
-        _mockHttpContext.VerifyCookieDeleted(cookieName);
+        _mockHttpContext.MockResponseCookies.VerifyCookieDeleted(cookieName);
     }
 
     [Fact]
     public void OnGet_does_not_remove_cookies_when_consent_is_true()
     {
-        _mockHttpContext.SetupOptionalCookies();
-        _mockHttpContext.SetupAcceptedCookie();
+        _mockHttpContext.MockRequestCookies.SetupOptionalCookies();
+        _mockHttpContext.MockRequestCookies.SetupAcceptedCookie();
         _sut.Consent = true;
         _sut.OnGet();
-        _mockHttpContext.VerifyNoCookiesDeleted();
+        _mockHttpContext.MockResponseCookies.VerifyNoCookiesDeleted();
     }
 
     [Fact]
     public void OnPost_does_not_remove_cookies_when_consent_is_true()
     {
-        _mockHttpContext.SetupOptionalCookies();
-        _mockHttpContext.SetupAcceptedCookie();
+        _mockHttpContext.MockRequestCookies.SetupOptionalCookies();
+        _mockHttpContext.MockRequestCookies.SetupAcceptedCookie();
         _sut.Consent = true;
         _sut.OnPost();
-        _mockHttpContext.VerifyNoCookiesDeleted();
+        _mockHttpContext.MockResponseCookies.VerifyNoCookiesDeleted();
     }
 
     [Fact]
     public void OnGet_does_not_remove_cookies_when_there_are_no_optional_cookies_to_remove()
     {
-        _mockHttpContext.SetupRejectedCookie();
+        _mockHttpContext.MockRequestCookies.SetupRejectedCookie();
         _sut.Consent = false;
         _sut.OnGet();
-        _mockHttpContext.VerifyNoCookiesDeleted();
+        _mockHttpContext.MockResponseCookies.VerifyNoCookiesDeleted();
     }
 
     [Fact]
     public void OnPost_does_not_remove_cookies_when_there_are_no_optional_cookies_to_remove()
     {
-        _mockHttpContext.SetupRejectedCookie();
+        _mockHttpContext.MockRequestCookies.SetupRejectedCookie();
         _sut.Consent = false;
         _sut.OnPost();
-        _mockHttpContext.VerifyNoCookiesDeleted();
+        _mockHttpContext.MockResponseCookies.VerifyNoCookiesDeleted();
     }
 
     //TempData

From f9277c11917645513273f850cccb5505035e682f Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Mon, 28 Oct 2024 17:21:33 +0000
Subject: [PATCH 13/17] Add redirect to no access page

This is to enable a log in retry for users who may have stale role claims in their auth cookie. ADR to follow
---
 .../Pages/NoAccess.cshtml.cs                  |  53 +++++++-
 .../Pages/NoAccessModelTests.cs               | 117 ++++++++++++++++++
 2 files changed, 169 insertions(+), 1 deletion(-)
 create mode 100644 tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/NoAccessModelTests.cs

diff --git a/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs b/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs
index 5ae0609c8..beaaa7d8c 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs
+++ b/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs
@@ -1,7 +1,58 @@
+using DfE.FindInformationAcademiesTrusts.Configuration;
+using DfE.FindInformationAcademiesTrusts.Extensions;
 using DfE.FindInformationAcademiesTrusts.Pages.Shared;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 
 namespace DfE.FindInformationAcademiesTrusts.Pages;
 
