Permissions added for templates and send_messages pages. All tests passing.

Fix up page heading.
2026-02-05 10:53:28 -05:00 · 2016-02-29 17:03:56 +00:00
parent 900f4cd7ff
commit ffe30c3070
11 changed files with 106 additions and 35 deletions
--- a/app/main/views/send.py
+++ b/app/main/views/send.py
@@ -26,11 +26,17 @@ from app.main.uploader import (
 from app.main.dao import templates_dao
 from app.main.dao import services_dao
 from app import job_api_client
-from app.utils import validate_recipient, InvalidPhoneError, InvalidEmailError
+from app.utils import (
+    validate_recipient, InvalidPhoneError, InvalidEmailError, user_has_permissions)

 page_headings = {
-    'email': 'Send emails',
-    'sms': 'Send text messages'
+    'manage_service': {
+        'email': 'Send emails',
+        'sms': 'Send text messages'},
+    'manage_templates': {
+        'email': 'Manage templates',
+        'sms': 'Manage templates'
+    }
 }


@@ -42,6 +48,8 @@ def letters_stub(service_id):


@main.route("/services/<service_id>/send/<template_type>", methods=['GET'])
+@login_required
+@user_has_permissions('send_messages', 'manage_templates', or_=True)
 def choose_template(service_id, template_type):

    service = services_dao.get_service_by_id_or_404(service_id)
@@ -55,6 +63,9 @@ def choose_template(service_id, template_type):
            abort(404)
        else:
            raise e
+    # TODO fix up how page_heading is loaded.
+    page_heading = page_headings['manage_service'][template_type] if current_user.has_permissions(session.get('service_id', ''), 'manage_service') else \
+        page_headings['manage_templates'][template_type]
    return render_template(
        'views/choose-template.html',
        templates=[
@@ -65,7 +76,7 @@ def choose_template(service_id, template_type):
            if template['template_type'] == template_type
        ],
        template_type=template_type,
-        page_heading=page_headings[template_type],
+        page_heading=page_heading,
        service=service,
        has_jobs=len(jobs),
        service_id=service_id
@@ -74,6 +85,7 @@ def choose_template(service_id, template_type):

@main.route("/services/<service_id>/send/<int:template_id>", methods=['GET', 'POST'])
@login_required
+@user_has_permissions('send_messages')
 def send_messages(service_id, template_id):

    form = CsvUploadForm()
@@ -110,6 +122,7 @@ def send_messages(service_id, template_id):

@main.route("/services/<service_id>/send/<template_id>.csv", methods=['GET'])
@login_required
+@user_has_permissions('send_messages', 'manage_templates', or_=True)
 def get_example_csv(service_id, template_id):
    template = templates_dao.get_service_template_or_404(service_id, template_id)['data']
    placeholders = list(Template(template).placeholders)
@@ -127,6 +140,7 @@ def get_example_csv(service_id, template_id):

@main.route("/services/<service_id>/send/<template_id>/to-self", methods=['GET'])
@login_required
+@user_has_permissions('send_messages')
 def send_message_to_self(service_id, template_id):
    template = templates_dao.get_service_template_or_404(service_id, template_id)['data']
    placeholders = list(Template(template).placeholders)
@@ -150,6 +164,7 @@ def send_message_to_self(service_id, template_id):
@main.route("/services/<service_id>/check/<upload_id>",
            methods=['GET', 'POST'])
@login_required
+@user_has_permissions('send_messages')
 def check_messages(service_id, upload_id):

    upload_data = session['upload_data']
--- a/app/main/views/service_settings.py
+++ b/app/main/views/service_settings.py
@@ -3,6 +3,7 @@ from flask import (
 from flask_login import (login_required, current_user)

 from app.main import main
+from app.utils import user_has_permissions
 from app.main.dao.services_dao import (
    get_service_by_id, delete_service, update_service)
 from app.main.dao.users_dao import verify_password
@@ -12,6 +13,7 @@ from notifications_python_client.errors import HTTPError

