Merge pull request #2665 from alphagov/fix-showing-name-of-service-you-dont-belong-to

Hide ‘back to …’ link if it’s not your service
2026-05-05 16:38:59 -04:00 · 2019-01-16 11:35:53 +00:00
parent 72c60ea9a4 558ae87baa
commit 94cb5429e6
4 changed files with 57 additions and 3 deletions
--- a/app/models/user.py
+++ b/app/models/user.py
@@ -151,8 +151,11 @@ class User(UserMixin):
    def has_permission_for_service(self, service_id, permission):
        return permission in self._permissions.get(service_id, [])

+    def belongs_to_service(self, service_id):
+        return str(service_id) in self.services
+
    def belongs_to_service_or_403(self, service_id):
-        if str(service_id) not in self.services:
+        if not self.belongs_to_service(service_id):
            abort(403)

    def is_locked(self):
--- a/app/templates/withoutnav_template.html
+++ b/app/templates/withoutnav_template.html
@@ -2,7 +2,7 @@

 {% block fullwidth_content %}
  <div id="content">
-    {% if current_service and current_user.is_authenticated %}
+    {% if current_service and current_user.is_authenticated and current_user.belongs_to_service(current_service.id) %}
    <div class="navigation-service">
      <a href="{{ url_for('main.show_accounts_or_dashboard') }}">Back to {{ current_service.name }}</a>
    </div>