Hide template and folder action links if user doesn't have folder access

Hides action links ('Send', 'Edit', 'Delete' and 'Redact' fro templates and 'Manage' for template folders) and buttons ('New template', 'New folder') if the user doesn't have permission to view current folder or template's parent folder.
2026-06-26 02:11:49 -04:00 · 2019-03-20 17:27:22 +00:00
parent bfe6768796
commit 355927d091
4 changed files with 20 additions and 4 deletions
--- a/app/main/views/templates.py
+++ b/app/main/views/templates.py
@@ -51,6 +51,12 @@ form_objects = {
@user_has_permissions()
 def view_template(service_id, template_id):
    template = current_service.get_template(template_id)
+    template_folder = current_service.get_template_folder(template['folder'])
+
+    if not current_service.has_permission("edit_folder_permissions"):
+        user_has_template_permission = True
+    else:
+        user_has_template_permission = current_user.has_template_folder_permission(template_folder)

    if should_skip_template_page(template['template_type']):
        return redirect(url_for(
@@ -79,6 +85,7 @@ def view_template(service_id, template_id):
            page_count=get_page_count_for_letter(template),
        ),
        template_postage=template["postage"],
+        user_has_template_permission=user_has_template_permission,
        default_letter_contact_block_id=default_letter_contact_block_id,
    )

@@ -111,6 +118,12 @@ def start_tour(service_id, template_id):
@login_required
@user_has_permissions()
 def choose_template(service_id, template_type='all', template_folder_id=None):
+    template_folder = current_service.get_template_folder(template_folder_id)
+
+    if not current_service.has_permission("edit_folder_permissions"):
+        user_has_template_folder_permission = True
+    else:
+        user_has_template_folder_permission = current_user.has_template_folder_permission(template_folder)

    template_list = TemplateList(current_service, template_type, template_folder_id, current_user)

@@ -155,6 +168,7 @@ def choose_template(service_id, template_type='all', template_folder_id=None):
        search_form=SearchByNameForm(),
        templates_and_folders_form=templates_and_folders_form,
        move_to_children=templates_and_folders_form.move_to.children(),
+        user_has_template_folder_permission=user_has_template_folder_permission,
        option_hints=option_hints
    )

@@ -702,6 +716,7 @@ def delete_service_template(service_id, template_id):
            ),
            show_recipient=True,
        ),
+        user_has_template_permission=True,
    )


@@ -725,6 +740,7 @@ def confirm_redact_template(service_id, template_id):
            ),
            show_recipient=True,
        ),
+        user_has_template_permission=True,
        show_redaction_message=True,
    )

--- a/app/templates/views/templates/_template.html
+++ b/app/templates/views/templates/_template.html
@@ -5,7 +5,7 @@
    <p class="hint">
      This template was deleted {{ template._template.updated_at|format_datetime_relative }}.
    </p>
-  {% elif not current_user.has_permissions('send_messages', 'manage_api_keys', 'manage_templates', 'manage_service') %}
+  {% elif not current_user.has_permissions('send_messages', 'manage_api_keys', 'manage_templates', 'manage_service') or not user_has_template_permission %}
    <p class="top-gutter-1-3 {% if template.template_type != 'sms' %}bottom-gutter{% endif %}">
      If you need to send this
      {{ message_count_label(1, template.template_type, suffix='') }}
--- a/app/templates/views/templates/choose.html
+++ b/app/templates/views/templates/choose.html
@@ -57,7 +57,7 @@
          show_fallback_page_title=not current_service.all_template_folders
        ) }}
      </div>
-      {% if current_user.has_permissions('manage_templates') and current_template_folder_id %}
+      {% if current_user.has_permissions('manage_templates') and current_template_folder_id and user_has_template_folder_permission %}
        <div class="column-one-sixth">
          <a href="{{ url_for('.manage_template_folder', service_id=current_service.id, template_folder_id=current_template_folder_id) }}" class="folder-heading-manage-link">Manage</a>
        </div>
@@ -72,7 +72,7 @@

    {{ live_search(target_selector='#template-list .template-list-item', show=show_search_box, form=search_form) }}

-    {% if current_user.has_permissions('manage_templates') %}
+    {% if current_user.has_permissions('manage_templates') and user_has_template_folder_permission %}
      {% call form_wrapper(
          class='sticky-scroll-area',
          module='template-folder-form',
--- a/app/templates/views/templates/template.html
+++ b/app/templates/views/templates/template.html
@@ -64,7 +64,7 @@
      &emsp;
      <br/>
    {% endif %}
-    {% if current_user.has_permissions('manage_templates') %}
+    {% if current_user.has_permissions('manage_templates') and user_has_template_permission %}
      {% if not template._template.archived %}
        <span class="page-footer-delete-link page-footer-delete-link-without-button bottom-gutter-2-3">
          <a href="{{ url_for('.delete_service_template', service_id=current_service.id, template_id=template.id) }}">Delete this template</a>