Merge pull request #3502 from alphagov/serivce-permission-decorator

Add service permission decorator
2026-05-28 09:59:59 -04:00 · 2020-07-03 14:31:15 +01:00
parent bad1e69cc3 dd2b737d24
commit 9ff7b85d04
3 changed files with 18 additions and 3 deletions
--- a/app/main/views/dashboard.py
+++ b/app/main/views/dashboard.py
@@ -33,6 +33,7 @@ from app.utils import (
    generate_next_dict,
    generate_previous_dict,
    get_current_financial_year,
+    service_has_permission,
    user_has_permissions,
 )

@@ -170,6 +171,7 @@ def monthly(service_id):

@main.route("/services/<uuid:service_id>/inbox")
@user_has_permissions('view_activity')
+@service_has_permission('inbound_sms')
 def inbox(service_id):

    return render_template(
@@ -181,6 +183,7 @@ def inbox(service_id):

@main.route("/services/<uuid:service_id>/inbox.json")
@user_has_permissions('view_activity')
+@service_has_permission('inbound_sms')
 def inbox_updates(service_id):

    return jsonify(get_inbox_partials(service_id))
@@ -212,9 +215,6 @@ def inbox_download(service_id):

 def get_inbox_partials(service_id):
    page = int(request.args.get('page', 1))
-    if not current_service.has_permission('inbound_sms'):
-        abort(403)
-
    inbound_messages_data = service_api_client.get_most_recent_inbound_sms(service_id, page=page)
    inbound_messages = inbound_messages_data['data']
    if not inbound_messages:
--- a/app/utils.py
+++ b/app/utils.py
@@ -82,6 +82,20 @@ def user_has_permissions(*permissions, **permission_kwargs):
    return wrap


+def service_has_permission(permission):
+
+    from app import current_service
+
+    def wrap(func):
+        @wraps(func)
+        def wrap_func(*args, **kwargs):
+            if not current_service or not current_service.has_permission(permission):
+                abort(403)
+            return func(*args, **kwargs)
+        return wrap_func
+    return wrap
+
+
 def user_is_gov_user(f):
    @wraps(f)
    def wrapped(*args, **kwargs):
--- a/tests/app/main/views/test_dashboard.py
+++ b/tests/app/main/views/test_dashboard.py
@@ -396,6 +396,7 @@ def test_view_inbox_updates(
    mocker,
    mock_get_most_recent_inbound_sms_with_no_messages,
 ):
+    service_one['permissions'] += ['inbound_sms']

    mock_get_partials = mocker.patch(
        'app.main.views.dashboard.get_inbox_partials',