Merge pull request #4472 from open-formulieren/feature/4246-adapt-pre…

…fill-to-auth-context

Adapt prefill to new auth context

src/openapi.yaml

@@ -8229,7 +8229,7 @@ components:
             In case that multiple identifiers are returned (in the case of eHerkenning bewindvoering and DigiD Machtigen), should the prefill data related to the main identifier be used, or that related to the authorised person?
 
             * `main` - Main
-            * `authorised_person` - Authorised person
+            * `authorizee` - Authorizee
         dataType:
           allOf:
           - $ref: '#/components/schemas/DataTypeEnum'
@@ -9310,11 +9310,11 @@ components:
     PrefillIdentifierRoleEnum:
       enum:
       - main
-      - authorised_person
+      - authorizee
       type: string
       description: |-
         * `main` - Main
-        * `authorised_person` - Authorised person
+        * `authorizee` - Authorizee
     PrefillPlugin:
       type: object
       properties:

src/openforms/formio/migration_converters.py

@@ -236,6 +236,15 @@ def ensure_addressnl_has_deriveAddress(component: Component) -> bool:
     return True
 
 
+def rename_identifier_role_authorizee(component: Component) -> bool:
+    if "prefill" not in component:
+        return False
+    if component["prefill"].get("identifierRole") != "authorised_person":
+        return False
+    component["prefill"]["identifierRole"] = "authorizee"
+    return True
+
+
 DEFINITION_CONVERTERS = [
     convert_simple_conditionals,
 ]
@@ -246,16 +255,19 @@ def ensure_addressnl_has_deriveAddress(component: Component) -> bool:
     "textfield": {
         "alter_prefill_default_values": alter_prefill_default_values,
         "fix_empty_validate_lengths": fix_empty_validate_lengths,
+        "rename_identifier_role_authorizee": rename_identifier_role_authorizee,
     },
     "email": {
         "fix_empty_validate_lengths": fix_empty_validate_lengths,
     },
     "date": {
         "alter_prefill_default_values": alter_prefill_default_values,
+        "rename_identifier_role_authorizee": rename_identifier_role_authorizee,
     },
     "datetime": {
         "alter_prefill_default_values": alter_prefill_default_values,
         "prevent_datetime_components_from_emptying_invalid_values": prevent_datetime_components_from_emptying_invalid_values,
+        "rename_identifier_role_authorizee": rename_identifier_role_authorizee,
     },
     "time": {
         "move_time_validators": move_time_validators,
@@ -267,6 +279,7 @@ def ensure_addressnl_has_deriveAddress(component: Component) -> bool:
         "alter_prefill_default_values": alter_prefill_default_values,
         "ensure_validate_pattern": ensure_postcode_validate_pattern,
         "fix_empty_validate_lengths": fix_empty_validate_lengths,
+        "rename_identifier_role_authorizee": rename_identifier_role_authorizee,
     },
     "file": {
         "fix_default_value": fix_file_default_value,
@@ -297,6 +310,7 @@ def ensure_addressnl_has_deriveAddress(component: Component) -> bool:
     "bsn": {
         "alter_prefill_default_values": alter_prefill_default_values,
         "fix_empty_validate_lengths": fix_empty_validate_lengths,
+        "rename_identifier_role_authorizee": rename_identifier_role_authorizee,
     },
     "cosign": {
         "fix_empty_validate_lengths": fix_empty_validate_lengths,

src/openforms/formio/typing/base.py

@@ -59,7 +59,7 @@ class OptionDict(TypedDict):
 class PrefillConfiguration(TypedDict):
     plugin: str
     attribute: str
-    identifierRole: Literal["main", "authorised_person"]
+    identifierRole: Literal["main", "authorizee"]
 
 
 class Component(TypedDict):

src/openforms/forms/migrations/0102_alter_formvariable_prefill_identifier_role.py