 [AllowAnonymous]
-public class NoAccessModel : ContentPageModel;
+public class NoAccessModel : ContentPageModel
+{
+    private const string RetryingLogin = "RetryingLogin";
+
+    public ActionResult OnGet(string? returnUrl)
+    {
+        if (User.HasAccessToFiat())
+        {
+            return Url.IsLocalUrl(returnUrl) ? LocalRedirect(returnUrl) : Page();
+        }
+
+        // Users may be redirected to Access Denied because the login cookie stored in their browser contains
+        // stale information about their roles
+        // We can force an update of their role claims by removing this login cookie and redirecting them 
+        // back to their intended destination
+        if (NotRetriedLoginYet())
+        {
+            RemoveLoginCookie();
+
+            // We use temp data to ensure we don't end up in a redirect loop for genuine unauthorised users
+            TempData.Add(RetryingLogin, "true");
+
+            return Url.IsLocalUrl(returnUrl) ? LocalRedirect(returnUrl) : Page();
+        }
+
+        TempData.Remove(RetryingLogin);
+        return Page();
+    }
+
+    private bool NotRetriedLoginYet()
+    {
+        return !TempData.ContainsKey(RetryingLogin);
+    }
+
+    private void RemoveLoginCookie()
+    {
+        if (Request.Cookies.ContainsKey(FiatCookies.Login))
+        {
+            Response.Cookies.Delete(FiatCookies.Login,
+                new CookieOptions
+                {
+                    HttpOnly = true,
+                    IsEssential = true,
+                    SameSite = SameSiteMode.Strict,
+                    Secure = true
+                });
+        }
+    }
+}
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/NoAccessModelTests.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/NoAccessModelTests.cs
new file mode 100644
index 000000000..483e6f2e7
--- /dev/null
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/NoAccessModelTests.cs
@@ -0,0 +1,117 @@
+using DfE.FindInformationAcademiesTrusts.Configuration;
+using DfE.FindInformationAcademiesTrusts.Pages;
+using DfE.FindInformationAcademiesTrusts.UnitTests.Mocks;
+using FluentAssertions.Execution;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.AspNetCore.Mvc.ViewFeatures;
+
+namespace DfE.FindInformationAcademiesTrusts.UnitTests.Pages;
+
+public class NoAccessModelTests
+{
+    private readonly MockHttpContext _mockHttpContext = new();
+    private readonly NoAccessModel _sut;
+    private readonly TempDataDictionary _tempDataDictionary;
+
+    private const string LocalUrl = "/search";
+    private const string ExternalUrl = "https://google.com";
+
+    public NoAccessModelTests()
+    {
+        var mockUrlHelper = new Mock<IUrlHelper>();
+        mockUrlHelper.Setup(u => u.IsLocalUrl(LocalUrl)).Returns(true);
+        mockUrlHelper.Setup(u => u.IsLocalUrl(ExternalUrl)).Returns(false);
+
+        _tempDataDictionary = new TempDataDictionary(_mockHttpContext.Object, Mock.Of<ITempDataProvider>());
+        _sut = new NoAccessModel
+        {
+            PageContext = new PageContext
+            {
+                HttpContext = _mockHttpContext.Object
+            },
+            TempData = _tempDataDictionary,
+            Url = mockUrlHelper.Object
+        };
+    }
+
+    [Fact]
+    public void OnGet_should_redirect_to_local_return_url_when_user_is_authorised()
+    {
+        var result = _sut.OnGet(LocalUrl);
+
+        result.Should().BeOfType<LocalRedirectResult>();
+        result.As<LocalRedirectResult>().Url.Should().Be(LocalUrl);
+    }
+
+    [Theory]
+    [InlineData(MockHttpContext.UserAuthState.Authorised)]
+    [InlineData(MockHttpContext.UserAuthState.Unauthenticated)]
+    [InlineData(MockHttpContext.UserAuthState.Unauthorised)]
+    public void OnGet_should_render_page_when_no_return_url_specified(MockHttpContext.UserAuthState authState)
+    {
+        _mockHttpContext.SetUserTo(authState);
+
+        var result = _sut.OnGet(null);
+
+        result.Should().BeOfType<PageResult>();
+    }
+
+    [Theory]
+    [InlineData(MockHttpContext.UserAuthState.Authorised)]
+    [InlineData(MockHttpContext.UserAuthState.Unauthenticated)]
+    [InlineData(MockHttpContext.UserAuthState.Unauthorised)]
+    public void OnGet_should_never_redirect_to_external_return_url(MockHttpContext.UserAuthState authState)
+    {
+        _mockHttpContext.SetUserTo(authState);
+
+        var result = _sut.OnGet(ExternalUrl);
+
+        result.Should().BeOfType<PageResult>();
+        result.Should().NotBeOfType<LocalRedirectResult>();
+    }
+
+    [Fact]
+    public void OnGet_should_prompt_login_when_user_is_unauthenticated()
+    {
+        _mockHttpContext.SetUserTo(MockHttpContext.UserAuthState.Unauthenticated);
+
+        var result = _sut.OnGet(LocalUrl);
+
+        using var scope = new AssertionScope();
+
+        result.Should().BeOfType<LocalRedirectResult>();
+        result.As<LocalRedirectResult>().Url.Should().Be(LocalUrl);
+        _tempDataDictionary.Should().ContainKey("RetryingLogin").WhoseValue.Should().Be("true");
+        _mockHttpContext.MockResponseCookies.VerifyNoOtherCalls();
+    }
+
+    [Fact]
+    public void OnGet_should_retry_login_when_user_is_unauthorised_and_not_retried_login()
+    {
+        _mockHttpContext.SetUserTo(MockHttpContext.UserAuthState.Unauthorised);
+
+        var result = _sut.OnGet(LocalUrl);
+
+        using var scope = new AssertionScope();
+
+        result.Should().BeOfType<LocalRedirectResult>();
+        result.As<LocalRedirectResult>().Url.Should().Be(LocalUrl);
+        _tempDataDictionary.Should().ContainKey("RetryingLogin").WhoseValue.Should().Be("true");
+        _mockHttpContext.MockResponseCookies.VerifyCookieDeleted(FiatCookies.Login,
+            new CookieOptions { HttpOnly = true, IsEssential = true, SameSite = SameSiteMode.Strict, Secure = true });
+    }
+
+    [Fact]
+    public void OnGet_should_return_no_access_page_when_user_is_unauthorised_and_has_retried_login()
+    {
+        _mockHttpContext.SetUserTo(MockHttpContext.UserAuthState.Unauthorised);
+        _tempDataDictionary.Add("RetryingLogin", "true");
+
+        var result = _sut.OnGet(LocalUrl);
+
+        result.Should().BeOfType<PageResult>();
+        _tempDataDictionary.Should().NotContainKey("RetryingLogin");
+    }
+}

