Commit Graph

1028 Commits

Author SHA1 Message Date
Rebecca Law
9308e95b02 Merge pull request #1162 from alphagov/fix-user-login-flow
Fix user login flow
2017-02-28 16:50:11 +00:00
Rebecca Law
35f61125e8 Fix the user flow when the user account is locked.
The user has 10 tries at the password, after which the account is locked.
The same is true for the verify code, the user will have 10 tries before the user account is locked.
2017-02-28 14:41:31 +00:00
Rebecca Law
2d4e0a0631 Added a reset of failed_login_count when the user is activated.
Update user from the update-password api call (which resets the failed_login_count)
2017-02-28 11:56:40 +00:00
Chris Hill-Scott
90da5a35da Merge pull request #1160 from alphagov/11-or-fewer
Make long SMS sender name error accurate
2017-02-27 16:09:00 +00:00
Chris Hill-Scott
e909bce928 Make long SMS sender name error accurate
`<=11` not `< 11`
2017-02-27 15:56:58 +00:00
Chris Hill-Scott
888821d1b4 Don’t 500 when a CSV is missing rows
> When the CSV is missing the header row, we get an error and the user
> will see "Sorry, we are experiencing technical difficulties..."
>
> We should return a better error message for the user.

– https://www.pivotaltracker.com/story/show/140668615

This was caused by an attempt to access the `first_recipient` variable
before it was assigned. It would only be assigned when there was at
least one row in the file.

Fixing this means doing two things:
- defaulting `first_recipient` to be `None` before looking in the file
- adding an error message for when we can’t extract any rows out of the
  file (which is more nuanced than the file just being completely empty)

(There’s a nasty `sort` in the Jinja template because when there are no
rows in the file the order of the required column headers is not
deterministic.)
2017-02-27 14:46:01 +00:00
Leo Hemsted
4df12f5f4e ensure other 2FA pages also handle session id
specifically, the 2FA page when you first create an account is different to the login 2FA page
and also the 2FA page when you change your phone number is different as well
2017-02-24 16:32:59 +00:00
Leo Hemsted
1ec20151d0 Merge pull request #1146 from alphagov/session-id
check users' session id.
2017-02-24 14:25:06 +00:00
Chris Hill-Scott
d18334100e Remove HTML entity from permission choice
Not sure why we had a non-breaking space in here because it didn’t wrap
onto two lines anyway. And it wasn’t working because it was showing up
encoded, rather than as a raw entity.
2017-02-23 10:50:28 +00:00
Leo Hemsted
f14a836baa check users' session id.
when a user enters their 2FA code, the API will store a random UUID
against them in the database - this code is then stored on the cookie
on the front end.

At the beginning of each authenticated request, we do the following
steps:
  * Retrieve the user's cookie, and get the user_id from it
  * Request that user's details from the database
  * populate current_user with the DB model
  * run the login_required decorator, which calls
    current_user.is_authenticated

is_authenticated now also checks that the database model matches the
cookie for session_id. The potential states and meanings are as follows:

 database | cookie | meaning
----------+--------+---------
 None     | None   | New user, or system just been deployed.
          |        | Redirect to start page.
----------+--------+---------
 'abc'    | None   | New browser (or cleared cookies). Redirect to
          |        | start page.
----------+--------+---------
 None     | 'abc'  | Invalid state (cookie is set from user obj, so
          |        | would only happen if DB is cleared)
----------+--------+---------
 'abc'    | 'abc'  | Same browser. Business as usual
----------+--------+---------
 'abc'    | 'def'  | Different browser in cookie - db has been changed
          |        | since then. Redirect to start
2017-02-22 17:31:13 +00:00
Imdad Ahad
2c51792ae5 Update two-factor to use new update password endpoint and refactor tests 2017-02-20 14:55:28 +00:00
Leo Hemsted
f550699daf fix non-gsm error message
Use `it`/`they` depending on how many different characters you've used
Also don't wrap the message with quotes, as it looks confusing and
potentialy implies that you can't use apostrophes
2017-02-17 10:39:52 +00:00
Leo Hemsted
9046ec3bbc ensure emails still accept emoji 2017-02-17 10:39:52 +00:00
Leo Hemsted
73a965a3c6 allow downgradeable unicode characters in SMS templates 2017-02-17 10:39:52 +00:00
Leo Hemsted
41fa158635 error when users put non-GSM chars in a sms template
additionally, this moves the formatted_list jinja macro into a python
function, so that it can be called from the form validator
2017-02-17 10:39:52 +00:00
Chris Hill-Scott
221d401289 Merge pull request #1136 from alphagov/sign-in-message
Show a more useful message if you get signed out
2017-02-16 15:33:33 +00:00
Chris Hill-Scott
fb33255bd0 Show a more useful message if you get signed out
> Users that allow their session to expire, or access a bookmarked link
> are told they need to "Sign in to access this page" - we should
> explain that it's because they've been away a while, so that they
> understand why they're being asked to log in again.

– https://www.pivotaltracker.com/story/show/140016919

The message we were showing before (Please log in to access this page is
the default message from Flask Login).

In order to stop this flash message from appearing, we need to override
the default handler for when a user is unauthorised. We’re overriding it
with the same behaviour, minus the flash message.

If you navigate deliberately to the sign in page it’s unchanged.

Content is Sheryll-approved.
2017-02-16 13:33:32 +00:00
Rebecca Law
cf3a933b1e Updated error message is the code is not the right size or data type.
Updated two_factor to error is the user account is locked (locked = over 10 failed_login_count)
2017-02-15 14:56:22 +00:00
imdadahad
cdd192590f Merge pull request #1106 from alphagov/feat-update-user-profile-password-with-new-endpoint
Update password on user profile with new endpoint
2017-02-10 17:23:46 +00:00
Chris Hill-Scott
3c7b41aace Limit months shown to current and past
Matches what we do on the usage page. No need to see months in the
future because there’s no way you’ll have sent any messages in those
months, unless you’re Marty McFly.
2017-02-08 11:16:11 +00:00
Chris Hill-Scott
ac9d4f2daf Break down usage by month, filter by year
The previous, weekly activity breakdown was what we reckoned might be
useful. But now that we have people using the platform it feels like
aggregating a service’s usage by month is:
- matches the timeframe users report on within their organisation
- is consistent with the usage page

And like the usage page this commit also limits the page to only show
one financial year’s worth of data at once (rather than data for all
time).

This commit also makes some changes to the jobs view code so that our
aggregation of failure states is consistent between the dashboard pages
and the jobs pages.
2017-02-08 10:59:26 +00:00
Imdad Ahad
24b372de77 Update go-live message + tests 2017-02-07 16:14:58 +00:00
Pete Herlihy
7e93058484 Update subject line for Request to go live tickets 2017-02-07 16:03:55 +00:00
Pete Herlihy
c906bec3eb Making the feedback tickets subject unique to avoid threading in gmail
Lots of tickets get rolled into a single thread and can mean we miss some tickets.  This will ensure a different thread for each one.
2017-02-07 16:03:02 +00:00
Imdad Ahad
48b4dce848 Update password on user profile with new endpoint 2017-02-07 13:32:20 +00:00
Chris Hill-Scott
2a502753a4 Filter and navigate usage by financial year
Right now we tell people that the usage page is for the current
financial year. This is a lie – it’s for all time.

So this commit calls through to the API to get the stats for (by
default) the current financial year.

We already do this for the monthly breakdown, this just does the same
thing for the yearly totals.