@@ -0,0 +1,24 @@
+# Generated by Django 4.2.11 on 2024-07-02 06:33
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("forms", "0101_objecttype_url_to_uuid"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="formvariable",
+            name="prefill_identifier_role",
+            field=models.CharField(
+                choices=[("main", "Main"), ("authorised_person", "Authorizee")],
+                default="main",
+                help_text="In case that multiple identifiers are returned (in the case of eHerkenning bewindvoering and DigiD Machtigen), should the prefill data related to the main identifier be used, or that related to the authorised person?",
+                max_length=100,
+                verbose_name="prefill identifier role",
+            ),
+        ),
+    ]

src/openforms/forms/migrations/0103_rename_identifier_role_prefill.py

@@ -0,0 +1,46 @@
+# Generated by Django 4.2.11 on 2024-07-02 09:03
+
+from django.db import migrations, models
+from django.db.migrations.state import StateApps
+
+from openforms.forms.migration_operations import ConvertComponentsOperation
+
+
+def rename_authorizee_enum(apps: StateApps, _):
+    FormVariable = apps.get_model("forms", "FormVariable")
+    FormVariable.objects.filter(prefill_identifier_role="authorised_person").update(
+        prefill_identifier_role="authorizee"
+    )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("forms", "0102_alter_formvariable_prefill_identifier_role"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            rename_authorizee_enum,
+            # no point in adding a reverse operation when ConvertComponent doesn't
+            # support it - if it's wrong, we recommend restoring a backup.
+            migrations.RunPython.noop,
+        ),
+        # only lists the components that have prefill
+        ConvertComponentsOperation("textfield", "rename_identifier_role_authorizee"),
+        ConvertComponentsOperation("date", "rename_identifier_role_authorizee"),
+        ConvertComponentsOperation("datetime", "rename_identifier_role_authorizee"),
+        ConvertComponentsOperation("postcode", "rename_identifier_role_authorizee"),
+        ConvertComponentsOperation("bsn", "rename_identifier_role_authorizee"),
+        migrations.AlterField(
+            model_name="formvariable",
+            name="prefill_identifier_role",
+            field=models.CharField(
+                choices=[("main", "Main"), ("authorizee", "Authorizee")],
+                default="main",
+                help_text="In case that multiple identifiers are returned (in the case of eHerkenning bewindvoering and DigiD Machtigen), should the prefill data related to the main identifier be used, or that related to the authorised person?",
+                max_length=100,
+                verbose_name="prefill identifier role",
+            ),
+        ),
+    ]

src/openforms/forms/tests/test_migrations.py

@@ -518,3 +518,68 @@ def test_changes_objecttype_key_name(self) -> None:
             backend.options["objecttype"],
             "8e46e0a5-b1b4-449b-b9e9-fa3cea655f48",
         )
+
+
+class PrefillIdentifierRoleRename(TestMigrations):
+    app = "forms"
+    migrate_from = "0102_alter_formvariable_prefill_identifier_role"
+    migrate_to = "0103_rename_identifier_role_prefill"
+
+    def setUpBeforeMigration(self, apps: StateApps):
+        Form = apps.get_model("forms", "Form")
+        FormVariable = apps.get_model("forms", "FormVariable")
+        FormDefinition = apps.get_model("forms", "FormDefinition")
+
+        form = Form.objects.create(name="test form")
+
+        configuration = {
+            "components": [
+                {
+                    "type": "textfield",
+                    "key": "someTextField",
+                    "label": "Some textfield with prefill",
+                    "prefill": {
+                        "plugin": "demo",
+                        "attribute": "random_string",
+                        "identifierRole": "authorised_person",
+                    },
+                },
+                {"type": "number", "key": "number", "label": "no prefill configured"},
+                {
+                    "type": "bsn",
+                    "key": "other",
+                    "label": "Some bsn field with prefill",
+                    "prefill": {
+                        "plugin": "demo",
+                        "attribute": "random_string",
+                        "identifierRole": "main",
+                    },
+                },
+            ]
+        }
+        FormDefinition.objects.create(name="legacy", configuration=configuration)
+        FormVariable.objects.create(
+            form=form,
+            form_definition=None,
+            name="Prefill",
+            key="prefill",
+            source=FormVariableSources.user_defined,
+            prefill_plugin="demo",
+            prefill_attribute="random_string",
+            prefill_identifier_role="authorised_person",
+            data_type=FormVariableDataTypes.string,
+            initial_value="",
+        )
+
+    def test_identifier_role_updated_to_authorizee(self):
+        FormVariable = self.apps.get_model("forms", "FormVariable")
+        FormDefinition = self.apps.get_model("forms", "FormDefinition")
+
+        variable = FormVariable.objects.get()
+        self.assertEqual(variable.prefill_identifier_role, "authorizee")
+
+        fd = FormDefinition.objects.get()
+        component = fd.configuration["components"][0]
+        self.assertEqual(component["prefill"]["identifierRole"], "authorizee")
+        component3 = fd.configuration["components"][2]
+        self.assertEqual(component3["prefill"]["identifierRole"], "main")