From be02b00cc4f504c24e6915cddbb82837d9180441 Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Tue, 29 Oct 2024 14:47:22 +0000
Subject: [PATCH 14/17] Reduce nested branching by checking for return url
 first

---
 .../Pages/NoAccess.cshtml.cs                        |  7 +++++--
 .../Pages/NoAccessModelTests.cs                     | 13 +++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs b/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs
index beaaa7d8c..c4a2b1aca 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs
+++ b/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs
@@ -13,9 +13,12 @@ public class NoAccessModel : ContentPageModel
 
     public ActionResult OnGet(string? returnUrl)
     {
+        if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
+            return Page();
+
         if (User.HasAccessToFiat())
         {
-            return Url.IsLocalUrl(returnUrl) ? LocalRedirect(returnUrl) : Page();
+            return LocalRedirect(returnUrl);
         }
 
         // Users may be redirected to Access Denied because the login cookie stored in their browser contains
@@ -29,7 +32,7 @@ public ActionResult OnGet(string? returnUrl)
             // We use temp data to ensure we don't end up in a redirect loop for genuine unauthorised users
             TempData.Add(RetryingLogin, "true");
 
-            return Url.IsLocalUrl(returnUrl) ? LocalRedirect(returnUrl) : Page();
+            return LocalRedirect(returnUrl);
         }
 
