From a482fac02a3af10d66fa24ad9b2bd537934b66e9 Mon Sep 17 00:00:00 2001
From: Nicholas Staples <nicholas.staples@solution-tribute.com>
Date: Mon, 21 Mar 2016 15:25:19 +0000
Subject: [PATCH] Manage team, now has a view only version of the page which
 requires no permissions.

---
 app/main/views/manage_users.py            |  1 -
 app/templates/main_nav.html               |  4 ++++
 app/templates/views/manage-users.html     | 20 ++++++++++++++------
 tests/app/main/views/test_dashboard.py    |  4 ++--
 tests/app/main/views/test_manage_users.py | 18 ++++++++++++++++++
 5 files changed, 38 insertions(+), 9 deletions(-)

diff --git a/app/main/views/manage_users.py b/app/main/views/manage_users.py
index e42fbb9f5..f80f4776b 100644
--- a/app/main/views/manage_users.py
+++ b/app/main/views/manage_users.py
@@ -24,7 +24,6 @@ from app.utils import user_has_permissions
 
 @main.route("/services/<service_id>/users")
 @login_required
-@user_has_permissions('manage_users', 'manage_templates', 'manage_settings')
 def manage_users(service_id):
     users = user_api_client.get_users_for_service(service_id=service_id)
     invited_users = invite_api_client.get_invites_for_service(service_id=service_id)
diff --git a/app/templates/main_nav.html b/app/templates/main_nav.html
index 03b0e87fc..851ca51b3 100644
--- a/app/templates/main_nav.html
+++ b/app/templates/main_nav.html
@@ -18,6 +18,10 @@
     <li><a href="{{ url_for('.manage_users', service_id=service_id) }}">Manage team</a></li>
     <li><a href="{{ url_for('.service_settings', service_id=service_id) }}">Manage settings</a></li>
   </ul>
+  {% else %}
+  <ul>
+    <li><a href="{{ url_for('.manage_users', service_id=service_id) }}">Team members</a></li>
+  </ul>
   {% endif %}
   {% if current_user.has_permissions(['manage_api_keys', 'access_developer_docs']) %}
   <ul>
diff --git a/app/templates/views/manage-users.html b/app/templates/views/manage-users.html
index e0f7fe1a5..9aaa7df67 100644
--- a/app/templates/views/manage-users.html
+++ b/app/templates/views/manage-users.html
@@ -19,12 +19,18 @@ Manage users – GOV.UK Notify
   <div class="grid-row">
     <div class="column-two-thirds">
       <h1 class="heading-large">
-        Manage team
+        {% if current_user.has_permissions(['manage_users']) %}
+          Manage team
+        {% else %}
+          Team members
+        {% endif %}
       </h1>
     </div>
-    <div class="column-one-third">
-      <a href="{{ url_for('.invite_user', service_id=service_id) }}" class="button align-with-heading">Invite team member</a>
-    </div>
+    {% if current_user.has_permissions(['manage_users']) %}
+      <div class="column-one-third">
+        <a href="{{ url_for('.invite_user', service_id=service_id) }}" class="button align-with-heading">Invite team member</a>
+      </div>
+    {% endif %}
   </div>
 
   {% call(item) list_table(
@@ -37,8 +43,10 @@ Manage users – GOV.UK Notify
     {{ boolean_field(item.has_permissions(['manage_users', 'manage_templates', 'manage_settings'], service_id=service_id)) }}
     {{ boolean_field(item.has_permissions(['manage_api_keys', 'access_developer_docs'], service_id=service_id)) }}
     {% call field(align='right') %}
-      {% if current_user.id != item.id %}
-        <a href="{{ url_for('.edit_user_permissions', service_id=service_id, user_id=item.id)}}">Edit permission</a>
+      {% if current_user.has_permissions(['manage_users']) %}
+        {% if current_user.id != item.id %}
+          <a href="{{ url_for('.edit_user_permissions', service_id=service_id, user_id=item.id)}}">Edit permission</a>
+        {% endif %}
       {% endif %}
     {% endcall %}
   {% endcall %}
diff --git a/tests/app/main/views/test_dashboard.py b/tests/app/main/views/test_dashboard.py
index 9fc3df630..76bc2efe1 100644
--- a/tests/app/main/views/test_dashboard.py
+++ b/tests/app/main/views/test_dashboard.py
@@ -58,7 +58,7 @@ def test_menu_send_messages(mocker, app_, api_user_active, service_one, mock_get
             service_id=service_one['id'],
             template_type='sms')in page
 
-        assert url_for('main.manage_users', service_id=service_one['id']) not in page
+        assert url_for('main.manage_users', service_id=service_one['id']) in page
         assert url_for('main.service_settings', service_id=service_one['id']) not in page
 
         assert url_for('main.api_keys', service_id=service_one['id']) not in page
@@ -106,7 +106,7 @@ def test_menu_manage_api_keys(mocker, app_, api_user_active, service_one, mock_g
             service_id=service_one['id'],
             template_type='sms') in page
 
-        assert url_for('main.manage_users', service_id=service_one['id']) not in page
+        assert url_for('main.manage_users', service_id=service_one['id']) in page
         assert url_for('main.service_settings', service_id=service_one['id']) not in page
 
         assert url_for('main.api_keys', service_id=service_one['id']) in page
diff --git a/tests/app/main/views/test_manage_users.py b/tests/app/main/views/test_manage_users.py
index d0ed7e571..a649861ae 100644
--- a/tests/app/main/views/test_manage_users.py
+++ b/tests/app/main/views/test_manage_users.py
@@ -280,3 +280,21 @@ def test_user_cant_invite_themselves(
         assert page.h1.string.strip() == 'Invite a team member'
         form_error = page.find('span', class_='error-message').string.strip()
         assert form_error == "You can't send an invitation to yourself"
+
+
+def test_no_permission_manage_users_page(app_,
+                                         service_one,
+                                         api_user_active,
+                                         mock_login,
+                                         mock_get_user,
+                                         mock_get_service,
+                                         mock_get_users_by_service,
+                                         mock_get_invites_for_service):
+    with app_.test_request_context():
+        with app_.test_client() as client:
+            client.login(api_user_active)
+            response = client.get(url_for('main.manage_users', service_id=service_one['id']))
+            resp_text = response.get_data(as_text=True)
+            assert url_for('.invite_user', service_id=service_one['id']) not in resp_text
+            assert "Edit permission" not in resp_text
+            assert "Manage team" not in resp_text