It also adds navigation to show the data for other financial years:
- previous so you can go back and see your usage and verify that the
  bill you’re about to pay is correct
- next so that you can check what your SMS allowance is going to be
  before you actually get into it
2017-02-06 12:25:48 +00:00
Rebecca Law
b9d88cccc3 Merge pull request #1103 from alphagov/testing-doc
Testing doc
2017-02-03 10:44:38 +00:00
Rebecca Law
b1150efbbc Merge pull request #1100 from alphagov/implement-suspend-service
Add Suspend and Resume service buttons to service-settings page.
2017-02-02 16:08:48 +00:00
Chris Hill-Scott
ef1bbb5692 Be stricter about meaning of severe query param
`severe` can mean one of three things:
- `yes` – user has told us this is an emergency
- `no` – user has told us this isn’t an emergency
- Anything else – user hasn’t been asked the question or has
  hacked/mangled the URL

This commit adds some stricter sanitisation of the `severe` query
parameter and does so up front, rather than spreading it across multiple
functions.
2017-02-02 15:18:42 +00:00
Chris Hill-Scott
f3e52d310b Make calculation of business hours timezone aware
`replace` doesn’t convert a time from one timezone to another. It just
changes the label that says what timezone a time is in 😬

`.localize` is how we handle these kind of issues in the API (see
d0b467b2fb/app/utils.py (L42-L44) )

So this commit changes the calculation to use `.localize`, and makes the
tests timezone aware to check we’re doing this right.
2017-02-02 15:18:42 +00:00
Chris Hill-Scott
97f3a2374b Don’t test for existance of current_user
Current_user is never falsy - it's an `AnonymousUserMixin` when
someone's not logged in.
2017-02-02 15:18:42 +00:00
Chris Hill-Scott
17a4d8ef3b Use boolean logic instead of any/all
Using and/or over any/all has a couple of advantages:

- it's a bit quicker
- it won't evaluate the second half at all if the first half fails – if
  it is in business hours, and convert_to_boolean would raise, with your
  use of all we'd throw a 500, whereas if we had or, business_hours
  would trip and we'd skip over the second half without worrying about
  exceptions

any and all are designed for use with variable length args eg
`any(x for x in thing())`
2017-02-02 15:18:42 +00:00
Leo Hemsted
199dc24cb8 display service name in feedback email if user is logged in
also, split out a couple of tests for legibility and clear up some
linter errors
2017-02-02 15:18:41 +00:00
Chris Hill-Scott
d2680fe885 Require email address for reporting problems
If you report a problem we want to be able to get back to you to find
out more information, or to update you on the status of a fix. So it
shouldn’t be possible to report a problem without providing an email
address.

This commit makes `email_address` a required field when `ticket_type` is
problem.

This requires a bit of fiddling with the tests which weren’t expecting
to have to provide an email address. So the tests now either:
- pass an email address
- check for an error when they don’t pass an email address
2017-02-02 15:18:41 +00:00
Chris Hill-Scott
8f3ba46b27 Preserve message in session if we go out of hours
This is a real edge case, but it seems worth handling.

How you’d get to this case:
- it’s 5:29pm and you start to describe the problem you’re having
- it’s 5:31pm and you click ‘submit’
- you’re redirected to the triage page because we’re now out of hours
- you click ‘this is a serious problem’

What would be bad thing to happen:
- you’re back on the message page and all the stuff you’ve written is
  gone

What would be a good thing to happen:
- we save the message in a session so that you can check it again before
  sending it
2017-02-02 15:18:41 +00:00
Chris Hill-Scott
4ef087fb01 Add a confirmation page
Generally I prefer confirmation pages to the flash message thing
(they’re harder to miss). So this commit adds one.

It also adds some logic to this page, so that, depending what the user
has told us about the thing they’ve submitted, we can tell them how
quickly to expect a response.
2017-02-02 15:18:41 +00:00
Chris Hill-Scott
438868257f Triage tickets based on time of day and services
TL;DR, as much as possible we should work out how to prioritise tickets
and not put that burden on the user. However, there are some cases where
we can’t.

In business hours all tickets are high priority, ie we will at least
acknowledge them within 30 mins.