@main.route("/services/<service_id>/service-settings")
@login_required
+@user_has_permissions('manage_service')
 def service_settings(service_id):
    try:
        service = get_service_by_id(service_id)['data']
@@ -29,6 +31,7 @@ def service_settings(service_id):

@main.route("/services/<service_id>/service-settings/name", methods=['GET', 'POST'])
@login_required
+@user_has_permissions('manage_service')
 def service_name_change(service_id):
    try:
        service = get_service_by_id(service_id)['data']
@@ -53,6 +56,7 @@ def service_name_change(service_id):

@main.route("/services/<service_id>/service-settings/name/confirm", methods=['GET', 'POST'])
@login_required
+@user_has_permissions('manage_service')
 def service_name_change_confirm(service_id):
    try:
        service = get_service_by_id(service_id)['data']
@@ -82,6 +86,7 @@ def service_name_change_confirm(service_id):

@main.route("/services/<service_id>/service-settings/request-to-go-live", methods=['GET', 'POST'])
@login_required
+@user_has_permissions('manage_service')
 def service_request_to_go_live(service_id):
    try:
        service = get_service_by_id(service_id)['data']
@@ -104,6 +109,7 @@ def service_request_to_go_live(service_id):

@main.route("/services/<service_id>/service-settings/status", methods=['GET', 'POST'])
@login_required
+@user_has_permissions('manage_service')
 def service_status_change(service_id):
    try:
        service = get_service_by_id(service_id)['data']
@@ -125,6 +131,7 @@ def service_status_change(service_id):

@main.route("/services/<service_id>/service-settings/status/confirm", methods=['GET', 'POST'])
@login_required
+@user_has_permissions('manage_service')
 def service_status_change_confirm(service_id):
    try:
        service = get_service_by_id(service_id)['data']
@@ -153,6 +160,7 @@ def service_status_change_confirm(service_id):

@main.route("/services/<service_id>/service-settings/delete", methods=['GET', 'POST'])
@login_required
+@user_has_permissions('manage_service')
 def service_delete(service_id):
    try:
        service = get_service_by_id(service_id)['data']
@@ -174,6 +182,7 @@ def service_delete(service_id):

@main.route("/services/<service_id>/service-settings/delete/confirm", methods=['GET', 'POST'])
@login_required
+@user_has_permissions('manage_service')
 def service_delete_confirm(service_id):
    try:
        service = get_service_by_id(service_id)['data']
--- a/app/main/views/templates.py
+++ b/app/main/views/templates.py
@@ -5,6 +5,7 @@ from notifications_python_client.errors import HTTPError
 from utils.template import Template

 from app.main import main
+from app.utils import user_has_permissions
 from app.main.forms import SMSTemplateForm, EmailTemplateForm
 from app import job_api_client
 from app.main.dao.services_dao import get_service_by_id_or_404
@@ -20,6 +21,7 @@ form_objects = {

@main.route("/services/<service_id>/templates/add-<template_type>", methods=['GET', 'POST'])
@login_required
+@user_has_permissions('manage_templates')
 def add_service_template(service_id, template_type):

    service = sdao.get_service_by_id_or_404(service_id)
@@ -51,6 +53,7 @@ def add_service_template(service_id, template_type):

@main.route("/services/<service_id>/templates/<int:template_id>", methods=['GET', 'POST'])
@login_required
+@user_has_permissions('manage_templates')
 def edit_service_template(service_id, template_id):
    template = tdao.get_service_template_or_404(service_id, template_id)['data']
    template['template_content'] = template['content']
@@ -78,6 +81,7 @@ def edit_service_template(service_id, template_id):

@main.route("/services/<service_id>/templates/<int:template_id>/delete", methods=['GET', 'POST'])
@login_required
+@user_has_permissions('manage_templates')
 def delete_service_template(service_id, template_id):
    template = tdao.get_service_template_or_404(service_id, template_id)['data']