src/openforms/js/components/admin/form_design/variables/constants.js

@@ -101,12 +101,12 @@ const EMPTY_VARIABLE = {
 
 const IDENTIFIER_ROLE_CHOICES = {
   main: defineMessage({
-    description: 'Choices (main/authorised person) label',
-    defaultMessage: 'Main',
+    description: 'Identifier role (for mandate context) label for representee',
+    defaultMessage: 'Main/representee',
   }),
-  authorised_person: defineMessage({
-    description: 'Choices (main/authorised person) label',
-    defaultMessage: 'Authorised person',
+  authorizee: defineMessage({
+    description: 'Identifier role (for mandate context) label for authorizee',
+    defaultMessage: 'Authorizee',
   }),
 };
 

src/openforms/js/components/admin/form_design/variables/types.js

@@ -8,7 +8,7 @@ const Variable = PropTypes.shape({
   source: PropTypes.string,
   prefillPlugin: PropTypes.string,
   prefillAttribute: PropTypes.string,
-  prefillIdentifierRole: PropTypes.oneOf(['main', 'authorised_person']),
+  prefillIdentifierRole: PropTypes.oneOf(['main', 'authorizee']),
   dataType: PropTypes.string,
   dataFormat: PropTypes.string,
   isSensitiveData: PropTypes.bool,

src/openforms/js/lang/en.json

@@ -244,11 +244,6 @@
     "description": "Version of the object type in the Object Types API",
     "originalDefault": "Objects API - objecttype version"
   },
-  "5ZI59Y": {
-    "defaultMessage": "Main",
-    "description": "Choices (main/authorised person) label",
-    "originalDefault": "Main"
-  },
   "5uaKBM": {
     "defaultMessage": "minus",
     "description": "\"-\" operator description",
@@ -1169,11 +1164,6 @@
     "description": "Auth plugin provided attributes suffix",
     "originalDefault": "(provides {attrs})"
   },
-  "Q7oBP/": {
-    "defaultMessage": "Authorised person",
-    "description": "Choices (main/authorised person) label",
-    "originalDefault": "Authorised person"
-  },
   "Q8WgtE": {
     "defaultMessage": "Output mapping",
     "description": "Output mapping title",
@@ -1214,6 +1204,11 @@
     "description": "Indication of the level to which extend the dossier of the ZAAK is meant to be public",
     "originalDefault": "Confidentiality"
   },
+  "R7XVbR": {
+    "defaultMessage": "Main/representee",
+    "description": "Identifier role (for mandate context) label for representee",
+    "originalDefault": "Main/representee"
+  },
   "R8/zGm": {
     "defaultMessage": "Form variable",
     "description": "Accessible label for (form) variable dropdown",
@@ -2509,6 +2504,11 @@
     "description": "select definition icon title",
     "originalDefault": "Select definition"
   },
+  "yIPUtA": {
+    "defaultMessage": "Authorizee",
+    "description": "Identifier role (for mandate context) label for authorizee",
+    "originalDefault": "Authorizee"
+  },
   "yTpHh0": {
     "defaultMessage": "(unset)",
     "description": "JSON variable type unset representation",

