Commit Graph

8340 Commits

Author SHA1 Message Date
Chris Hill-Scott
0706664be4 Stop using logged_in_client fixture
We have a `client_request` fixture which does a bunch of useful stuff
like:
- checking the status code of the response
- returning a `BeautifulSoup` object

Lots of our tests still use an older fixture called `logged_in_client`.
This is not as good because:
- it returns a raw `Response` object
- doesn’t do the additional checks
- means our tests contain a lot of repetetive boilerplate like `page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')`

This commit converts all the tests using `logged_in_client` to:
use `client_request` instead.
2022-01-10 14:39:44 +00:00
Chris Hill-Scott
50eae6f935 Stop using platform_admin_client fixture
We have a `client_request` fixture which does a bunch of useful stuff
like:
- checking the status code of the response
- returning a `BeautifulSoup` object

For most tests of a platform admin view we used `platform_admin_client`
instead. This is not as good because it returns a raw `Response` object
and doesn’t do the additional checks.

This commit converts all the tests using `platform_admin_client` to:
use new `client_request` and log in as `platform_admin_user` before
making any requests.

This is also nice because it makes any test easy to parametrize with
additional users, for example to test differences in behaviour dependant
on being platform admin or not.
2022-01-10 14:39:40 +00:00
Chris Hill-Scott
0fd79bb500 Merge pull request #4122 from alphagov/no-text-in-svg
Don’t allow <text> elements in letter logos
2022-01-10 11:13:09 +00:00
Chris Hill-Scott
a6ae1aa218 Merge pull request #4124 from alphagov/format-inbound-sms-download
Format phone numbers with spaces in download of received text messages
2022-01-10 11:12:27 +00:00
Chris Hill-Scott
291906e9fd Don’t allow <text> elements in letter logos
To render text in an SVG consistently the system rendering the SVG must
have the fonts specified by the SVG installed.

If the fonts are not installed then the renderer will fall back to a
system font and the text will look different. This is especially bad
news for branding where the right font is an integral part of any brand.

To fix this, the text should instead be converted to `<path>` elements.
This process is sometimes called ‘outlining’.

A few of our logos had this problem, and I’ve fixed most of them by
hand. Adding this validation will stop the problem, coming up again.
2022-01-06 17:39:01 +00:00
Chris Hill-Scott
5558af2527 Refactor for reuse 2022-01-06 17:39:01 +00:00
Chris Hill-Scott
474d7dfda8 Format phone numbers with spaces in download of received text messages
Some users have reported a problem with the received text message
report:

> I have tested the reply service but in the excel report the mobile
> number is showing as 4.47900E+23. How can I change the format so that
> it is show the mobile number that has replied?

This is happening because Excel is interpreting a phone number in the
format `447900900123` as a number in
[scientific notation](https://en.wikipedia.org/wiki/Scientific_notation),
in other words 4.479 &times; 10<sup>23</sup>.

`447900900123` is the format that our provider is giving us the number
in – there’s no guarantee it will always be in this format.

We can prevent this behaviour by putting spaces in the numbers. Excel
and Google Sheets won’t try to convert a string with spaces into a
number.

I think we used to do this for the sent text messages report but
probably stopped because we decided it was better to keep the phone
number in the same format as it had been supplied to us for
reconcilliation purposes.
2022-01-06 16:41:41 +00:00
karlchillmaid
bd313e5e2a Add next review date 2022-01-06 15:41:36 +00:00
karlchillmaid
c08948ca3f Add next review date 2022-01-06 15:40:14 +00:00
Tom Byers
0fe03993cd Add content-metadata component to other pages 2022-01-05 15:22:59 +00:00
Tom Byers
4f10272b00 Add styles and Jinja for component
Most of these are cut-and-paste'd from the GOVUK
metadata component:

https://components.publishing.service.gov.uk/component-guide/metadata

...but stripped back to only include what we need
and a optional suffix paragraph added.

