From 355927d091cfac8a5b5afda0f4179eb55c181b16 Mon Sep 17 00:00:00 2001
From: Alexey Bezhan
Date: Wed, 20 Mar 2019 17:27:22 +0000
Subject: [PATCH] Hide template and folder action links if user doesn't have folder access

Hides action links ('Send', 'Edit', 'Delete' and 'Redact' fro templates and 'Manage' for template folders) and buttons ('New template', 'New folder') if the user doesn't have permission to view current folder or template's parent folder.
---
 app/main/views/templates.py | 16 ++++++++++++++++
 app/templates/views/templates/_template.html | 2 +-
 app/templates/views/templates/choose.html | 4 ++--
 app/templates/views/templates/template.html | 2 +-
 4 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/app/main/views/templates.py b/app/main/views/templates.py
index 5221c0631..19af79fc7 100644
--- a/app/main/views/templates.py
+++ b/app/main/views/templates.py
@@ -51,6 +51,12 @@ form_objects = {
 @user_has_permissions()
 def view_template(service_id, template_id):
 template = current_service.get_template(template_id)
+ template_folder = current_service.get_template_folder(template['folder'])
+
+ if not current_service.has_permission("edit_folder_permissions"):
+ user_has_template_permission = True
+ else:
+ user_has_template_permission = current_user.has_template_folder_permission(template_folder)
 
 if should_skip_template_page(template['template_type']):
 return redirect(url_for(
@@ -79,6 +85,7 @@ def view_template(service_id, template_id):
 page_count=get_page_count_for_letter(template),
 ),
 template_postage=template["postage"],
+ user_has_template_permission=user_has_template_permission,
 default_letter_contact_block_id=default_letter_contact_block_id,
 )
 
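Review bot: The `user_has_template_permission` value derived in the added `if/else` block is only handed to the page to hide links; nothing in this hunk, or in the visible remainder of `view_template`, stops a user without folder permission from requesting the edit, send, delete or redact URLs directly, so the handlers for those actions must apply the same `current_user.has_template_folder_permission(template_folder)` check and `abort(403)` — those handlers are outside this diff, so the check may already exist, but it should be confirmed rather than assumed. The five-line derivation is also repeated verbatim in `choose_template`; it collapses to `user_has_template_permission = not current_service.has_permission("edit_folder_permissions") or current_user.has_template_folder_permission(template_folder)` and belongs in one shared helper (e.g. `_user_has_folder_permission(folder)`) so the two sites cannot drift. `template['folder']` is presumably `None` for root-level templates; if `get_template_folder(None)` is the intended way to obtain the root folder, a comment on the added line such as `# folder is None for the root folder` would make that explicit. The body of `view_template` continues past this hunk.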
@@ -111,6 +118,12 @@ def start_tour(service_id, template_id):
 @login_required
 @user_has_permissions()
 def choose_template(service_id, template_type='all', template_folder_id=None):
+ template_folder = current_service.get_template_folder(template_folder_id)
+
+ if not current_service.has_permission("edit_folder_permissions"):
+ user_has_template_folder_permission = True
+ else:
+ user_has_template_folder_permission = current_user.has_template_folder_permission(template_folder)
 
 template_list = TemplateList(current_service, template_type, template_folder_id, current_user)
 
@@ -155,6 +168,7 @@ def choose_template(service_id, template_type='all', template_folder_id=None):
 search_form=SearchByNameForm(),
 templates_and_folders_form=templates_and_folders_form,
 move_to_children=templates_and_folders_form.move_to.children(),
+ user_has_template_folder_permission=user_has_template_folder_permission,
 option_hints=option_hints
 )
 
@@ -702,6 +716,7 @@ def delete_service_template(service_id, template_id):
 ),
 show_recipient=True,
 ),
+ user_has_template_permission=True,
 )
 
 
@@ -725,6 +740,7 @@ def confirm_redact_template(service_id, template_id):
 ),
 show_recipient=True,
 ),
+ user_has_template_permission=True,
 show_redaction_message=True,
 )
 
diff --git a/app/templates/views/templates/_template.html b/app/templates/views/templates/_template.html
index 5e63935cd..1812c424b 100644
--- a/app/templates/views/templates/_template.html
+++ b/app/templates/views/templates/_template.html
@@ -5,7 +5,7 @@
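Review bot: `choose_template` computes `user_has_template_folder_permission` only to pass it into the page, yet the same view renders (and, judging by `templates_and_folders_form` in the @@ -155 hunk, appears to process) the 'New template' / 'New folder' form that this commit hides; hiding a form is not an authorization check, so a POST to this URL from a user without permission on the folder still reaches the form handling unless code outside the hunk rejects it. Directly after the added block I would fail closed for writes, e.g. `if request.method == 'POST' and not user_has_template_folder_permission: abort(403)` (assuming `request`/`abort` are imported in this module), or put the same check in the form-handling branch — that branch is outside the hunk, so this is inferred from the render context. The added block also duplicates `view_template`'s derivation; `user_has_template_folder_permission = not current_service.has_permission("edit_folder_permissions") or current_user.has_template_folder_permission(template_folder)` is equivalent and shorter. The function's body continues past the hunk.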
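Review bot: `user_has_template_permission=True` is hard-coded in the delete confirmation page at @@ -702 (and identically in `confirm_redact_template` at @@ -725), so a user without permission on the template's folder who navigates straight to the delete or redact URL is shown exactly the controls that `view_template` now hides, and nothing in these hunks checks the folder permission before the deletion or redaction is performed. Link visibility is the only thing the new check gates, which makes these direct URLs the obvious bypass; both confirm views should derive the flag the same way `view_template` does and `abort(403)` when it is false, before any state change. Both functions start before their hunks, so their POST branches are not visible here; if such a check already exists there, a comment on the hard-coded line such as `# folder permission is enforced above via abort(403)` would make the True literal defensible.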

This template was deleted {{ template._template.updated_at|format_datetime_relative }}.

- {% elif not current_user.has_permissions('send_messages', 'manage_api_keys', 'manage_templates', 'manage_service') %} + {% elif not current_user.has_permissions('send_messages', 'manage_api_keys', 'manage_templates', 'manage_service') or not user_has_template_permission %}

If you need to send this {{ message_count_label(1, template.template_type, suffix='') }}
diff --git a/app/templates/views/templates/choose.html b/app/templates/views/templates/choose.html
index 4f999bb23..8fe4a7e0c 100644
--- a/app/templates/views/templates/choose.html
+++ b/app/templates/views/templates/choose.html
@@ -57,7 +57,7 @@
 show_fallback_page_title=not current_service.all_template_folders
 ) }}
- {% if current_user.has_permissions('manage_templates') and current_template_folder_id %}
+ {% if current_user.has_permissions('manage_templates') and current_template_folder_id and user_has_template_folder_permission %}
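Review bot: The new `or not user_has_template_permission` condition makes `_template.html` depend on a context variable that, within this diff, only `view_template`, `delete_service_template` and `confirm_redact_template` supply; any other view that renders this partial will see Jinja's Undefined, which is falsy under the default Undefined (links silently hidden, i.e. fail-closed) but raises under StrictUndefined. Which views include the partial is not visible here, so either audit them or make the dependency explicit at the top of the partial, e.g. `{% set user_has_template_permission = user_has_template_permission|default(false) %}`, which keeps the fail-closed behaviour while documenting the contract. The surrounding markup appears with tags stripped in this listing, so the enclosing block's edges cannot be checked.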

Manage
@@ -72,7 +72,7 @@
 {{ live_search(target_selector='#template-list .template-list-item', show=show_search_box, form=search_form) }}
- {% if current_user.has_permissions('manage_templates') %}
+ {% if current_user.has_permissions('manage_templates') and user_has_template_folder_permission %}
 {% call form_wrapper(
 class='sticky-scroll-area',
 module='template-folder-form',
diff --git a/app/templates/views/templates/template.html b/app/templates/views/templates/template.html
index 8aabb6eae..00ace816e 100644
--- a/app/templates/views/templates/template.html
+++ b/app/templates/views/templates/template.html
@@ -64,7 +64,7 @@
 
{% endif %} - {% if current_user.has_permissions('manage_templates') %} + {% if current_user.has_permissions('manage_templates') and user_has_template_permission %} {% if not template._template.archived %} Delete this template