From 3f6930d1767c9f0f9f4faec8e94d0afc0a6401e2 Mon Sep 17 00:00:00 2001 From: Rebecca Law Date: Mon, 3 Jul 2017 16:39:57 +0100 Subject: [PATCH 1/2] Fix permissions for sending one off notifications. --- app/main/views/send.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/main/views/send.py b/app/main/views/send.py index 9c8060d31..39c6effe1 100644 --- a/app/main/views/send.py +++ b/app/main/views/send.py @@ -591,7 +591,7 @@ def get_back_link(service_id, template_id, step_index): @main.route("/services//template//notification/check", methods=['GET']) @login_required -@user_has_permissions('manage_templates') +@user_has_permissions('send_texts', 'send_emails', 'send_letters') def check_notification(service_id, template_id): return _check_notification(service_id, template_id) @@ -648,7 +648,7 @@ def get_template_error_dict(exception): @main.route("/services//template//notification/check", methods=['POST']) @login_required -@user_has_permissions('manage_templates') +@user_has_permissions('send_texts', 'send_emails', 'send_letters') def send_notification(service_id, template_id): if {'recipient', 'placeholders'} - set(session.keys()): return redirect(url_for( From fb256b4147f7678555c879c379644a594ff2dc59 Mon Sep 17 00:00:00 2001 From: Rebecca Law Date: Mon, 3 Jul 2017 17:21:44 +0100 Subject: [PATCH 2/2] Add unit test --- tests/__init__.py | 35 +++++++++++++++++++++++++++++ tests/app/main/views/test_send.py | 37 ++++++++++++++++++++++++++++++- 2 files changed, 71 insertions(+), 1 deletion(-) diff --git a/tests/__init__.py b/tests/__init__.py index 0864c373f..33a46087d 100644 --- a/tests/__init__.py +++ b/tests/__init__.py @@ -353,3 +353,38 @@ def validate_route_permission(mocker, print(resp.status_code) pytest.fail("Invalid permissions set for endpoint {}".format(route)) return resp + + +def validate_route_permission_with_client(mocker, + client, + method, + response_code, + route, + permissions, + usr, + service): + usr._permissions[str(service['id'])] = permissions + mocker.patch( + 'app.user_api_client.check_verify_code', + return_value=(True, '')) + mocker.patch( + 'app.service_api_client.get_services', + return_value={'data': []}) + mocker.patch('app.service_api_client.update_service', return_value=service) + mocker.patch('app.service_api_client.update_service_with_properties', return_value=service) + mocker.patch('app.user_api_client.get_user', return_value=usr) + mocker.patch('app.user_api_client.get_user_by_email', return_value=usr) + mocker.patch('app.service_api_client.get_service', return_value={'data': service}) + mocker.patch('app.user_api_client.get_users_for_service', return_value=[usr]) + client.login(usr) + resp = None + if method == 'GET': + resp = client.get(route) + elif method == 'POST': + resp = client.post(route) + else: + pytest.fail("Invalid method call {}".format(method)) + if resp.status_code != response_code: + print(resp.status_code) + pytest.fail("Invalid permissions set for endpoint {}".format(route)) + return resp diff --git a/tests/app/main/views/test_send.py b/tests/app/main/views/test_send.py index 4ba74c179..7cd082d44 100644 --- a/tests/app/main/views/test_send.py +++ b/tests/app/main/views/test_send.py @@ -14,7 +14,7 @@ from notifications_python_client.errors import HTTPError from notifications_utils.template import LetterPreviewTemplate, LetterImageTemplate from notifications_utils.recipients import RecipientCSV -from tests import validate_route_permission +from tests import validate_route_permission, validate_route_permission_with_client from tests.app.test_utils import normalize_spaces from tests.conftest import ( mock_get_service_template, @@ -1238,6 +1238,41 @@ def test_route_permissions( service_one) +@pytest.mark.parametrize('route, response_code, method', [ + ('main.check_notification', 200, 'GET'), + ('main.send_notification', 302, 'POST') +]) +def test_route_permissions_send_check_notifications( + mocker, + app_, + client, + api_user_active, + service_one, + mock_send_notification, + mock_get_service_template, + fake_uuid, + route, + response_code, + method +): + with client.session_transaction() as session: + session['recipient'] = '07700900001' + session['placeholders'] = {'name': 'a'} + validate_route_permission_with_client( + mocker, + client, + method, + response_code, + url_for( + route, + service_id=service_one['id'], + template_id=fake_uuid + ), + ['send_texts', 'send_emails', 'send_letters'], + api_user_active, + service_one) + + @pytest.mark.parametrize('route', [ 'main.choose_template', 'main.send_messages',