         TempData.Remove(RetryingLogin);
diff --git a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/NoAccessModelTests.cs b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/NoAccessModelTests.cs
index 483e6f2e7..21a891a13 100644
--- a/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/NoAccessModelTests.cs
+++ b/tests/DfE.FindInformationAcademiesTrusts.UnitTests/Pages/NoAccessModelTests.cs
@@ -58,6 +58,19 @@ public void OnGet_should_render_page_when_no_return_url_specified(MockHttpContex
         result.Should().BeOfType<PageResult>();
     }
 
+    [Theory]
+    [InlineData(MockHttpContext.UserAuthState.Authorised)]
+    [InlineData(MockHttpContext.UserAuthState.Unauthenticated)]
+    [InlineData(MockHttpContext.UserAuthState.Unauthorised)]
+    public void OnGet_should_render_page_when_return_url_is_empty(MockHttpContext.UserAuthState authState)
+    {
+        _mockHttpContext.SetUserTo(authState);
+
+        var result = _sut.OnGet(string.Empty);
+
+        result.Should().BeOfType<PageResult>();
+    }
+
     [Theory]
     [InlineData(MockHttpContext.UserAuthState.Authorised)]
     [InlineData(MockHttpContext.UserAuthState.Unauthenticated)]

From 211d0b13967e5086ab50b3277f15305c60b35902 Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Mon, 28 Oct 2024 13:24:29 +0000
Subject: [PATCH 15/17] Add ADR

---
 ...le-users-authorisation-state-with-roles.md | 113 ++++++++++++++++++
 1 file changed, 113 insertions(+)
 create mode 100644 docs/adrs/0020-handle-users-authorisation-state-with-roles.md

