Commit Graph

3502 Commits

Author SHA1 Message Date
Pea Tyczynska
00a629befc Link to downloadable report for org usage
Link is sticky so that it is easy to spot even when
an org has many services.
2021-11-17 17:58:06 +00:00
Chris Hill-Scott
ccebae6c75 Merge pull request #4055 from alphagov/fix-headings-choose-account
Fix headings on choose account page
2021-11-09 16:25:37 +00:00
Chris Hill-Scott
d0cab60885 Merge pull request #4064 from alphagov/fix-autofocus-in-some-places
Fix autofocus in places where it wasn’t working
2021-11-09 15:04:41 +00:00
David McDonald
56d6b3e533 Merge pull request #4059 from alphagov/bump-utils-to-fix-non-break-space
Upgrade utils to 48.0.0
2021-11-05 15:13:48 +00:00
Chris Hill-Scott
67d7399018 Merge pull request #4047 from alphagov/reference-new-alert
Change ‘title’ to ‘reference’ when writing alert
2021-11-05 10:01:53 +00:00
Chris Hill-Scott
e3089af1ef Add test coverage for configuration of autofocus
This commits adds test coverage for ther HTML in several of the forms
which had broken autofocus.

It means that if we make changes to the HTML which triggers autofocus in
the future it should be more obvious that something is depending on the
attributes being added/removed.
2021-11-04 17:34:41 +00:00
David McDonald
c532e57751 Dry up and standardise GET test for edit email reply to address
This moves things out of the parametrization that didn't need to be
in there and also makes the test match the test below,
test_shows_delete_link_for_error_on_post_request_for_edit_email_reply_to_address,
more closely.
2021-11-04 11:28:32 +00:00
David McDonald
b4b124d681 Fix bug with reply to email addresses
https://www.pivotaltracker.com/story/show/180026726

There was a bug where if you enter an invalid email address in
to the edit reply to email address form and click save, the
form you get shown with your error message will always contain
the field to set as default the reply to and also delete. This should
not have been the case. If you make an error on the form when
changing a reply to that is already a default, then you should not
be given the chance to change it to not default, nor should you
be able to delete it.

This commit fixes that bug by making sure the additional form fields
are only shown if the reply to being changed is not the default.
2021-11-04 11:21:58 +00:00
Tom Byers
9d59edb3ce Replace 'x' psuedo element with SVG
The current link button for removing an area is
created using a psuedo element with an 'x' as
content.

The inline box for the 'x' overlapped its parent.
This is visible in high contrast mode, breaking the
parent's border. Despite existing in CSS, the 'x'
is also announced by screen readers, which is not
what we want.

This changes it to be an inline SVG with a role of
image. It doesn't require as large an inline box
so doesn't cause visual issues in high contrast
modes. It also means we can set it's label similar to
how you would an image's alt text, giving us
control over what is announced by screen readers.

This commit also includes some extra CSS,
targeting high contrast modes, giving the
link button the following when viewed in those
modes:
- a complete border so it is
  distinguishable from the list item
- a focus style
2021-11-02 11:51:44 +00:00
David McDonald
c6b884dcef Upgrade utils to 48.0.0
Fixes a bug with non breaking spaces being removed from templates
2021-11-01 10:22:58 +00:00
Chris Hill-Scott
bc06b47a92 Delete unexpected test case 2021-10-28 10:31:02 +01:00
Chris Hill-Scott
ca3d696bc1 Delete unexpected test case 2021-10-28 10:24:41 +01:00
Chris Hill-Scott
cd86035588 :Use more realistic test data 2021-10-28 10:24:40 +01:00
Chris Hill-Scott
1334538cad Prefer cap_event to reference when referring to an alert
`reference` isn’t very human-friendly – the Environment Agency just
supply a UUID in this field.

The Environment Agency also populate the `<event>`` field with some
human readable text, for example:

> 013 Issue Severe Flood Warning EA

(013 is an ‘area code’ which will be meaningful to the Flood Warning Service team)

This commit changes the frontend to display the value of the `cap_event`
field, if it’s present, which is where the API stores the value of the
`<event>` field from the original CAP XML.

***

Depends on:
- [x] https://github.com/alphagov/notifications-api/pull/3344/files
2021-10-28 10:24:32 +01:00
Chris Hill-Scott
151a61f7d3 Fix headings on choose account page
You’re supposed to see the two column layout on this page if you have
multiple categories of things to show.