Links to styles and ERB template
https://github.com/alphagov/govuk_publishing_components/blob/master/app/assets/stylesheets/govuk_publishing_components/components/_metadata.scss
https://github.com/alphagov/govuk_publishing_components/blob/master/app/views/govuk_publishing_components/components/_metadata.html.erb

Also adds it to the accessibility statement as an
example and updates the test that checks any
updates bump the date.
2022-01-05 15:21:37 +00:00
karlchillmaid
342fd35136 Remove dates from end of statement 2022-01-05 15:20:23 +00:00
karlchillmaid
483fcf1a3a Update content to fit new component 2022-01-05 15:20:22 +00:00
karlchillmaid
41fef84f8a Update content to fit new component 2022-01-05 15:20:21 +00:00
karlchillmaid
00355c405b Update content to fit new component 2022-01-05 15:20:20 +00:00
karlchillmaid
ed8efb6a37 Make wording consistent 2022-01-05 15:20:19 +00:00
karlchillmaid
a222891f19 Update ‘updated’ content 2022-01-05 15:20:18 +00:00
karlchillmaid
bb98078315 Update ‘updated’ content 2022-01-05 15:20:17 +00:00
karlchillmaid
ca11d87a57 Add ‘last updated’ section 2022-01-05 15:20:16 +00:00
David McDonald
04fa99b3dc Update get_notifications_for_service to make POST requests
This updates the `get_notifications_for_service` of the
`NotificationApiClient` to make POST request to the api when the `to`
field is provided. This is done so that we avoid logging personal
details such as email addreses.

If the `to` field is not present, the method will make a GET reqeust and
there will be no change to how it works.
2022-01-04 11:14:16 +00:00
Chris Hill-Scott
2f0e3f39d3 Hide ‘Download this report’ link when no services
If an organisation doesn’t have any live services then there’s no data
to download. To make things less confusing we should hide the link in
this case.

This commit also modifies the existing test so that the assertions are
consistent.
2021-12-30 14:09:42 +00:00
Leo Hemsted
295cd9bf8b remove rogue bullet point 2021-12-29 12:52:27 +00:00
Pea Tyczynska
58fe9d5b56 Revert "Remove free text allowance remaining column from organisation report" 2021-12-21 16:05:29 +00:00
Katie Smith
812aa3ffe8 Add hscni.net to list of allowed domains
We can't assign `hscni.net` to an organisation because it is used
by GP surgeries, so we don't always know which org it should be
associated with. This change allows people with the an `hscni.net`
email address to sign up and create a service.
2021-12-20 11:41:10 +00:00
karlchillmaid
56889a4ada Merge pull request #4082 from alphagov/clarify-free-text-message-allowance
Update text message pricing description
2021-12-17 11:46:07 +00:00
karlchillmaid
9b197e1e6c Make content consistent 2021-12-15 19:28:05 +00:00
Ben Thorner
50c3c3e10c Merge pull request #4095 from alphagov/remove-413-error-177535141
Remove redundant 413 error page
2021-12-15 10:32:53 +00:00
karlchillmaid
76161efe34 Update bullets to be more accurate 2021-12-14 18:09:05 +00:00
Katie Smith
2fe6c34730 Merge pull request #4098 from alphagov/form-bug-fixes
Fix two small bugs with forms
2021-12-13 11:19:11 +00:00
Katie Smith
e5df9614f7 Merge pull request #4101 from alphagov/billing-content
Fix billing page to show correct user who signed MOU
2021-12-13 11:19:04 +00:00
Katie Smith
30824b110c Fix billing page to show correct user who signed MOU
If the organisation table contains an entry for `agreement_signed_by_id`
and for `agreement_signed_on_behalf_of_name` then we should the person
who signed the MOU as being the `agreement_signed_on_behalf_of_name`.
This was wrongly showing the `agreement_signed_by_id` as the person who
signed the agreement.
2021-12-13 09:48:41 +00:00
Katie Smith
d8ebcdce22 Stop errors when changing an email address to an invalid one
We use the `ChangeEmailForm` if you want to change your own email
address or someone else's email address. This has various validators
which get run. We check if the email address is valid (by using a
function from utils) and if the email address is already in use
(by calling API).

If the email address is not valid, we should not call API to see if it's
already in use because this will cause an exception in API leading to a
`500` in admin. We now only call API if there were no other errors with
the email address.