diff --git a/docs/adrs/0020-handle-users-authorisation-state-with-roles.md b/docs/adrs/0020-handle-users-authorisation-state-with-roles.md
new file mode 100644
index 000000000..7e54ed9a7
--- /dev/null
+++ b/docs/adrs/0020-handle-users-authorisation-state-with-roles.md
@@ -0,0 +1,113 @@
+# 20. Handle users authorisation state with roles
+
+**Date**: 2024-10-28
+
+## Status
+
+Accepted
+
+## Context
+
+Currently, when a new user tries to access FIAT without having been added to the correct Azure AD group, they encounter a daunting default error page from Mucrosoft which tells them to contact their "admin".
+
+We want to create a better user experience for people trying to get access to FIAT by redirecting unauthorised users to a page with helpful information.
+
+We were entirely delegating both the **authorisation** and **authentication** to the Microsoft Azure Enterprise application which meant that we were unable to redirect on login failure. Some other applications in the program have enabled a no access page redirect by assigning Roles to user groups in the Microsoft Azure Enterprise application and then moving **authorisation** into the actual web application's codebase.
+
+## Decision
+
+We want to keep consistency with other products in RSD and we also couldn't see another way to enable a redirect to one of our own pages so we decided to adopt the same approach.
+
+- Users permitted to use FIAT will still be onboarded in the same way by being added to the correct Microsoft Entra group.
+- **Authentication** is still managed by `Microsoft.Identity.Web` and Microsoft Entra.
+- **Authorisation** will be managed by role claims configured in the Microsoft Azure Enterprise application and then evaluated by the FIAT application.
+
+This requires some changes to the authorisation process in FIAT and has implications for security.
+
+- By default every page and route in FIAT will be secured and require the correct user role claim to access.
+- The no-access, accessibility, cookies and privacy pages will be specifically opened to unauthorised users.
+- The cookies banner should still function for unauthorised users.
+- The header and footer will not render components which link to protected areas of the site (such as the Home breadcrumb or header trust search box) for unauthorised users.
+
+## Consequences
+
+There is a disconnect between how we persist login information (in a cookie) and what a user's most up to date role information may be.
+
+When we release the role based authorisation some current users of the may have outdated role claims in their login cookie - we don't want these existing users to face any change or interruption to their use of the application so we mapped out the different states a user can be in at the point they try to access a page on FIAT and whether or not they should be able to access secured pages.
+
+| Example user                                                                                                                                              | Has login cookie   | Has FIAT user role claim in login cookie | Has FIAT user role in azure | Should have access to secured FIAT pages?         |
+| --------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | ---------------------------------------- | --------------------------- | ------------------------------------------------- |
+| A long-term FIAT user                                                                                                                                     | :heavy_check_mark: | :heavy_check_mark:                       | :heavy_check_mark:          | :muscle: has access                               |
+| FIAT User that has just had permissions revoked                                                                                                           | :heavy_check_mark: | :heavy_check_mark:                       | :x:                         | :warning: has access until end of browser session |
+| User that followed the get access link on the no access page and has just had access granted (also existing users at the time of release of this feature) | :heavy_check_mark: | :x:                                      | :heavy_check_mark:          | :muscle: has access                               |
+| User that has not been setup to use FIAT but has tried to access FIAT before                                                                              | :heavy_check_mark: | :x:                                      | :x:                         | :no_entry: no access                              |
+| Invalid state - a cookie can't contain a role if the cookie does not exist                                                                                | ~~:x:~~            | ~~:heavy_check_mark:~~                   | ~~:heavy_check_mark:~~      | n/a                                               |
+| Invalid state - a cookie can't contain a role if the cookie does not exist                                                                                | ~~:x:~~            | ~~:heavy_check_mark:~~                   | ~~:x:~~                     | n/a                                               |
+| Brand new User that has just been told they have access                                                                                                   | :x:                | :x:                                      | :heavy_check_mark:          | :muscle: has access                               |
+| Brand new User that has not been setup to use FIAT                                                                                                        | :x:                | :x:                                      | :x:                         | :no_entry: no access                              |
+
+This exercise allows us to ensure that we cover all permutations of user state to ensure that the user journey for each user is as simple and intuitive as possible for both new and existing users.
+
+We also found that there were several different types of journey that an authorised or unauthorised user might want to make and we needed to behave differently for each
+
+| Request                                                         | Authorised FIAT user outcome | Unauthorised user outcome                                                            |
+| --------------------------------------------------------------- | ---------------------------- | ------------------------------------------------------------------------------------ |
+| Is navigating to a standard fiat page (like home or a trust)    | Should go to intended page   | Should be redirected to no-access with return url of page they were trying to access |
+| Is navigating to an always accessible fiat page (like cookies)  | Should go to intended page   | Should go to intended page                                                           |
+| Is navigating to no-access with return url                      | Should go to return url      | Should go to no-access page with return url                                          |
+| Is navigating to no-access on purpose (i.e. without return url) | Should go to no-access page  | Should go to no-access page                                                          |
+
+## Implementation
+
+We created a new flow triggered upon navigation to the "No Access" page to ensure that a user's role is up to date and we're not relying on stale claims in a cookie:
+
+```mermaid
+---
+title: Flow upon navigating to "No Access" page 
+---
+flowchart TB
+    %% ~~~~~ Node declarations ~~~~~
+    %% Entry nodes
+    auth-fail-redirect(["**Entry point**: ASP.NET core framework redirecting to no-access due to auth failure (original path included as return url)"])
+    direct-nav-with-return(["**Entry point**: Direct visit to no-access page with return url (e.g. page refresh)"])
+    direct-nav-no-return(["**Entry point**: Direct visit to no-access page without return url"])
+
+    %% Main nodes
+    local-return-url{Is there a local return url?}
+    on-get[On GET for no-access page]
+    has-role{"`Does user have FIAT user role claim? 
+            (Note that claims are persisted in the login cookie and will not be retrieved from Azure)`"}
+    refresh-login-cookie["Force re-login by removing login cookie (if it exists)"]
+    login-retry["Mark in TempData that we're 'RetryingLogin'"]
+    login-redirect-return-url[Redirect to local return url]
+    login-retry-auth-fail-redirect[ASP.NET core framework redirects back to no-access page]
+    login-user-logs-in[User logins in]
+    already-retried-login{Does TempData show that we've already retried the login to update the role claims?}
+    remove-tempdata["Remove 'RetryingLogin' from TempData"]
+    redirect-return-url[Redirect to local return url]
+
+    %% Exit nodes
+    render-no-access([Render no-access page])
+    render-requested-page([Render requested page])
+
+    %% ~~~~~ Chart links ~~~~~
+    auth-fail-redirect --> on-get
+    direct-nav-with-return --> on-get
+    direct-nav-no-return --> on-get
+
+    on-get --> local-return-url
+    local-return-url -- yes --> has-role
+    local-return-url -- no --> render-no-access
+
+    has-role -- yes - auth success --> redirect-return-url --> render-requested-page
+    has-role -- no --> already-retried-login
+
+    already-retried-login -- no - cookie might be stale --> refresh-login-cookie --> login-retry
+    already-retried-login -- yes - auth has failed --> remove-tempdata --> render-no-access
+    
+    login-retry --> login-redirect-return-url --> login-user-logs-in
+    login-user-logs-in -- auth success --> render-requested-page
+    login-user-logs-in -- auth failure --> login-retry-auth-fail-redirect --> on-get
+```
+
+Triggering this flow on the `OnGet` of the no access page (rather than by using an authentication handler or cookie authentication events) ensures that we're only doing this extra work in the exceptional circumstance of a user auth failure and gives us easy access to the intended route and the Tempdata. It also allows us to handle cases such as when auth succeeds for a new user but they're just refreshing an old browser tab which had previously redirected to the no-access page.

