Stop non-gov user seeing/changing email and add test

2026-03-08 04:12:30 -04:00 · 2016-10-28 11:45:05 +01:00
parent e58b63f504
commit f3a4432ed7
3 changed files with 37 additions and 2 deletions
--- a/app/main/views/user_profile.py
+++ b/app/main/views/user_profile.py
@@ -1,6 +1,7 @@
 import json

 from flask import (
+    abort,
    render_template,
    redirect,
    url_for,
@@ -21,6 +22,8 @@ from app.main.forms import (
    ConfirmPasswordForm
 )

+from app.utils import is_gov_user
+
 from app import user_api_client

 NEW_EMAIL = 'new-email'
@@ -31,7 +34,10 @@ NEW_MOBILE_PASSWORD_CONFIRMED = 'new-mob-password-confirmed'
@main.route("/user-profile")
@login_required
 def user_profile():
-    return render_template('views/user-profile.html')
+    return render_template(
+        'views/user-profile.html',
+        can_see_edit=is_gov_user(current_user.email_address)
+    )


@main.route("/user-profile/name", methods=['GET', 'POST'])
@@ -56,6 +62,9 @@ def user_profile_name():
@login_required
 def user_profile_email():

+    if not is_gov_user(current_user.email_address):
+        abort(403)
+
    def _is_email_unique(email):
        return user_api_client.is_email_unique(email)
    form = ChangeEmailForm(_is_email_unique,
--- a/app/templates/views/user-profile.html
+++ b/app/templates/views/user-profile.html
@@ -28,7 +28,13 @@
      {{ item.value }}
    {% endcall %}
    {% call field(align='right') %}
-      <a href="{{ item.url }}">Change</a>
+      {% if item.label == 'Email address' %}
+        {% if can_see_edit %}
+          <a href="{{ item.url }}">Change</a>
+        {% endif %}
+      {% else %}
+          <a href="{{ item.url }}">Change</a>
+      {% endif %}
    {% endcall %}
  {% endcall %}

--- a/tests/app/main/views/test_user_profile.py
+++ b/tests/app/main/views/test_user_profile.py
@@ -266,3 +266,23 @@ def test_should_redirect_after_password_change(app_,
        assert response.status_code == 302
        assert response.location == url_for(
            'main.user_profile', _external=True)
+
+
+def test_non_gov_user_cannot_see_change_email_link(client,
+                                                   api_nongov_user_active,
+                                                   mock_login,
+                                                   mock_get_non_govuser):
+    client.login(api_nongov_user_active)
+    response = client.get(url_for('main.user_profile'))
+    assert '<a href="/user-profile/email">' not in response.get_data(as_text=True)
+    assert 'Your profile' in response.get_data(as_text=True)
+    assert response.status_code == 200
+
+
+def test_non_gov_user_cannot_access_change_email_page(client,
+                                                      api_nongov_user_active,
+                                                      mock_login,
+                                                      mock_get_non_govuser):
+    client.login(api_nongov_user_active)
+    response = client.get(url_for('main.user_profile_email'))
+    assert response.status_code == 403