Commit Graph

4981 Commits

Author SHA1 Message Date
Alexey Bezhan
e6d4c7aaa8 Don't link folders in the folder path if user doesn't have permission
This updates folder_path macro to not link to any folders that
the user doesn't have permission for.
2019-04-01 10:50:39 +01:00
Alexey Bezhan
172f6b303f Fix missing New template / folder buttons on Templates root page
User folder permission check should recognize both `None` folder and
folder with a `None` id as template root.
2019-04-01 10:50:39 +01:00
Alexey Bezhan
7e0529b600 Fix missing space in current_user context processor 2019-04-01 10:50:39 +01:00
Alexey Bezhan
355927d091 Hide template and folder action links if user doesn't have folder access
Hides action links ('Send', 'Edit', 'Delete' and 'Redact' fro templates
and 'Manage' for template folders) and buttons ('New template', 'New folder')
if the user doesn't have permission to view current folder or template's
parent folder.
2019-04-01 10:50:39 +01:00
Alexey Bezhan
bfe6768796 Add user permission check to template folder actions 2019-04-01 10:50:38 +01:00
Alexey Bezhan
792b625de7 Add folder permission check to copy template endpoint
Copying a template from another service is one place where we can't
use the `current_service` method since the source template can belong
to a different service the user has access to, so we're using an API
client method.
2019-04-01 10:50:38 +01:00
Alexey Bezhan
35fb92c02c Replace sevice api client get template calls with Service methods
Instead of using the API client directly views are now calling one
of two Service model methods:

`get_template` is used for view actions, where the user should see
the template page even if they don't have access to the template
folder (since all templates are still inked from the dashboard or
the sent notifications pages).

`get_template_with_user_permission_or_403` will check if the user
has access to the template's folder first and return 403 otherwise.
This method is used for any endpoints that result in an action: editing
template attributes, deleting templates or sending messages.
2019-04-01 10:50:38 +01:00
Alexey Bezhan
a30c9733b0 Add a helper Service method to get a template given user has permission
Checks if the user has access to the template's parent folder and
either returns the template or a 403 response.

This method should be used instead of calling service_api_client from
the views.
2019-04-01 10:50:38 +01:00
Alexey Bezhan
af2eb0555d Make sure users always have permission to access top-level templates 2019-04-01 10:50:38 +01:00
Alexey Bezhan
e6d7f7ebeb Add a user method to check folder permission
User model is the most natural place for a permission check method,
however this means that we need to pass the full user object to
service model methods and TemplateList instead of user_id.
2019-04-01 10:50:38 +01:00
Chris Hill-Scott
2c03771e9c Mark agreement signed by East Staffordshire 2019-04-01 10:17:00 +01:00
Leo Hemsted
53cdbad2cc make inbound search a POST
that way it doesn't expose PII to our logs
2019-03-29 15:16:29 +00:00
Tom Byers
c5208d712e Merge pull request #2876 from alphagov/stop-focus-overlap-alternative
Stop focus overlap - with support for caret focus
2019-03-27 14:54:09 +00:00
Chris Hill-Scott
a852b6ef07 Merge pull request #2879 from alphagov/use-client-request-fixture
Use `client_request` fixture where possible
2019-03-27 10:51:22 +00:00
karlchillmaid
151fa35e1e Merge pull request #2877 from alphagov/free-message-allowance-update
Update free text message allowance
2019-03-27 10:38:02 +00:00
Chris Hill-Scott
883b07e3f0 Use client_request fixture where possible
It:
- saves repetetive boilerplate code
- does some extra checks (eg checking for a `200` response)
- makes the codebase less confusing to consistently do the same thing in
  the same way
2019-03-26 16:38:00 +00:00
Leo Hemsted
f872294235 remove the remove-user get method
remove `confirm` from `confirm_remove_user_from_service` as there's
only one action now that the initial confirmation prompt takes place
on the edit permissions page
2019-03-26 15:52:37 +00:00
Leo Hemsted
f7f9dd8530 fix user permissions save button sometimes deleting
when you hit the delete button, it flashes the delete button and takes
you to the `/service/../user/../delete` url. If you then click the save
button, it would make a POST to the delete URL... and delete the user.

now the page stays on the edit url, but adds a `?delete=yes` query
string. The dangerous flash banner now has an action field which
defines where the browser will make the POST to (which remains at
/delete).
2019-03-26 15:52:37 +00:00
Chris Hill-Scott
59311e5eab Mark agreement signed by Angus Council 2019-03-26 14:46:06 +00:00
karlchillmaid
67e176133b Updated free text message allowance
Updated free text message allowance to make it clearer.

