Merge pull request #3557 from alphagov/view-only-broadcast-page

Let users without `send_messages` view broadcasts
2026-02-25 12:51:05 -05:00 · 2020-08-12 15:16:39 +01:00
parent 0b206e3c0f e47dbc0caa
commit 781847d32c
3 changed files with 113 additions and 3 deletions
--- a/app/main/views/broadcast.py
+++ b/app/main/views/broadcast.py
@@ -228,7 +228,7 @@ def preview_broadcast_message(service_id, broadcast_message_id):


@main.route('/services/<uuid:service_id>/broadcast/<uuid:broadcast_message_id>')
-@user_has_permissions('send_messages')
+@user_has_permissions()
@service_has_permission('broadcast')
 def view_broadcast_message(service_id, broadcast_message_id):
    broadcast_message = BroadcastMessage.from_id(
--- a/app/templates/views/broadcast/view-message.html
+++ b/app/templates/views/broadcast/view-message.html
@@ -18,7 +18,7 @@
  ) }}

  {% if broadcast_message.status == 'pending-approval' %}
-    {% if broadcast_message.created_by == current_user %}
+    {% if broadcast_message.created_by == current_user and current_user.has_permissions('send_messages') %}
      <div class="banner govuk-!-margin-bottom-6">
        <h2 class="govuk-heading-s govuk-!-margin-bottom-3">Your broadcast is waiting for approval from another member of your team</h2>
        <p class="govuk-body">Once approved it will be live until
@@ -29,7 +29,7 @@
          delete_link_text='Withdraw this broadcast'
        ) }}
      </div>
-    {% else %}
+    {% elif current_user.has_permissions('send_messages') %}
      {% call form_wrapper(class="banner govuk-!-margin-bottom-6") %}
        <p class="govuk-body govuk-!-margin-top-0 govuk-!-margin-bottom-3">
          {{ broadcast_message.created_by.name }} wants to broadcast this
@@ -41,6 +41,13 @@
          delete_link_text='Reject this broadcast'
        ) }}
      {% endcall %}
+    {% else %}
+      <div class="banner govuk-!-margin-bottom-6">
+        <h2 class="govuk-heading-s govuk-!-margin-bottom-3">This broadcast is waiting for approval</h2>
+        <p class="govuk-body">
+          You don’t have permission to approve broadcasts.
+        </p>
+      </div>
    {% endif %}
  {% else %}
    <p class="govuk-body govuk-!-margin-bottom-3">
--- a/tests/app/main/views/test_broadcast.py
+++ b/tests/app/main/views/test_broadcast.py
@@ -76,6 +76,63 @@ def test_broadcast_pages_403_without_permission(
    )


+@pytest.mark.parametrize('endpoint, extra_args, expected_get_status, expected_post_status', (
+    (
+        '.broadcast',
+        {'template_id': sample_uuid},
+        403, 405,
+    ),
+    (
+        '.preview_broadcast_areas', {'broadcast_message_id': sample_uuid},
+        403, 405,
+    ),
+    (
+        '.choose_broadcast_library', {'broadcast_message_id': sample_uuid},
+        403, 405,
+    ),
+    (
+        '.choose_broadcast_area', {'broadcast_message_id': sample_uuid, 'library_slug': 'countries'},
+        403, 403,
+    ),
+    (
+        '.remove_broadcast_area', {'broadcast_message_id': sample_uuid, 'area_slug': 'england'},
+        403, 405,
+    ),
+    (
+        '.preview_broadcast_message', {'broadcast_message_id': sample_uuid},
+        403, 403,
+    ),
+    (
+        '.cancel_broadcast_message', {'broadcast_message_id': sample_uuid},
+        403, 403,
+    ),
+))
+def test_broadcast_pages_403_for_user_without_permission(
+    mocker,
+    client_request,
+    service_one,
+    active_user_view_permissions,
+    endpoint,
+    extra_args,
+    expected_get_status,
+    expected_post_status,
+):
+    service_one['permissions'] += ['broadcast']
+    mocker.patch('app.user_api_client.get_user', return_value=active_user_view_permissions)
+    client_request.get(
+        endpoint,
+        service_id=SERVICE_ONE_ID,
+        _expected_status=expected_get_status,
+        **extra_args
+    )
+    client_request.post(
+        endpoint,
+        service_id=SERVICE_ONE_ID,
+        _expected_status=expected_post_status,
+        **extra_args
+    )
+
+
 def test_dashboard_redirects_to_broadcast_dashboard(
    client_request,
    service_one,
@@ -95,6 +152,7 @@ def test_dashboard_redirects_to_broadcast_dashboard(
 def test_empty_broadcast_dashboard(
    client_request,
    service_one,
+    active_user_view_permissions,
    mock_get_no_broadcast_messages,
    mock_get_service_templates_when_no_templates_exist,
 ):
@@ -158,6 +216,7 @@ def test_broadcast_dashboard(
 def test_broadcast_dashboard_json(
    logged_in_client,
    service_one,
+    active_user_view_permissions,
    mock_get_broadcast_messages,
 ):
    service_one['permissions'] += ['broadcast']
@@ -783,6 +842,50 @@ def test_cant_approve_own_broadcast(
    )


+@freeze_time('2020-02-22T22:22:22.000000')
+def test_view_only_user_cant_approve_broadcast(
+    mocker,
+    client_request,
+    service_one,
+    active_user_with_permissions,
+    active_user_view_permissions,
+    mock_get_broadcast_template,
+    fake_uuid,
+):
+    mocker.patch(
+        'app.broadcast_message_api_client.get_broadcast_message',
+        return_value=broadcast_message_json(
+            id_=fake_uuid,
+            service_id=SERVICE_ONE_ID,
+            template_id=fake_uuid,
+            created_by_id=fake_uuid,
+            finishes_at='2020-02-23T23:23:23.000000',
+            status='pending-approval',
+        ),
+    )
+    mocker.patch('app.user_api_client.get_user', side_effect=[
+        active_user_view_permissions,  # Current user
+        active_user_with_permissions,  # User who created broadcast
+    ])
+    service_one['permissions'] += ['broadcast']
+
+    page = client_request.get(
+        '.view_broadcast_message',
+        service_id=SERVICE_ONE_ID,
+        broadcast_message_id=fake_uuid,
+    )
+
+    assert (
+        normalize_spaces(page.select_one('.banner').text)
+    ) == (
+        'This broadcast is waiting for approval '
+        'You don’t have permission to approve broadcasts.'
+    )
+
+    assert not page.select_one('form')
+    assert not page.select_one('.banner a')
+
+
@pytest.mark.parametrize('initial_status, expected_approval', (
    ('draft', False,),
    ('pending-approval', True),