From 94c4151640e3306ae878725456b09d045c323253 Mon Sep 17 00:00:00 2001
From: Pea Tyczynska
Date: Thu, 21 Feb 2019 13:03:06 +0000
Subject: [PATCH] Edit user permissions page shows redacted phone number and Change link
Also make plan for story development
---
app/main/views/manage_users.py | 16 +++++--
app/navigation.py | 4 ++
.../views/edit-user-permissions.html | 6 ++-
.../views/manage-users/permissions.html | 2 +-
app/utils.py | 14 ++++--
tests/app/main/views/test_manage_users.py | 48 +++++++++++++++++++
6 files changed, 82 insertions(+), 8 deletions(-)
diff --git a/app/main/views/manage_users.py b/app/main/views/manage_users.py
index ada8dcb16..c0b85ab99 100644
--- a/app/main/views/manage_users.py
+++ b/app/main/views/manage_users.py
@@ -24,7 +24,7 @@ from app.main.forms import (
SearchUsersForm,
)
from app.models.user import permissions
-from app.utils import user_has_permissions
+from app.utils import redact_mobile_number, user_has_permissions
@main.route("/services//users")
@@ -78,7 +78,10 @@ def invite_user(service_id):
def edit_user_permissions(service_id, user_id):
service_has_email_auth = current_service.has_permission('email_auth')
user = current_service.get_team_member(user_id)
- user_has_no_mobile_number = user.mobile_number is None
+
+ mobile_number = None
+ if user.mobile_number:
+ mobile_number = redact_mobile_number(user.mobile_number)
form = PermissionsForm.from_user(user, service_id)
@@ -96,7 +99,7 @@ def edit_user_permissions(service_id, user_id):
user=user,
form=form,
service_has_email_auth=service_has_email_auth,
- user_has_no_mobile_number=user_has_no_mobile_number
+ mobile_number=mobile_number
)
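Review bot: The render call in the last hunk still passes the full `user` object (`user=user`), so the raw `user.mobile_number` remains reachable from `edit-user-permissions.html` and the redaction behind `mobile_number=mobile_number` holds only as long as no template renders the attribute directly. A comment at the new `mobile_number = None` assignment would make the intent explicit, e.g. `# Redacted for display only; templates must not render user.mobile_number`, and a test asserting that the unmasked middle digits are absent from the page would pin it. The body of `edit_user_permissions` between the two hunks is not shown, so whether anything else exposes the number cannot be checked here.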
@@ -200,6 +203,13 @@ def confirm_edit_user_email(service_id, user_id):
)
+@main.route("/services//users//edit-phone-number", methods=['GET', 'POST'])
+@login_required
+@user_has_permissions('manage_service')
+def edit_user_phone_number(service_id, user_id):
+ return True
+
+
@main.route("/services//cancel-invited-user/", methods=['GET'])
@user_has_permissions('manage_service')
def cancel_invited_user(service_id, invited_user_id):
diff --git a/app/navigation.py b/app/navigation.py
index 125c81bc3..7def9b505 100644
--- a/app/navigation.py
+++ b/app/navigation.py
@@ -159,6 +159,7 @@ class HeaderNavigation(Navigation):
'edit_template_postage',
'edit_user_org_permissions',
'edit_user_email',
+ 'edit_user_phone_number',
'edit_user_permissions',
'email_not_received',
'email_template',
@@ -328,6 +329,7 @@ class MainNavigation(Navigation):
'team-members': {
'confirm_edit_user_email',
'edit_user_email',
+ 'edit_user_phone_number',
'edit_user_permissions',
'invite_user',
'manage_users',
@@ -609,6 +611,7 @@ class CaseworkNavigation(Navigation):
'edit_service_template',
'edit_template_postage',
'edit_user_email',
+ 'edit_user_phone_number',
'edit_user_org_permissions',
'edit_user_permissions',
'email_branding',
@@ -847,6 +850,7 @@ class OrgNavigation(Navigation):
'edit_service_template',
'edit_template_postage',
'edit_user_email',
+ 'edit_user_phone_number',
'edit_user_permissions',
'email_branding',
'email_not_received',
diff --git a/app/templates/views/edit-user-permissions.html b/app/templates/views/edit-user-permissions.html
index 4bd585d96..84b92ba27 100644
--- a/app/templates/views/edit-user-permissions.html
+++ b/app/templates/views/edit-user-permissions.html
@@ -16,7 +16,11 @@
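Review bot: `edit_user_phone_number` returns `True`, which Flask does not accept as a view response, so the Change link this commit adds leads to a server error until the view is implemented; `abort(501)` (or not registering the route and navigation entries yet) would be more honest, since the navigation sets in this same diff make the route reachable from the UI. When it is implemented, resolve the target through `current_service.get_team_member(user_id)` as `edit_user_permissions` does, so that a `manage_service` user cannot change the number of a member of a different service. Changing a teammate's mobile number appears to also redirect where their SMS sign-in codes go (`sms_auth` in permissions.html), so the confirmation step the planned test names describe should be treated as a security control rather than a nicety.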

{{ user.email_address }} Change

- + {% if mobile_number %} +

+ {{ mobile_number }} Change +

+ {% endif %}
{% call form_wrapper(class="column-three-quarters") %}
diff --git a/app/templates/views/manage-users/permissions.html b/app/templates/views/manage-users/permissions.html
index 2c3414caf..fab879e4f 100644
--- a/app/templates/views/manage-users/permissions.html
+++ b/app/templates/views/manage-users/permissions.html
@@ -15,7 +15,7 @@
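Review bot: The new `{% if mobile_number %}` guard hides the number and the Change link together, so a team member who has no mobile number cannot be given one from this page, while `permissions.html` keeps `sms_auth` disabled for exactly that case. If adding a number is meant to be possible, render the link outside the guard and wrap only the value: `{% if mobile_number %}{{ mobile_number }}{% endif %}` followed by the Change link. The markup in this hunk appears to have lost its HTML tags in extraction, so the link target and the `user_phone_number` id that the new test selects cannot be verified here.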

{% if service_has_email_auth %} - {% if user_has_no_mobile_number %} + {% if not mobile_number %} {{ radios( form.login_authentication, disable=['sms_auth'], diff --git a/app/utils.py b/app/utils.py index e9615c725..d29f21f63 100644 --- a/app/utils.py +++ b/app/utils.py @@ -650,9 +650,9 @@ def guess_name_from_email_address(email_address): def should_skip_template_page(template_type): return ( - current_user.has_permissions('send_messages') and - not current_user.has_permissions('manage_templates', 'manage_api_keys') and - template_type != 'letter' + current_user.has_permissions('send_messages') + and not current_user.has_permissions('manage_templates', 'manage_api_keys') + and template_type != 'letter' ) @@ -671,3 +671,11 @@ def printing_today_or_tomorrow(): return 'today' else: return 'tomorrow' + + +def redact_mobile_number(mobile_number): + indices = [-4, -5, -6, -7] + mobile_number_list = list(mobile_number.replace(" ", "")) + for i in indices: + mobile_number_list[i] = "*" + return "".join(mobile_number_list) diff --git a/tests/app/main/views/test_manage_users.py b/tests/app/main/views/test_manage_users.py index 11e87b737..a1244dae9 100644 --- a/tests/app/main/views/test_manage_users.py +++ b/tests/app/main/views/test_manage_users.py 
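Review bot: `redact_mobile_number` writes to positions -4 through -7 unconditionally, so any stored value shorter than seven characters after removing spaces raises IndexError and the permissions page fails with a server error; the caller in manage_users.py checks only truthiness, not length. It also leaves every character except four visible — seven digits of an eleven-digit UK number, and more for a `+44` international form — so if the leading digits are not needed for recognition, keeping only the last three would leak less of a teammate's number. A bounded-slice version is below; it produces identical output for lengths of seven or more and masks shorter values entirely instead of raising. Only spaces are stripped, so separators such as hyphens would count as characters — confirm which formats the user store accepts.
```python
def redact_mobile_number(mobile_number):
    number = mobile_number.replace(" ", "")
    # Mask the four characters before the last three; values too short to
    # carry that pattern are masked entirely rather than raising IndexError.
    if len(number) < 7:
        return "*" * len(number)
    return number[:-7] + "****" + number[-3:]
```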
@@ -1005,3 +1005,51 @@ def test_confirm_edit_user_email_doesnt_change_user_email_for_non_team_member(
user_id=USER_ONE_ID,
_expected_status=404,
)
+
+
+def test_confirm_edit_user_email_with_no_permission_aborts():
+ pass
+
+
+def test_edit_user_permissions_page_displays_redacted_phone_number_and_change_link(
+ client_request,
+ active_user_with_permissions,
+ service_one,
+ mocker
+):
+ user = active_user_with_permissions
+ mocker.patch('app.user_api_client.get_user', return_value=user)
+
+ page = client_request.get(
+ 'main.edit_user_permissions',
+ service_id=service_one['id'],
+ user_id=user.id
+ )
+
+ assert user.name in page.find('h1').text
+ phone_number_paragraph = page.select('p[id=user_phone_number]')[0]
+ assert '0770****762' in phone_number_paragraph.text
+ change_link = phone_number_paragraph.findChild()
+ assert change_link.attrs['href'] == '/services/{}/users/{}/edit-phone-number'.format(
+ service_one['id'], user.id
+ )
+
+
+def test_edit_user_phone_number_page():
+ pass
+
+
+def test_edit_user_phone_number_redirects_to_confirmation():
+ pass
+
+
+def test_confirm_edit_user_phone_number_page():
+ pass
+
+
+def test_confirm_edit_user_phone_number_changes_user_mobile_number():
+ pass
+
+
+def test_confirm_edit_user_phone_number_with_no_permission_aborts():
+ pass
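Review bot: The six placeholder tests have `pass` bodies, so they report green while checking nothing — including `test_confirm_edit_user_email_with_no_permission_aborts` and `test_confirm_edit_user_phone_number_with_no_permission_aborts`, which are the authorisation checks for these pages. Mark them `@pytest.mark.skip(reason="not implemented")` (or `@pytest.mark.xfail(strict=True)`) so the suite shows them as pending rather than passing. The assertion `'0770****762'` depends on the `active_user_with_permissions` fixture's number, which is not visible here; adding an assertion that the unmasked middle digits do not appear anywhere in `page.text` would pin the property the redaction is actually meant to provide.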