Added a link to full pricing information.

Ticket: https://www.pivotaltracker.com/story/show/163908166
2019-03-26 10:59:27 +00:00
Chris Hill-Scott
d693715516 Merge pull request #2875 from alphagov/set-service-count-as-live
Allow excluding services from live services count
2019-03-25 16:26:34 +00:00
Tom Byers
a426cae968 Remove overlap check for elements in sticky
Our sticky controls often contain focusable
elements.
2019-03-25 15:59:32 +00:00
Tom Byers
8ad4c5e6e1 Add separate overlap handling for textareas
Our textareas are multi-line and can change in
size based on their content.

Because of this, we need to check the caret for
overlapping, not the whole textarea.

This adds separate tracking for this.
2019-03-25 15:59:32 +00:00
Tom Byers
5ba2bd66e0 Revert "Merge pull request #2855 from alphagov/revert-2843-stop-sticky-overlapping-focus"
This reverts commit 0f9969989a, reversing
changes made to 42e3770e65.
2019-03-25 15:58:23 +00:00
Chris Hill-Scott
8fb576e60a Allow excluding services from live services count
Adds a front end for:
https://github.com/alphagov/notifications-api/pull/2417

> Sometimes we have to make a few services for what really is one
> service, for example GOV.UK Pay and GOV.UK Pay Direct Debit. We also
> have our own test services which aren’t included in the count of live
> services. We currently count these as one service by not including
> them in the beta partners spreadsheet.
2019-03-25 15:46:35 +00:00
Chris Hill-Scott
0f4fcafe59 Mark agreement signed by Sevenoaks District Council 2019-03-25 14:24:46 +00:00
Chris Hill-Scott
23bbfb955f Fix isort breaking things 2019-03-25 11:23:59 +00:00
Chris Hill-Scott
cff009bc0d Run isort 2019-03-25 11:23:58 +00:00
Chris Hill-Scott
9e27e4e510 Merge pull request #2869 from alphagov/update-dependencies
Update pyexcel, pyexcel-io and werkzeug
2019-03-25 11:16:45 +00:00
Chris Hill-Scott
db3cee63ba Update call to proxy fix to use new method signature
Old method:

```python
ProxyFix(app, num_proxies=1)
```
https://werkzeug.palletsprojects.com/en/0.14.x/contrib/fixers/#werkzeug.contrib.fixers.ProxyFix

This uses forwarded values for `REMOTE_ADDR` and `HTTP_HOST`.

New method:
```python
ProxyFix(app, num_proxies=None, x_for=1, x_proto=0, x_host=0, x_port=0, x_prefix=0)
```
https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix/#module-werkzeug.middleware.proxy_fix

Setting `x_for=1` preserves the same behaviour as `num_proxies=1`.
Setting  `x_proto=1` and `x_host=1` will cause `REMOTE_ADDR`,
`HTTP_HOST`, `SERVER_NAME` and `SERVER_PORT` to be forwarded.

So we will be forwarding `SERVER_NAME` and `SERVER_PORT` which we
weren’t before, but we think this is OK.
2019-03-25 11:03:48 +00:00
Chris Hill-Scott
50bb20ad32 Allow up to 20 domains per organisation
The most we have in the spreadsheet is 18
2019-03-22 16:27:30 +00:00
Chris Hill-Scott
8b81d3594a Prevent duplicate domains 2019-03-22 16:10:34 +00:00
Chris Hill-Scott
de68d720c7 Make all services for an organisation available to platform admin users 2019-03-22 14:23:25 +00:00
Chris Hill-Scott
eaa7af8692 Make navigating organisations a bit easier 2019-03-22 14:23:25 +00:00
Chris Hill-Scott
936883bf7b Allow editing of an organisation’s details
Adds a user interface for updating all the columns added in
https://github.com/alphagov/notifications-api/pull/2368