(The `test_should_redirect_after_name_change` test didn't need the
`mock_email_is_not_already_in_use` fixture, so this has been removed.)
2021-12-10 17:11:46 +00:00
Ben Thorner
7ebf60845f Bump utils to 51.2.1
This brings a few performance improvements for RecipientCSV, which
we use to preview and process CSVs. One change also renames one of
the attributes for the class to "guestlist".
2021-12-10 16:35:40 +00:00
Katie Smith
1da285cf52 Only show one error for radio field and check boxes
We don't currently have any radio fields or check boxes where it's
possible to get more than one validation error. However, since we
never want to show more than one error at a time for a field, this
changes the error messages for the relevant widgets to only show the
first error if there ever were multiple.
2021-12-10 15:24:16 +00:00
Katie Smith
e42853205c Update govuk_text_input_field_widget to only show one error
If there were multiple errors, this widget was joining the messages
together and displaying all error messages. If a text input field does
have more than one validation error, we only want to show one.
2021-12-10 14:59:18 +00:00
Katie Smith
58532ee4ca Merge pull request #4092 from alphagov/org-billing
Add new 'Billing' page for organisations
2021-12-10 12:48:37 +00:00
Katie Smith
aef83ad261 Add link to user page to go live tickets
This adds a link to the user profile of the person who requested to go
live for "Request to go live" Zendesk tickets. Viewing a user's profile
page helps us to check for duplicate organisations and services from
that user.
2021-12-10 11:51:04 +00:00
Katie Smith
66c50abc38 Add new 'Billing' page for organisations
We want organisation team members to be able to see the MOU details for
their organisation. This change creates a new page called billing, which
contains these details. It's only visible to platform admin users now -
the plan is to add more information to this page, then to make it visible
to all organisation users.

The page showing the MOU covers the case of when agreement_signed is
True, when an agreement_signed is False, and when agreement_signed is
None. The case when an agreement_signed is None is very rare - it
signifies that the agreement is not signed but that we have some
service-specific agreements in place. We only have a few organisations
in this state, so it's unlikely that the content for this scenario will
be seen.

When an organisation has signed the agreement we may know the full
details (signing date, version signed, the person who signed it or who it
was signed on behalf of), or we may only have the name of the person who
signed the agreement. We show the more detailed content if possible, and
a less detailed version of the content if not.

There's a new route for downloading the agreement which is almost
identical to the existing `.service_download_agreement` route (plus the
test is almost the same), except that it takes an organisation ID
instead of a service ID.
2021-12-10 08:46:24 +00:00
Tom Byers
14e249a2d9 Merge pull request #4093 from alphagov/update-alert-mock-up-icon
Update alert mock up icon
2021-12-09 15:25:58 +00:00
Ben Thorner
39e03cee50 Remove redundant 413 error page
This was used when there was an Nginx instance sitting in front of
Admin [1], but nowadays traffic goes through CloudFront, where we
decided not to implement the same protection:

- The likelihood of large requests being a security threat is small
because it's a difficult attack vector.

- We have put in place specific limits on routes where we the size
of the request is actually important [2].

Note that the other error pages can all still be used based on the
response code we get from API requests [3]. Also worth noting we've
had 0 413 response codes for Admin in the last month.

[1]: https://github.com/alphagov/notifications-aws/blob/master/ansible/roles/nginx/templates/nginx.conf.j2#L29-L30
[2]: https://github.com/alphagov/notifications-admin/pull/4090
[3]: b3c0abc496/app/__init__.py (L407-L416)
2021-12-09 14:48:34 +00:00
David McDonald
7e26cb5baf Quick fix to redis DEFAULT_TTL type bug
In
a9617d4df6
we upgraded the version of utils to 49.1 which brought in a renamed
`TTL` as `DEFAULT_TTL`.

However, not only did it change the name, it also changed its type
from an `int` to a `float`:
https://github.com/alphagov/notifications-utils/pull/923/files

We thought that would be OK as in the utils, we moved the conversion
to an integer to happen in the `set` method but it turns out that
caused an issue in the admin app where setting the `has_jobs...`
redis keys will error:

```
Redis error performing set on has_jobs-4bd11cb2-cc17-44e1-b241-8547990db245
...
...
redis.exceptions.ResponseError: value is not an integer or out of range
```

It looks like this is because we are passing a float instead of an
int to `ex`
See a similar post describing the importance of ints rather than
floats for other parameters:
https://developpaper.com/question/redis-err-value-is-not-an-integer-or-out-of-range/

An interesting note is our test
`test_client_creates_job_data_correctly` didn't catch this because
`float(604800) == int(604800`.

