Merge pull request #325 from alphagov/view_only_team_members

View only team members
2026-02-05 02:42:26 -05:00 · 2016-03-22 15:53:02 +00:00
parent 0449a0bd4b 42eac5c359
commit bb168c5e8d
5 changed files with 38 additions and 9 deletions
--- a/app/main/views/manage_users.py
+++ b/app/main/views/manage_users.py
@@ -24,7 +24,6 @@ from app.utils import user_has_permissions

@main.route("/services/<service_id>/users")
@login_required
-@user_has_permissions('manage_users', admin_override=True)
 def manage_users(service_id):
    users = user_api_client.get_users_for_service(service_id=service_id)
    invited_users = invite_api_client.get_invites_for_service(service_id=service_id)
--- a/app/templates/main_nav.html
+++ b/app/templates/main_nav.html
@@ -21,6 +21,10 @@
    <li><a href="{{ url_for('.manage_users', service_id=service_id) }}">Manage team</a></li>
    <li><a href="{{ url_for('.service_settings', service_id=service_id) }}">Manage settings</a></li>
  </ul>
+  {% else %}
+  <ul>
+    <li><a href="{{ url_for('.manage_users', service_id=service_id) }}">View team members</a></li>
+  </ul>
  {% endif %}
  {% if current_user.has_permissions(['manage_api_keys', 'access_developer_docs']) %}
  <ul>
--- a/app/templates/views/manage-users.html
+++ b/app/templates/views/manage-users.html
@@ -19,12 +19,18 @@ Manage users – GOV.UK Notify
  <div class="grid-row">
    <div class="column-two-thirds">
      <h1 class="heading-large">
-        Manage team
+        {% if current_user.has_permissions(['manage_users']) %}
+          Manage team
+        {% else %}
+          View team members
+        {% endif %}
      </h1>
    </div>
-    <div class="column-one-third">
-      <a href="{{ url_for('.invite_user', service_id=service_id) }}" class="button align-with-heading">Invite team member</a>
-    </div>
+    {% if current_user.has_permissions(['manage_users']) %}
+      <div class="column-one-third">
+        <a href="{{ url_for('.invite_user', service_id=service_id) }}" class="button align-with-heading">Invite team member</a>
+      </div>
+    {% endif %}
  </div>

  {% call(item) list_table(
@@ -37,8 +43,10 @@ Manage users – GOV.UK Notify
    {{ boolean_field(item.has_permissions(permissions=['manage_users', 'manage_templates', 'manage_settings'])) }}
    {{ boolean_field(item.has_permissions(permissions=['manage_api_keys', 'access_developer_docs'])) }}
    {% call field(align='right') %}
-      {% if current_user.id != item.id %}
-        <a href="{{ url_for('.edit_user_permissions', service_id=service_id, user_id=item.id)}}">Edit permission</a>
+      {% if current_user.has_permissions(['manage_users']) %}
+        {% if current_user.id != item.id %}
+          <a href="{{ url_for('.edit_user_permissions', service_id=service_id, user_id=item.id)}}">Edit permission</a>
+        {% endif %}
      {% endif %}
    {% endcall %}
  {% endcall %}
--- a/tests/app/main/views/test_dashboard.py
+++ b/tests/app/main/views/test_dashboard.py
@@ -57,7 +57,7 @@ def test_menu_send_messages(mocker, app_, api_user_active, service_one, mock_get
            service_id=service_one['id'],
            template_type='sms')in page

-        assert url_for('main.manage_users', service_id=service_one['id']) not in page
+        assert url_for('main.manage_users', service_id=service_one['id']) in page
        assert url_for('main.service_settings', service_id=service_one['id']) not in page

        assert url_for('main.api_keys', service_id=service_one['id']) not in page
@@ -108,7 +108,7 @@ def test_menu_manage_api_keys(mocker, app_, api_user_active, service_one, mock_g
            service_id=service_one['id'],
            template_type='sms') in page

-        assert url_for('main.manage_users', service_id=service_one['id']) not in page
+        assert url_for('main.manage_users', service_id=service_one['id']) in page
        assert url_for('main.service_settings', service_id=service_one['id']) not in page
        assert url_for('main.show_all_services') not in page

--- a/tests/app/main/views/test_manage_users.py
+++ b/tests/app/main/views/test_manage_users.py
@@ -278,3 +278,21 @@ def test_user_cant_invite_themselves(
        assert page.h1.string.strip() == 'Invite a team member'
        form_error = page.find('span', class_='error-message').string.strip()
        assert form_error == "You can't send an invitation to yourself"
+
+
+def test_no_permission_manage_users_page(app_,
+                                         service_one,
+                                         api_user_active,
+                                         mock_login,
+                                         mock_get_user,
+                                         mock_get_service,
+                                         mock_get_users_by_service,
+                                         mock_get_invites_for_service):
+    with app_.test_request_context():
+        with app_.test_client() as client:
+            client.login(api_user_active)
+            response = client.get(url_for('main.manage_users', service_id=service_one['id']))
+            resp_text = response.get_data(as_text=True)
+            assert url_for('.invite_user', service_id=service_one['id']) not in resp_text
+            assert "Edit permission" not in resp_text
+            assert "Manage team" not in resp_text