From 0eaa92f625ecd859e7454503cccd0379968ec164 Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Wed, 30 Oct 2024 11:54:22 +0000
Subject: [PATCH 16/17] Share an anonymous page model between always accessible
 pages

Reduces code, makes it easier to see which pages have anonymous access and aggregates the behavior into one place
---
 .../Pages/Accessibility.cshtml                             | 2 +-
 .../Pages/Accessibility.cshtml.cs                          | 7 -------
 DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs | 4 +---
 .../Pages/NoAccess.cshtml.cs                               | 4 +---
 DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml    | 2 +-
 DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml.cs | 7 -------
 .../Pages/Shared/AnonymousPageModel.cs                     | 6 ++++++
 7 files changed, 10 insertions(+), 22 deletions(-)
 delete mode 100644 DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml.cs
 delete mode 100644 DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml.cs
 create mode 100644 DfE.FindInformationAcademiesTrusts/Pages/Shared/AnonymousPageModel.cs

diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml b/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml
index b70d3363d..a18db62ff 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml
@@ -1,5 +1,5 @@
 @page
-@model AccessibilityModel
+@model DfE.FindInformationAcademiesTrusts.Pages.Shared.AnonymousPageModel
 
 @{
   Layout = "_ContentLayout";
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml.cs b/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml.cs
deleted file mode 100644
index 1afbe906a..000000000
--- a/DfE.FindInformationAcademiesTrusts/Pages/Accessibility.cshtml.cs
+++ /dev/null
@@ -1,7 +0,0 @@
-using DfE.FindInformationAcademiesTrusts.Pages.Shared;
-using Microsoft.AspNetCore.Authorization;
-
-namespace DfE.FindInformationAcademiesTrusts.Pages;
-
-[AllowAnonymous]
-public class AccessibilityModel : ContentPageModel;
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs b/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs
index ebc3f1b69..0491faba1 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Cookies.cshtml.cs
@@ -1,13 +1,11 @@
 using DfE.FindInformationAcademiesTrusts.Configuration;
 using DfE.FindInformationAcademiesTrusts.Pages.Shared;
-using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.IdentityModel.Tokens;
 
 namespace DfE.FindInformationAcademiesTrusts.Pages;
 