I've gone for the quickest solution which is to wrap `DEFAULT_TTL`
in an int. The reason I've done this now is that to do the long
term and more durable fix is to add this fix to utils, however
there are several breaking changes infront of it that would take
me a while to bring in to the admin app first. I've checked the
admin and API apps and this is the only place we are directly
using `DEFAULT_TTL`.
2021-12-09 14:16:36 +00:00
Tom Byers
8ceff631f4 Remove image used as background before 2021-12-09 12:03:06 +00:00
Tom Byers
301480a732 Make SVG icon in alert mock up inline
Making the icon an inline SVG lets it inherit
colours from the page styles. This helps in forced
colour modes, like Windows high contrast mode,
where it will match the colour of the text next to
it, whatever it is set to.

Making it inline requires some changes to the CSS
to allow its position to match that of the current
background image.

This also sets `forced-color-adjust` to `auto` on
the `<svg>` element, which tells the browser it
can control its colours in forced colour modes.
This is required because the browsers that support
forced colour mode set it to `none` for the
`<svg>` element by default.
2021-12-09 10:23:49 +00:00
David McDonald
159e4c0bcb Merge pull request #4077 from alphagov/reduce-redis-cache-ttl
Reduce impact of bug with performance page caching stale data
2021-12-08 16:22:34 +00:00
David McDonald
20cc1e230f Reduce TTL to 1 hour for get_count_of_live_services_and_organisations
This stat is shown on a few of our pages, such as our homepage,
the performance page and also a platform admin page
and is currently catched for the
default TTL of 1 week. I think there is no reason we can't make
this only cache once an hour and give slightly more up to date stats
which will update more regularly.

This mimics the approach and also the TTL choice of 1 hour that has
been added for the performance page (although there is no
particular bug here to fix, it is just nice to have slightly more up
up to date data).

Note, the API call only takes about 0.3 seconds at the moment
so it is not particularly intensive on the DB to run this more
regularly.
2021-12-08 15:39:10 +00:00
Ben Thorner
1e63ee2d09 Merge pull request #4089 from alphagov/flash-upload-errors-177535141
Show flash instead of inline upload errors
2021-12-08 10:03:06 +00:00
Ben Thorner
b04bb51971 Merge pull request #4090 from alphagov/limit-csv-file-size-177535141
Reject CSV / Spreadsheet files larger than 10Mb
2021-12-07 17:00:05 +00:00
Ben Thorner
1a4204fed1 Merge pull request #4086 from alphagov/small-spreadsheet-refactor-177535141
Small refactoring to the Spreadsheet class
2021-12-07 16:59:46 +00:00
Ben Thorner
0ce7f72b07 Reject CSV / Spreadsheet files larger than 10Mb
This is a quick additional check to protect the user:

- From getting a CloudFront 502 error if the file takes too
long to upload. I was surprised to find it takes about 1 minute
to upload a 70Mb file to S3.*

- From getting a CloudFront 502 error when we follow the redirect
and run through the slow processing code in utils that builds a
RecipientCSV [1].

For context, a CSV with 100K rows and a few columns is around 5Mb,
so a 10Mb limit should be enough. Analysis over the past week shows
that the vast majority of CSV uploads are actually < 2.5Mb.

I haven't added any tests for this because:

- The check isn't critical, as the worst case scenario is the user
gets a worse error than this in-app one.

- There's no easy way to mock the validation, and I didn't want to
have a test that depends on a 10Mb+ file.

*We're using "key.put" to upload the file, when we could be doing
a multipart upload [2]. However, I tried this myself with a chunk
size of 1000 bytes and found it only led to a marginal improvement.

[1]: https://github.com/alphagov/notifications-utils/pull/930
[2]: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-uploading-files.html
2021-12-07 15:33:34 +00:00
David McDonald
925f86aa70 Merge pull request #4088 from alphagov/security-policy
Add security policy page
2021-12-07 15:29:33 +00:00