We weren’t counting the ‘platform admin’ section as one of these
categories so platform admin users with only live services or only trial
mode services were inadvertenly seeing a mixture of the one column and
two column layout.

Also this logic around the headings wasn’t tested before – now it is.
2021-10-26 15:06:43 +01:00
Leo Hemsted
5e36061df6 fix link in delivery status page 2021-10-20 11:39:05 +01:00
Tom Byers
b968c0299e Change map key items from list to paragraphs
I recently found that there is a problem with the
overuse of lists online for sequences of content
that don't need to be in a list. I think that's
what we're doing with our map key.

The problem is large enough that browsers include
heuristics to determine if lists should be
presented as such to the accessibility API (and so
to assistive tech' like screen readers). This
thread contains more details:

https://twitter.com/cookiecrook/status/1337226933822603270

Based on the metric described in the thread:

'If all of the styles that make it “list-like”
have been removed, it’s no longer relevant to
convey it as a list.'

...or

'if a sighted user doesn’t need to know it’s a
list, why would a screen reader user need to know
or want to know?'

Based on that, I think the items in our map key
should be paragraphs, not items in a list.

Also, they read really well as sentences when
announced by a screen reader, partly because of
the extra (hidden) info @quis added to them.
This also doesn't change their visual appearance.
2021-10-19 11:09:39 +01:00
Chris Hill-Scott
af7a0a52ab Change ‘title’ to ‘reference’ when writing alert
On the screen where you write an alert without a template Andy pointed
out that ‘title’ feels  bit out of place.

We chose this because ‘Template name’ definitely didn’t fit, but I agree
that reference is better.

Via https://trello.com/c/EqUln5yD/60-changing-title-to-reference-for-alert-template-new-message
2021-10-18 15:43:01 +01:00
Chris Hill-Scott
d162d7264d Reduce scope of content assertion
This makes it clearer which part of the content we care about.
2021-10-15 09:31:48 +01:00
Chris Hill-Scott
12d5c4f900 Only use ‘on behalf of’ to refer to person
Since we’ve introduced the ‘on behalf of’ wording to the go live ticket
(to talk about who the agreement has been signed on behalf of) it’s
confusing to use the same terminology to talk about the organisation
for whom the agreement has been accepted.
2021-10-15 09:23:32 +01:00
Chris Hill-Scott
ec703c5998 Add details of MOU signatory to go live ticket
This will help us monitor organisations that have signed our MOU using a
shared inbox and prevent it happening in future.

https://www.pivotaltracker.com/story/show/179782040
2021-10-15 09:23:30 +01:00
Chris Hill-Scott
dd573fec87 Format organisation type nicely in go live requests 2021-10-15 09:23:30 +01:00
Chris Hill-Scott
c3bbc427e2 Check that user isn’t signed in before registering
Previously this test asserted on `current_user.is_authenticated`. That
isn’t possible now because the object imported into tests isn’t the same
one the app is using.

A different proxy for whether the user is signed in is whether they have
a user id in their session, because we set this every time they sign in:
ff32e73d9b/app/models/user.py (L162)
2021-10-13 11:31:27 +01:00
Chris Hill-Scott
c2d9a56ff4 Bump Werkzeug to version 2.0.2
This is the newest version.

Pyup is complaining about vulnerabilities in version 1.0.1, specifically
> Werkzeug version 2.0.2 improves the security of the debugger cookies.
> "SameSite" attribute is set to "Strict" instead of "None", and the
> secure flag is added when on HTTPS.

Previously we were using whatever version of Werkzeug that Flask
specified this pins it to get rid of the vulnerability without having to
upgrade everything at once.

This requires a few changes to tests which were relying on importing
`session` and `current_user` from Flask. Previously it seemed that
importing these in the tests referred to the same object that was being
used in the app. This appears to no longer be the case. This commit
works around that by:
- using a context manager to get the contents of the session, like we
  already do in most tests
- asserting that the mock which logs the user in is being called with
  the right values, rather than looking at the state of the
  `current_user` object (which was probably giving false certainty
  anyway)
2021-10-12 10:39:19 +01:00
Chris Hill-Scott
1cc087b8de Move end of tour route into tour.py
In https://github.com/alphagov/notifications-admin/pull/3663/files we
made specific routes for sending the ‘tour’ text message, rather than
sharing the ‘one-off’ routes in `send.py`.