src/openforms/js/lang/nl.json

@@ -245,11 +245,6 @@
     "description": "Version of the object type in the Object Types API",
     "originalDefault": "Objects API - objecttype version"
   },
-  "5ZI59Y": {
-    "defaultMessage": "Main/machtiger",
-    "description": "Choices (main/authorised person) label",
-    "originalDefault": "Main"
-  },
   "5uaKBM": {
     "defaultMessage": "minus",
     "description": "\"-\" operator description",
@@ -1179,11 +1174,6 @@
     "description": "Auth plugin provided attributes suffix",
     "originalDefault": "(provides {attrs})"
   },
-  "Q7oBP/": {
-    "defaultMessage": "Gemachtigde",
-    "description": "Choices (main/authorised person) label",
-    "originalDefault": "Authorised person"
-  },
   "Q8WgtE": {
     "defaultMessage": "Uitvoerparameters",
     "description": "Output mapping title",
@@ -1224,6 +1214,11 @@
     "description": "Indication of the level to which extend the dossier of the ZAAK is meant to be public",
     "originalDefault": "Confidentiality"
   },
+  "R7XVbR": {
+    "defaultMessage": "Main/representee",
+    "description": "Identifier role (for mandate context) label for representee",
+    "originalDefault": "Main/representee"
+  },
   "R8/zGm": {
     "defaultMessage": "Form variable",
     "description": "Accessible label for (form) variable dropdown",
@@ -2526,6 +2521,11 @@
     "description": "select definition icon title",
     "originalDefault": "Select definition"
   },
+  "yIPUtA": {
+    "defaultMessage": "Authorizee",
+    "description": "Identifier role (for mandate context) label for authorizee",
+    "originalDefault": "Authorizee"
+  },
   "yTpHh0": {
     "defaultMessage": "(niet ingesteld)",
     "description": "JSON variable type unset representation",

src/openforms/prefill/__init__.py

@@ -170,7 +170,7 @@ def prefill_variables(submission: Submission, register: Registry | None = None)
 
     # grouped_fields is a dict of the following shape:
     # {"plugin_id": {"identifier_role": ["attr_1", "attr_2"]}}
-    # "identifier_role" is either "main" or "authorised_person"
+    # "identifier_role" is either "main" or "authorizee"
     grouped_fields: defaultdict[str, defaultdict[str, list[str]]] = defaultdict(
         lambda: defaultdict(list)
     )

src/openforms/prefill/constants.py

@@ -4,4 +4,4 @@
 
 class IdentifierRoles(models.TextChoices):
     main = "main", _("Main")
-    authorised_person = "authorised_person", _("Authorised person")
+    authorizee = "authorizee", _("Authorizee")

src/openforms/prefill/contrib/haalcentraal_brp/plugin.py

@@ -90,8 +90,19 @@ def get_identifier_value(
         ):
             return submission.auth_info.value
 
-        if identifier_role == IdentifierRoles.authorised_person:
-            return submission.auth_info.machtigen.get("identifier_value")
+        if identifier_role == IdentifierRoles.authorizee:
+            legacy_fallback = submission.auth_info.machtigen.get("identifier_value")
+            auth_context = submission.auth_info.to_auth_context_data()
+            # check if we have new-style authentication context capturing, and favour
+            # that over the legacy format
+            legal_subject = auth_context["authorizee"]["legalSubject"]
+            # this only works if the identifier is a BSN
+            if (
+                "representee" not in auth_context
+                or legal_subject["identifierType"] != "bsn"
+            ):
+                return legacy_fallback
+            return legal_subject["identifier"] or legacy_fallback
 
     @classmethod
     def get_prefill_values(