If we are not in business hours then we need to know if a ticket is
serious enough to get someone out of bed. Only the user can tell us
this, but we can give them some examples to help them decide.

In addition, out-of-hours tickets are only a priority if the user has
live services. Normally we can determine this and do the
priority-setting in the background.

If they can’t log in then we can’t determine what services they have. So
in this case they will need to use the emergency email address, which
only users with live services will have.

The logic for this gets fairly complex. It might be to easier to
understand what’s going on by walking through the test cases, which are
a bit more declarative.

N.B. Deskpro’s ‘urgency’ is descending, eg 10 is the most urgent and 1
is the least.
2017-02-02 15:18:40 +00:00
Chris Hill-Scott
a43112db88 Rename form class
It’s not just feedback now. Support is what we’re calling the whole
feature.
2017-02-02 15:18:40 +00:00
Chris Hill-Scott
8d7869ee54 Don’t ask for a user’s email address if we know it
If a user is logged in then we already know their name and email
address. So there’s no need for them to fill them again on the support
form.

One concern we might have about this is the user not realising we’re
doing this, and the feedback form looking like a bit of a black hole.
So we’re replaying their email address on this page to reassure them
that:
- we know who they are
- and that they’ll get a reply
2017-02-02 15:18:40 +00:00
Chris Hill-Scott
1df3c11ae9 Split support into two pages
The kind of communications we’re getting at the moment can broadly be
broken down into:
- problems
- questions and feedback

We will need to triage problems differently, because they could
potentially be urgent/severe/emergency/P1/whatever language we use.
Questions or feedback will never be P1.

Two reasons for making the user categorise their tickets themselves:

- Outside of hours we can’t get someone out of bed in order to decide if
  a ticket is a problem or just feedback

- We can tailor the subsequent pages to whether it’s a problem or
  feedback (eg showing a link to the status page if the user is having
  a problem)

This commit let’s users make the choice with a pair of radio buttons.

It also cleans up a bunch of the tests and parameterizes them so we’re
testing the flow for both ticket types.
2017-02-02 15:18:40 +00:00
Chris Hill-Scott
4503724ad6 Add a support index page
Our support process is about to get more fully fledged so we’ll need
an index page to route people properly.

We reckon that users will also want to know what the support process is,
so let’s explain it on this page.
2017-02-02 15:18:39 +00:00
Pete Herlihy
d040527dec Merge pull request #1102 from alphagov/api-key-labels
Api key labels updated to clarify Live, Team and Test
2017-02-02 13:33:28 +00:00
Pete Herlihy
c1f771a73d Updated the labels for API key creation options 2017-02-02 12:44:12 +00:00
Rebecca Law
7f31bd7548 Merge branch 'master' into testing-doc 2017-01-31 16:36:03 +00:00
Rebecca Law
26974886ec Add Suspend and Resume service buttons to service-settings page. 2017-01-31 15:56:06 +00:00
Rebecca Law
f07de56b38 Merge pull request #1096 from alphagov/rename-deactive-service-endpoint
Changed deactivate service to archive service.
2017-01-31 13:51:26 +00:00
Leo Hemsted
2cd8304061 Merge pull request #1082 from alphagov/persist-letters
allow creation of letter jobs
2017-01-31 10:31:34 +00:00
Rebecca Law
6d883b59ad Changed deactivate service to archive service.
need to deploy https://github.com/alphagov/notifications-api/pull/808 first
2017-01-31 09:54:51 +00:00
Rebecca Law
dc9524f01e WIP: First attempt at adding a testing doc to the links in the footer.
This may result in changing the developer document section completely.
2017-01-27 17:32:20 +00:00
Rebecca Law
de94f369a7 A bug was reported on where editting a template with a breaking change.
The url was not being properly formed, missing the tempalte_id, meaning the back button on the page did not work.

This fixes that, includes a check of the url for the back button.
2017-01-24 17:42:18 +00:00