This commit moves the final route in the tour journey into `tour.py` as
well, which is where I expected to find it when I was looking for it
just now.
2021-10-06 13:57:03 +01:00
Katie Smith
a5723b64e3 Change mocks for the go live Zendesk tests
This updates the tests to use the same way of mocking the
`NotifySupportTicket` that we're now using in other tests.
2021-09-29 10:37:01 +01:00
Katie Smith
a54b3c9f77 Pass valid ticket type to Zendesk
The feedback endpoints use `ticket_type` to decide what to display and
whether or not a ticket should be escalated. We were using the
ticket_type as the value for the Zendesk ticket_type. However, the Zendesk
API accepts 4 values for its ticket_type and these are different from
the ticket_type values we use in our code.

This change converts the Notify ticket_type value to a valid Zendesk
ticket_type value when creating a Notify feedback ticket.
2021-09-29 10:37:01 +01:00
Katie Smith
437af32d82 Use Zendesk form for general enquiries 2021-09-29 10:30:32 +01:00
Katie Smith
e9948a0234 Use Zendesk form for branding requests
This changes the Zendesk tickets created when an email or letter
branding request is submitted to use the new Zendesk Form that was
introduced in https://github.com/alphagov/notifications-utils/pull/899
2021-09-29 10:30:32 +01:00
Katie Smith
39c26f5bfb Create go-live support tickets using the new way
The new way of creating support tickets can be seen in
[notifications-utils](https://github.com/alphagov/notifications-utils/pull/899).

This changes tickets created when making a request to go live to use
the new way, while other tickets stay the same for now.

The go live tags have been removed. Some of these had become
unneccessary since you can't make the request to go live unless they are
true (e.g. `notify_go_live_email_reply_to`). Others will always get
added by a Zendesk macro when the ticket is replied to, so we don't need
to add them here.
2021-09-22 12:00:05 +01:00
Leo Hemsted
2494d6ce31 move contact list json to a constructor
reduces some duplication
2021-09-15 15:57:49 +01:00
Leo Hemsted
9e915703fd fix contact list bst bug
the api returns UTC timestamps, we should keep them as UTC timestamps
until the very last moment, and only convert them into BST when we know
we want to return to a user (ie: in contact-list.html and other places
like that)
2021-09-15 15:12:13 +01:00
Leo Hemsted
a96bfdb16e remove server-side error messages for webauthn
since we are hard-coding a generic error message on the front-end, we
have no need to do anything on the back end. This is also nice as it
standardises the two flows to behave more like each other (rather than
previously where one would `flash` an error message and the other would
return CBOR for the js to decode).

Note that the register flow returns 400 while the auth flow returns 403.
The js for both just checks `response.ok` so will handle both. The JS
completely discards any body returned if the status isn't 200 now.
2021-09-15 11:43:41 +01:00
karlchillmaid
385a17ca8b Add additional instructions for the service name
Add additional instructions for the service name - this is more consistent with the local government version of this page

Also update tests to use the new content.
2021-09-14 12:10:14 +01:00
Leo Hemsted
a231738a16 Merge pull request #3989 from alphagov/update-pricing-pages
Add a billing details page
2021-09-08 16:31:38 +01:00
Leo Hemsted
a0adf3c63c add new billing details page
contains both signed in and signed out versions (when signed in you can
see bank details etc)
2021-09-08 10:19:42 +01:00
Leo Hemsted
85f6881a56 rename api key component to copy_to_clipboard
does what it says on the tin, and is also consistent with prior art:
https://components.publishing.service.gov.uk/component-guide/copy_to_clipboard
2021-09-08 10:18:17 +01:00
Ben Thorner
411fda81c0 Support custom broadcasts (without area IDs)
Custom broadcasts created directly via the API app won't have area
IDs since [1], where we started to distinguish between "names" (all
broadcasts have these) and IDs (for broadcasts created in this app).
We forgot to propagate the distinction into the code here.

This code fixes the bug for all broadcasts created after [1]. Any
custom broadcasts created before [1] will have their "ids" field set
instead of "names" so we won't show anything for them. This seems
reasonable as we don't support custom broadcasts yet.

[1]: 023a06d5fb
2021-09-06 12:40:30 +01:00
Ben Thorner
4bae4eec6c Start sending aggregate area names to API
The aggregate names don't need to be sorted, but it helps to do
this for the tests, since the implementation of sets may not be
stable between machines and lead to sporadic test failures.

I did also toy with sorting granular area names so they have a
similar ordering, but this would take them out-of-order with IDs
and really the important thing is that the ordering is stable.
2021-09-02 12:59:18 +01:00
Ben Thorner
cfdd244325 Complete migration to new "areas" API format
Depends on: https://github.com/alphagov/notifications-api/pull/3314

Previously:

- We introduced a new "areas_2" API field that's can
populate the "areas" column in the same way.

