Merge pull request #1352 from alphagov/fix-permission

Fix permissions for sending one off notifications.
This commit is contained in:
Rebecca Law
2017-07-03 17:41:04 +01:00
committed by GitHub
3 changed files with 73 additions and 3 deletions

View File

@@ -591,7 +591,7 @@ def get_back_link(service_id, template_id, step_index):
@main.route("/services/<service_id>/template/<template_id>/notification/check", methods=['GET'])
@login_required
@user_has_permissions('manage_templates')
@user_has_permissions('send_texts', 'send_emails', 'send_letters')
def check_notification(service_id, template_id):
return _check_notification(service_id, template_id)
@@ -648,7 +648,7 @@ def get_template_error_dict(exception):
@main.route("/services/<service_id>/template/<template_id>/notification/check", methods=['POST'])
@login_required
@user_has_permissions('manage_templates')
@user_has_permissions('send_texts', 'send_emails', 'send_letters')
def send_notification(service_id, template_id):
if {'recipient', 'placeholders'} - set(session.keys()):
return redirect(url_for(

View File

@@ -353,3 +353,38 @@ def validate_route_permission(mocker,
print(resp.status_code)
pytest.fail("Invalid permissions set for endpoint {}".format(route))
return resp
def validate_route_permission_with_client(mocker,
client,
method,
response_code,
route,
permissions,
usr,
service):
usr._permissions[str(service['id'])] = permissions
mocker.patch(
'app.user_api_client.check_verify_code',
return_value=(True, ''))
mocker.patch(
'app.service_api_client.get_services',
return_value={'data': []})
mocker.patch('app.service_api_client.update_service', return_value=service)
mocker.patch('app.service_api_client.update_service_with_properties', return_value=service)
mocker.patch('app.user_api_client.get_user', return_value=usr)
mocker.patch('app.user_api_client.get_user_by_email', return_value=usr)
mocker.patch('app.service_api_client.get_service', return_value={'data': service})
mocker.patch('app.user_api_client.get_users_for_service', return_value=[usr])
client.login(usr)
resp = None
if method == 'GET':
resp = client.get(route)
elif method == 'POST':
resp = client.post(route)
else:
pytest.fail("Invalid method call {}".format(method))
if resp.status_code != response_code:
print(resp.status_code)
pytest.fail("Invalid permissions set for endpoint {}".format(route))
return resp

View File

@@ -14,7 +14,7 @@ from notifications_python_client.errors import HTTPError
from notifications_utils.template import LetterPreviewTemplate, LetterImageTemplate
from notifications_utils.recipients import RecipientCSV
from tests import validate_route_permission
from tests import validate_route_permission, validate_route_permission_with_client
from tests.app.test_utils import normalize_spaces
from tests.conftest import (
mock_get_service_template,
@@ -1238,6 +1238,41 @@ def test_route_permissions(
service_one)
@pytest.mark.parametrize('route, response_code, method', [
('main.check_notification', 200, 'GET'),
('main.send_notification', 302, 'POST')
])
def test_route_permissions_send_check_notifications(
mocker,
app_,
client,
api_user_active,
service_one,
mock_send_notification,
mock_get_service_template,
fake_uuid,
route,
response_code,
method
):
with client.session_transaction() as session:
session['recipient'] = '07700900001'
session['placeholders'] = {'name': 'a'}
validate_route_permission_with_client(
mocker,
client,
method,
response_code,
url_for(
route,
service_id=service_one['id'],
template_id=fake_uuid
),
['send_texts', 'send_emails', 'send_letters'],
api_user_active,
service_one)
@pytest.mark.parametrize('route', [
'main.choose_template',
'main.send_messages',