Sorry for the mega commit 😓
2019-03-22 14:23:24 +00:00
Katie Smith
c675925fd1 Upgrade pyexcel-io, which also upgrades Werkzeug
Upgraded pyexcel-io from 0.5.14 to 0.5.16. This change causes Werkzeug
to be upgraded from 0.14.1 to 0.15.1 which requires some changes:

* ProxyFix now needs to be imported from a different location
* The status code of RequestRedirect has changed from 301 to 308. Since
status code 308 is not currently supported on Internet Explorer with
Windows 7 and 8.1, this subclasses RequestRedirect to keep the status
code of 301.

changelog: https://werkzeug.palletsprojects.com/en/0.15.x/changes/#version-0-15-0
2019-03-22 14:18:44 +00:00
Pea (Malgorzata Tyczynska)
307e959fd6 Merge pull request #2862 from alphagov/show-templates-across-user-folders
When replying to inbound sms show templates in all user's folders
2019-03-22 14:15:13 +00:00
Katie Smith
fe86833549 Merge pull request #2850 from alphagov/add-folder-permissions-when-inviting-user
Set folder permissions when creating and accepting invites
2019-03-22 13:37:27 +00:00
Katie Smith
7654d3c5fd Send folders if inviting user for service without edit folder permissions
If a new user is being invited for a service which doesn't have edit
folder permissions turned on, we want to send all folders for that
service to api.
2019-03-22 13:29:13 +00:00
Pea Tyczynska
0743a68e09 Reflect template folder structure on inbound conversation reply page 2019-03-21 16:06:47 +00:00
Pea Tyczynska
3fc4f6866c When replying to inbound sms show templates in all user's folders 2019-03-21 16:06:47 +00:00
karlchillmaid
358b5054ad Correct typo and remove sub-heading
Correct typo in line 39

Remove sub-heading because it's probably not needed on the Letter validation preview page
2019-03-21 10:28:18 +00:00
Katie Smith
3fb752a009 Delete cached template-folders when adding user to service
The api endpoint to get all template folders also returns the users who
can see each folder.

We need to clear the template-folder cache when adding a user to a service so
that we are not using out of date data about who can see each folder.
2019-03-21 10:17:05 +00:00
Katie Smith
c39f6d49ea Set folder permissions when creating and accepting invites to services
Added a folder permissions form to the page to invite users to services.
This only shows if the service has 'edit_folder_permissions' enabled,
and all folder checkboxes are checked by default. This change means that
InviteApiClient.create_invite now sends folder_permissions through to
notifications_api (so invites get created with folder permissions).

Started passing the folder_permissions through to notifications-api when
accepting an invite. This changes UserApiClient.add_user_to_service to
send folder_permissions to notifications_api so that new users get folder
permissions when they are added to the service.
2019-03-21 10:17:05 +00:00
Katie Smith
782bd34394 Use folder_permissions in the InvitedUser model
We were already invitializing InvitedUser with folder_permissions
(defaulting to None), but this removes the default and adds
folder_permissions to the serialize method. Folder permissions should
now always be returned from api, either as an empty list or a list of
UUIDs.
2019-03-21 10:17:05 +00:00
Rebecca Law
15b74a74fb Merge pull request #2864 from alphagov/fix-delete-folder-with-permissions
Delete folder bug fix
2019-03-21 09:17:06 +00:00
Rebecca Law
980f75029f This is a fix for delete folder when the service has permission to edit folder permissions. 2019-03-20 17:04:44 +00:00
Chris Hill-Scott
0cc566a796 Mark agreement signed by Horsham Council 2019-03-20 16:20:58 +00:00
Chris Hill-Scott
e32f6a92c1 Merge pull request #2860 from fidejoseph/patch-8
Update email_domains.yml
2019-03-20 13:48:44 +00:00
Rebecca Law
42e63667f7 Updated copy on the page.
Added unit tests.
Added error when file is too big.
2019-03-20 11:31:29 +00:00