- We updated the Admin app to use the new field, so that
the old "areas" and "simple_polygons" API fields are unused.

- We repurposed the unused "areas" API field to use
the new "areas_2" format.

This PR:

- We can switch the Admin app back to the "areas" field,
but in the new format.

Future PRs:

- Remove support for the unused "areas_2" field (migration complete)
2021-08-27 14:34:49 +01:00
Ben Thorner
7dbe3afa19 Include area names in data we send to API
These will be used as a fallback for display in gov.uk/alerts. It
also helps to have them in the DB to aid in quickly identifying
where an alert was sent, which is hard from the IDs.

We will look at backfilling names for past alerts in future work.
2021-08-26 12:49:54 +01:00
Ben Thorner
11cbee5843 Switch to using temporary "areas_2" API field
Depends on: https://github.com/alphagov/notifications-api/pull/3312

This is part of a multi-stage migration where we want to repurpose
the "areas" field in the existing API to something like "areas_2".
2021-08-26 11:01:56 +01:00
Ben Thorner
de9d1f991b Stop saying "areas" when we mean "area_ids"
"areas" normally means an instance of BroadcastArea or similar, so
we should be more accurate to avoid confusion.
2021-08-26 11:01:35 +01:00
Chris Hill-Scott
5c1920fc20 Remove old method of updating email_access_validated_at
Previously we were passing a flag to the API which handled this. Now
we are doing it at the time of clicking the link, not at the time of
storing the new password. We don’t need to update the timestamp twice,
so this commit removes the code which tells the API to do it.
2021-08-19 11:14:47 +01:00
Chris Hill-Scott
8355abeaf2 Update email_access_validated_at on invite
Accepting an invite means that you’ve just clicked a link in your email
inbox. This shows that you have access to your email.

We can make a record of this, thereby extending the time before we ask
you to revalidate your email address.
2021-08-19 11:14:47 +01:00
Chris Hill-Scott
cb59413581 Update email_access_validated_at on link click
When someone uses a fresh password reset link they have proved that they
have access to their inbox.

At the moment, when revalidating a user’s email address we wait until
after they’ve put in the 2FA code before updating the timestamp which
records when they last validated their email address[1].

We can’t think of a good reason that we need the extra assurance of a
valid 2FA code to assert that the user has access to their email –
they’ve done that just by clicking the link. When the user clicks the
link we already update their failed login count before they 2fa. Think
it makes sense to handle `email_access_validated_at` then too.

As a bonus, the functional tests never go as far as getting a 2FA code
after a password reset[2], so the functional test user never gets its
timestamp updated. This causes the functional tests start failing after
90 days. By moving the update to this point we ensure that the
functional tests will keep passing indefinitely.

1. This code in the API (91542ad33e/app/dao/users_dao.py (L131))
   which is called by this code in the admin app (9ba37249a4/app/utils/login.py (L26))
2. 5837eb01dc/tests/functional/preview_and_dev/test_email_auth.py (L43-L46)
2021-08-19 11:14:47 +01:00
Chris Hill-Scott
ff12ba689d Merge pull request #3993 from alphagov/4-hours-expiry-test-channels
Expire test and operator alerts after 4 hours
2021-08-18 10:12:26 +01:00
Leo Hemsted
71d3aa13d7 follow sign_in redirect even if you're already signed in 2021-08-17 14:44:09 +01:00
Chris Hill-Scott
db0738ac39 Format 1000s properly on returned letters pages
Our style is to comma-separate numbers in the 1000s for easier reading.
2021-08-12 15:51:22 +01:00
Chris Hill-Scott
196da2b1b7 Reduce expiry time to 22 hours 30 minutes
Theoretically the maximum expiry time of a broadcast should be 24 hours.
If it goes over 24 hours there can be problems.

However we want to make it more conservative to mitigate two potential
issues:

1. The CBC has a repetition period (eg 60 seconds) and a count (eg
   1,440). If these were slightly innaccurate or generous it could take
   us over 24 hours. For this reason we should give ourselves half an
   hour of buffer.
2. It’s possibly that the CBC could interpret a UTC time as BST or vice
   versa. Until we’re sure that it’s using UTC everywhere, we need to
   remove another whole hour as buffer.

In total this means we remove 1 hour 30 minutes from 24 hours, giving an
expiry time of 22 hours 30 minutes.
2021-08-10 13:41:03 +01:00