-[AllowAnonymous]
-public class CookiesModel(IHttpContextAccessor httpContextAccessor) : ContentPageModel
+public class CookiesModel(IHttpContextAccessor httpContextAccessor) : AnonymousPageModel
 {
     public bool DisplayCookieChangedMessageOnCookiesPage { get; set; }
     [BindProperty(SupportsGet = true)] public string? ReturnPath { get; set; }
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs b/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs
index c4a2b1aca..798731df5 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs
+++ b/DfE.FindInformationAcademiesTrusts/Pages/NoAccess.cshtml.cs
@@ -1,13 +1,11 @@
 using DfE.FindInformationAcademiesTrusts.Configuration;
 using DfE.FindInformationAcademiesTrusts.Extensions;
 using DfE.FindInformationAcademiesTrusts.Pages.Shared;
-using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
 namespace DfE.FindInformationAcademiesTrusts.Pages;
 
-[AllowAnonymous]
-public class NoAccessModel : ContentPageModel
+public class NoAccessModel : AnonymousPageModel
 {
     private const string RetryingLogin = "RetryingLogin";
 
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml b/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml
index 6b1e88804..da571f498 100644
--- a/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml
@@ -1,5 +1,5 @@
 @page
-@model PrivacyModel
+@model DfE.FindInformationAcademiesTrusts.Pages.Shared.AnonymousPageModel
 
 @{
   Layout = "_ContentLayout";
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml.cs b/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml.cs
deleted file mode 100644
index d0af908cf..000000000
--- a/DfE.FindInformationAcademiesTrusts/Pages/Privacy.cshtml.cs
+++ /dev/null
@@ -1,7 +0,0 @@
-using DfE.FindInformationAcademiesTrusts.Pages.Shared;
-using Microsoft.AspNetCore.Authorization;
-
-namespace DfE.FindInformationAcademiesTrusts.Pages;
-
-[AllowAnonymous]
-public class PrivacyModel : ContentPageModel;
diff --git a/DfE.FindInformationAcademiesTrusts/Pages/Shared/AnonymousPageModel.cs b/DfE.FindInformationAcademiesTrusts/Pages/Shared/AnonymousPageModel.cs
new file mode 100644
index 000000000..9c6a52430
--- /dev/null
+++ b/DfE.FindInformationAcademiesTrusts/Pages/Shared/AnonymousPageModel.cs
@@ -0,0 +1,6 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace DfE.FindInformationAcademiesTrusts.Pages.Shared;
+
+[AllowAnonymous]
+public class AnonymousPageModel : ContentPageModel;

From e9db4df2eff3dd8e63376074fd51042fe1fdcf98 Mon Sep 17 00:00:00 2001
From: Sara Gowen <9001998+dynamictulip@users.noreply.github.com>
Date: Wed, 30 Oct 2024 17:42:16 +0000
Subject: [PATCH 17/17] Update changelog with no-access page changes

---
 CHANGELOG.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 17f90f814..cc53a7fcd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased][unreleased]
 
+### Added
+
+- Redirect unauthorised users to a new "no access" page giving them directions on how to get access to FIAT
+
 ### Changed
 
 - Updated the contacts page to include disclaimer text for the trust contacts
@@ -14,6 +18,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Updated the landing page to add more information and links to other services
 - Renamed the anti forgery cookie to a static name
 - Updated wording for links on the landing page to tell users they open in new tabs
+- Make cookies, accessibility statement and privacy notice pages available to users without FIAT access
+- Hide header and footer areas on pages available to users without FIAT access
+- Fix Privacy page having incorrect width
+- Improve security by changing SameSite setting for the login cookie to current Microsoft recommendation of Lax
+- Update name of cookie consent cookie to be consistent with application name and what is displayed in the Cookie UI
 
 ## [Release-11][release-11] (production-2024-10-17.3654)