From 84762edef48164531249f421a9fa3b838d1e0d97 Mon Sep 17 00:00:00 2001 From: Imdad Ahad Date: Tue, 25 Oct 2016 18:11:37 +0100 Subject: [PATCH] Abort 403 if nonwhitelist user tries to add service --- app/main/views/add_service.py | 31 ++++++++++++++++++------ tests/app/main/views/test_add_service.py | 8 ++++++ 2 files changed, 31 insertions(+), 8 deletions(-) diff --git a/app/main/views/add_service.py b/app/main/views/add_service.py index 7fa36a05d..7cc588e54 100644 --- a/app/main/views/add_service.py +++ b/app/main/views/add_service.py @@ -1,11 +1,19 @@ +import re + from flask import ( render_template, redirect, session, url_for, - current_app) + current_app +) -from flask_login import login_required +from flask_login import ( + current_user, + login_required +) + +from werkzeug.exceptions import abort from app.main import main from app.main.forms import AddServiceForm @@ -16,7 +24,11 @@ from app import ( user_api_client, service_api_client ) -from app.utils import email_safe + +from app.utils import ( + email_safe, + user_in_whitelist +) @main.route("/add-service", methods=['GET', 'POST']) @@ -61,8 +73,11 @@ def add_service(): help=1 )) else: - return render_template( - 'views/add-service.html', - form=form, - heading=heading - ) + if not user_in_whitelist(current_user.email_address): + abort(403) + else: + return render_template( + 'views/add-service.html', + form=form, + heading=heading + ) diff --git a/tests/app/main/views/test_add_service.py b/tests/app/main/views/test_add_service.py index 564181830..6743febf3 100644 --- a/tests/app/main/views/test_add_service.py +++ b/tests/app/main/views/test_add_service.py @@ -1,6 +1,7 @@ from flask import url_for, session from unittest.mock import ANY import app +from app.utils import user_in_whitelist def test_get_should_render_add_service_template(app_, @@ -101,3 +102,10 @@ def test_should_return_form_errors_with_duplicate_service_name_regardless_of_cas assert 'This service name is already in use' in response.get_data(as_text=True) app.service_api_client.find_all_service_email_from.assert_called_once_with() assert not mock_create_service.called + + +def test_non_whitelist_user_cannot_add_service(app_, nonwhitelist_user, mocker, client): + client.login(nonwhitelist_user, mocker) + assert not user_in_whitelist(nonwhitelist_user.email_address) + response = client.get(url_for('main.add_service')) + assert response.status_code == 403