app/utils/user.py

from functools import wraps

from flask import abort, current_app
from flask_login import current_user, login_required

from app import config

user_is_logged_in = login_required


def user_has_permissions(*permissions, **permission_kwargs):
    def wrap(func):
        @wraps(func)
        def wrap_func(*args, **kwargs):
            if not current_user.is_authenticated:
                return current_app.login_manager.unauthorized()
            if not current_user.has_permissions(*permissions, **permission_kwargs):
                abort(403)
            return func(*args, **kwargs)

        return wrap_func

    return wrap


def user_is_gov_user(f):
    @wraps(f)
    def wrapped(*args, **kwargs):
        if not current_user.is_authenticated:
            return current_app.login_manager.unauthorized()
        if not current_user.is_gov_user:
            abort(403)
        return f(*args, **kwargs)

    return wrapped


def user_is_platform_admin(f):
    @wraps(f)
    def wrapped(*args, **kwargs):
        if not current_user.is_authenticated:
            return current_app.login_manager.unauthorized()
        if not current_user.platform_admin:
            abort(403)
        return f(*args, **kwargs)

    return wrapped


def is_gov_user(email_address):
    return _email_address_ends_with(
        email_address, config.Config.GOVERNMENT_EMAIL_DOMAIN_NAMES
    )  # or _email_address_ends_with(email_address, organizations_client.get_domains())


def _email_address_ends_with(email_address, known_domains):
    return any(
        email_address.lower().endswith(
            (
                "@{}".format(known),
                ".{}".format(known),
            )
        )
        for known in known_domains
    )


# def normalise_email_address_aliases(email_address):
#     local_part, domain = email_address.split('@')
#     local_part = local_part.split('+')[0].replace('.', '')

#     return f'{local_part}@{domain}'.lower()


# def distinct_email_addresses(*args):
#     return len(args) == len(set(map(normalise_email_address_aliases, args)))
Extract user utility code into own module This provides more room for expansion, and reduces the amount of arbitrary code in the __init__.py file for the new package. 2021-06-09 13:19:05 +01:00			`from functools import wraps`

			`from flask import abort, current_app`
			`from flask_login import current_user, login_required`

notify-245 update the allowlist for user domains (#510) Co-authored-by: Kenneth Kehl <@kkehl@flexion.us> 2023-05-19 13:54:27 -07:00			`from app import config`
Extract user utility code into own module This provides more room for expansion, and reduces the amount of arbitrary code in the __init__.py file for the new package. 2021-06-09 13:19:05 +01:00
			`user_is_logged_in = login_required`


			`def user_has_permissions(permissions, *permission_kwargs):`
			`def wrap(func):`
			`@wraps(func)`
			`def wrap_func(args, *kwargs):`
			`if not current_user.is_authenticated:`
			`return current_app.login_manager.unauthorized()`
			`if not current_user.has_permissions(permissions, *permission_kwargs):`
			`abort(403)`
			`return func(args, *kwargs)`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00
Extract user utility code into own module This provides more room for expansion, and reduces the amount of arbitrary code in the __init__.py file for the new package. 2021-06-09 13:19:05 +01:00			`return wrap_func`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00
Extract user utility code into own module This provides more room for expansion, and reduces the amount of arbitrary code in the __init__.py file for the new package. 2021-06-09 13:19:05 +01:00			`return wrap`


			`def user_is_gov_user(f):`
			`@wraps(f)`
			`def wrapped(args, *kwargs):`
			`if not current_user.is_authenticated:`
			`return current_app.login_manager.unauthorized()`
			`if not current_user.is_gov_user:`
			`abort(403)`
			`return f(args, *kwargs)`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00
Extract user utility code into own module This provides more room for expansion, and reduces the amount of arbitrary code in the __init__.py file for the new package. 2021-06-09 13:19:05 +01:00			`return wrapped`


			`def user_is_platform_admin(f):`
			`@wraps(f)`
			`def wrapped(args, *kwargs):`
			`if not current_user.is_authenticated:`
			`return current_app.login_manager.unauthorized()`
			`if not current_user.platform_admin:`
			`abort(403)`
			`return f(args, *kwargs)`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00
Extract user utility code into own module This provides more room for expansion, and reduces the amount of arbitrary code in the __init__.py file for the new package. 2021-06-09 13:19:05 +01:00			`return wrapped`


			`def is_gov_user(email_address):`
			`return _email_address_ends_with(`
notify-245 update the allowlist for user domains (#510) Co-authored-by: Kenneth Kehl <@kkehl@flexion.us> 2023-05-19 13:54:27 -07:00			`email_address, config.Config.GOVERNMENT_EMAIL_DOMAIN_NAMES`
code review feedback 2024-05-20 12:09:49 -07:00			`) # or _email_address_ends_with(email_address, organizations_client.get_domains())`
Extract user utility code into own module This provides more room for expansion, and reduces the amount of arbitrary code in the __init__.py file for the new package. 2021-06-09 13:19:05 +01:00

			`def _email_address_ends_with(email_address, known_domains):`
			`return any(`
notify-api-412 use black to enforce python coding style 2023-08-25 09:12:23 -07:00			`email_address.lower().endswith(`
			`(`
			`"@{}".format(known),`
			`".{}".format(known),`
			`)`
			`)`
Extract user utility code into own module This provides more room for expansion, and reduces the amount of arbitrary code in the __init__.py file for the new package. 2021-06-09 13:19:05 +01:00			`for known in known_domains`
			`)`
Be strict about similar email addresses for alerts We don’t want a single person to have two accounts on an emergency alerts service because it would let them circumvent the two eyes approval process. We can go some way to mitigating against this by stopping people using common methods that email providers use to alias email addresses. These are: - being case insensitive - being insensitive to the position or number of dots in the local part of an email address - using ‘plus addressing’ We already prevent the first one, this commit adds normalisation which strip out the second two before doing the comparision with the current user’s email address. 2021-07-13 15:26:19 +01:00

remove broadcast-related code 2022-10-04 03:04:13 +00:00			`# def normalise_email_address_aliases(email_address):`
			`# local_part, domain = email_address.split('@')`
			`# local_part = local_part.split('+')[0].replace('.', '')`
Be strict about similar email addresses for alerts We don’t want a single person to have two accounts on an emergency alerts service because it would let them circumvent the two eyes approval process. We can go some way to mitigating against this by stopping people using common methods that email providers use to alias email addresses. These are: - being case insensitive - being insensitive to the position or number of dots in the local part of an email address - using ‘plus addressing’ We already prevent the first one, this commit adds normalisation which strip out the second two before doing the comparision with the current user’s email address. 2021-07-13 15:26:19 +01:00
remove broadcast-related code 2022-10-04 03:04:13 +00:00			`# return f'{local_part}@{domain}'.lower()`
Be strict about similar email addresses for alerts We don’t want a single person to have two accounts on an emergency alerts service because it would let them circumvent the two eyes approval process. We can go some way to mitigating against this by stopping people using common methods that email providers use to alias email addresses. These are: - being case insensitive - being insensitive to the position or number of dots in the local part of an email address - using ‘plus addressing’ We already prevent the first one, this commit adds normalisation which strip out the second two before doing the comparision with the current user’s email address. 2021-07-13 15:26:19 +01:00

remove broadcast-related code 2022-10-04 03:04:13 +00:00			`# def distinct_email_addresses(*args):`
			`# return len(args) == len(set(map(normalise_email_address_aliases, args)))`