Only show inbound stuff if service has permission

Only services that have inbound SMS turned on should be able to see the dashboard and ‘Received messages’ page. There’s probably a cleaner way (decorator) of doing this permissions stuff, but I think it can wait until we ship this.
2026-04-11 21:01:06 -04:00 · 2017-06-05 14:48:24 +01:00
parent 95e613c3f9
commit 85105fd6cd
4 changed files with 69 additions and 19 deletions
--- a/app/main/views/dashboard.py
+++ b/app/main/views/dashboard.py
@@ -12,6 +12,7 @@ from flask_login import login_required

 from app.main import main
 from app import (
+    current_service,
    job_api_client,
    service_api_client,
    template_statistics_client
@@ -139,6 +140,10 @@ def monthly(service_id):
@login_required
@user_has_permissions('manage_settings', admin_override=True)
 def inbox(service_id):
+
+    if 'inbound_sms' not in current_service['permissions']:
+        abort(403)
+
    return render_template(
        'views/dashboard/inbox.html',
        messages=service_api_client.get_inbound_sms(service_id),
@@ -178,7 +183,10 @@ def get_dashboard_partials(service_id):
        ),
        'inbox': render_template(
            'views/dashboard/_inbox.html',
-            inbound_sms_summary=service_api_client.get_inbound_sms_summary(service_id),
+            inbound_sms_summary=(
+                service_api_client.get_inbound_sms_summary(service_id)
+                if 'inbound_sms' in current_service['permissions'] else None
+            ),
        ),
        'totals': render_template(
            'views/dashboard/_totals.html',
--- a/app/templates/views/dashboard/_inbox.html
+++ b/app/templates/views/dashboard/_inbox.html
@@ -1,19 +1,21 @@
 {% from "components/big-number.html" import big_number, big_number_with_status %}

 <div class="ajax-block">
-  <div class="big-number-meta-wrapper">
-    {{
-      big_number_with_status(
-        inbound_sms_summary.count,
-        'text messages received',
-        link=url_for('.inbox', service_id=current_service.id),
-        show_failures=False
-      )
-    }}
-    <div class="big-number-meta">
-      {% if inbound_sms_summary.latest_message %}
-        latest message {{ inbound_sms_summary.latest_message | format_delta }}
-      {% endif %}
+  {% if inbound_sms_summary != None %}
+    <div class="big-number-meta-wrapper">
+      {{
+        big_number_with_status(
+          inbound_sms_summary.count,
+          'text messages received',
+          link=url_for('.inbox', service_id=current_service.id),
+          show_failures=False
+        )
+      }}
+      <div class="big-number-meta">
+        {% if inbound_sms_summary.latest_message %}
+          latest message {{ inbound_sms_summary.latest_message | format_delta }}
+        {% endif %}
+      </div>
    </div>
-  </div>
+  {% endif %}
 </div>
--- a/tests/init.py
+++ b/tests/init.py
@@ -55,10 +55,12 @@ def service_json(
    branding='govuk',
    created_at=None,
    letter_contact_block=None,
-    permissions=[]
+    permissions=None,
 ):
    if users is None:
        users = []
+    if permissions is None:
+        permissions = []
    return {
        'id': id_,
        'name': name,
--- a/tests/app/main/views/test_dashboard.py
+++ b/tests/app/main/views/test_dashboard.py
@@ -79,6 +79,27 @@ def test_get_started_is_hidden_once_templates_exist(
    assert 'Get started' not in response.get_data(as_text=True)


+def test_inbound_messages_not_visible_to_service_without_permissions(
+    logged_in_client,
+    service_one,
+    mock_get_service_templates_when_no_templates_exist,
+    mock_get_jobs,
+    mock_get_detailed_service,
+    mock_get_template_statistics,
+    mock_get_usage,
+    mock_get_inbound_sms_summary,
+):
+
+    service_one['permissions'] = []
+
+    response = logged_in_client.get(url_for('main.service_dashboard', service_id=SERVICE_ONE_ID))
+    page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
+
+    assert response.status_code == 200
+    assert not page.select('.big-number-meta-wrapper')
+    assert mock_get_inbound_sms_summary.called is False
+
+
@pytest.mark.parametrize('inbound_summary_mock, expected_text', [
    (mock_get_inbound_sms_summary_with_no_messages, '0 text messages received'),
    (mock_get_inbound_sms_summary, '99 text messages received latest message just now'),
@@ -86,6 +107,7 @@ def test_get_started_is_hidden_once_templates_exist(
 def test_inbound_messages_shows_count_of_messages(
    logged_in_client,
    mocker,
+    service_one,
    mock_get_service_templates_when_no_templates_exist,
    mock_get_jobs,
    mock_get_detailed_service,
@@ -95,6 +117,7 @@ def test_inbound_messages_shows_count_of_messages(
    expected_text,
 ):

+    service_one['permissions'] = ['inbound_sms']
    inbound_summary_mock(mocker)

    response = logged_in_client.get(url_for('main.service_dashboard', service_id=SERVICE_ONE_ID))
@@ -116,7 +139,7 @@ def test_inbound_messages_shows_count_of_messages(
 ]))
 def test_inbox_showing_inbound_messages(
    logged_in_client,
-    mocker,
+    service_one,
    mock_get_service_templates_when_no_templates_exist,
    mock_get_jobs,
    mock_get_detailed_service,
@@ -127,6 +150,8 @@ def test_inbox_showing_inbound_messages(
    expected_row,
 ):

+    service_one['permissions'] = ['inbound_sms']
+
    response = logged_in_client.get(url_for('main.inbox', service_id=SERVICE_ONE_ID))
    page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')

@@ -138,7 +163,7 @@ def test_inbox_showing_inbound_messages(

 def test_empty_inbox(
    logged_in_client,
-    mocker,
+    service_one,
    mock_get_service_templates_when_no_templates_exist,
    mock_get_jobs,
    mock_get_detailed_service,
@@ -147,6 +172,8 @@ def test_empty_inbox(
    mock_get_inbound_sms_with_no_messages,
 ):

+    service_one['permissions'] = ['inbound_sms']
+
    response = logged_in_client.get(url_for('main.inbox', service_id=SERVICE_ONE_ID))
    page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')

@@ -156,6 +183,16 @@ def test_empty_inbox(
    )


+def test_inbox_not_accessible_to_service_without_permissions(
+    logged_in_client,
+    service_one,
+):
+    service_one['permissions'] = []
+    response = logged_in_client.get(url_for('main.inbox', service_id=SERVICE_ONE_ID))
+
+    assert response.status_code == 403
+
+
 def test_should_show_recent_templates_on_dashboard(
    logged_in_client,
    mocker,
@@ -759,11 +796,12 @@ def test_should_show_all_jobs_with_valid_statuses(
    logged_in_client,
    mock_get_template_statistics,
    mock_get_detailed_service,
+    mock_get_service_templates_when_no_templates_exist,
    mock_get_jobs,
    mock_get_usage,
    mock_get_inbound_sms_summary,
 ):
-    get_dashboard_partials(service_id=SERVICE_ONE_ID)
+    logged_in_client.get(url_for('main.service_dashboard', service_id=SERVICE_ONE_ID))

    first_call = mock_get_jobs.call_args_list[0]
    # first call - scheduled jobs only