mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-07-13 09:50:08 -04:00
Abort 403 if nonwhitelist user tries to add service
This commit is contained in:
@@ -1,11 +1,19 @@
|
||||
import re
|
||||
|
||||
from flask import (
|
||||
render_template,
|
||||
redirect,
|
||||
session,
|
||||
url_for,
|
||||
current_app)
|
||||
current_app
|
||||
)
|
||||
|
||||
from flask_login import login_required
|
||||
from flask_login import (
|
||||
current_user,
|
||||
login_required
|
||||
)
|
||||
|
||||
from werkzeug.exceptions import abort
|
||||
|
||||
from app.main import main
|
||||
from app.main.forms import AddServiceForm
|
||||
@@ -16,7 +24,11 @@ from app import (
|
||||
user_api_client,
|
||||
service_api_client
|
||||
)
|
||||
from app.utils import email_safe
|
||||
|
||||
from app.utils import (
|
||||
email_safe,
|
||||
user_in_whitelist
|
||||
)
|
||||
|
||||
|
||||
@main.route("/add-service", methods=['GET', 'POST'])
|
||||
@@ -61,8 +73,11 @@ def add_service():
|
||||
help=1
|
||||
))
|
||||
else:
|
||||
return render_template(
|
||||
'views/add-service.html',
|
||||
form=form,
|
||||
heading=heading
|
||||
)
|
||||
if not user_in_whitelist(current_user.email_address):
|
||||
abort(403)
|
||||
else:
|
||||
return render_template(
|
||||
'views/add-service.html',
|
||||
form=form,
|
||||
heading=heading
|
||||
)
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
from flask import url_for, session
|
||||
from unittest.mock import ANY
|
||||
import app
|
||||
from app.utils import user_in_whitelist
|
||||
|
||||
|
||||
def test_get_should_render_add_service_template(app_,
|
||||
@@ -101,3 +102,10 @@ def test_should_return_form_errors_with_duplicate_service_name_regardless_of_cas
|
||||
assert 'This service name is already in use' in response.get_data(as_text=True)
|
||||
app.service_api_client.find_all_service_email_from.assert_called_once_with()
|
||||
assert not mock_create_service.called
|
||||
|
||||
|
||||
def test_non_whitelist_user_cannot_add_service(app_, nonwhitelist_user, mocker, client):
|
||||
client.login(nonwhitelist_user, mocker)
|
||||
assert not user_in_whitelist(nonwhitelist_user.email_address)
|
||||
response = client.get(url_for('main.add_service'))
|
||||
assert response.status_code == 403
|
||||
|
||||
Reference in New Issue
Block a user