From 19f7678b0560fcf1d00ab32f0c5b543bc728abb4 Mon Sep 17 00:00:00 2001 From: Pea Tyczynska Date: Mon, 17 Dec 2018 10:03:54 +0000 Subject: [PATCH] Don't allow to set postage per template if no service permission --- app/template/rest.py | 14 +++++++- app/template/template_schemas.py | 3 +- tests/app/dao/test_templates_dao.py | 2 +- tests/app/db.py | 2 ++ tests/app/template/test_rest.py | 56 +++++++++++++++++++++++++++++ 5 files changed, 74 insertions(+), 3 deletions(-) diff --git a/app/template/rest.py b/app/template/rest.py index 8cbb4125f..9dc32c94f 100644 --- a/app/template/rest.py +++ b/app/template/rest.py @@ -31,7 +31,7 @@ from app.errors import ( InvalidRequest ) from app.letters.utils import get_letter_pdf -from app.models import SMS_TYPE, Template +from app.models import SMS_TYPE, Template, CHOOSE_POSTAGE from app.notifications.validators import service_has_permission, check_reply_to from app.schema_validation import validate from app.schemas import (template_schema, template_history_schema) @@ -78,6 +78,12 @@ def create_template(service_id): errors = {'template_type': [message]} raise InvalidRequest(errors, 403) + if new_template.postage: + if not service_has_permission(CHOOSE_POSTAGE, fetched_service.permissions): + message = "Setting postage on templates is not enabled for this service." + errors = {'template_postage': [message]} + raise InvalidRequest(errors, 403) + new_template.service = fetched_service over_limit = _content_count_greater_than_limit(new_template.content, new_template.template_type) 
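Review bot: The permission gate added to create_template is keyed on truthiness (`if new_template.postage:`), so a request that sends a falsy value such as `"postage": ""` supplies the field while skipping the CHOOSE_POSTAGE check; the update_template hunk has the same pattern in `if data.get('postage'):`. The schema hunk in this patch accepts any string, including the empty one, so nothing visible here stops that value earlier. Gating on presence closes the gap: `if new_template.postage is not None:` here and `if data.get('postage') is not None:` in update_template. The five-line check is duplicated verbatim in both handlers, so a small shared helper (for example `_check_postage_permission(permissions)`) would keep the two authorization paths from drifting apart. create_template's body starts and ends outside the hunk.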
@@ -110,6 +116,12 @@ def update_template(service_id, template_id): if data.get('redact_personalisation') is True: return redact_template(fetched_template, data) + if data.get('postage'): + if not service_has_permission(CHOOSE_POSTAGE, fetched_template.service.permissions): + message = "Setting postage on templates is not enabled for this service." + errors = {'template_postage': [message]} + raise InvalidRequest(errors, 403) + if "reply_to" in data: check_reply_to(service_id, data.get("reply_to"), fetched_template.template_type) updated = dao_update_template_reply_to(template_id=template_id, reply_to=data.get("reply_to")) diff --git a/app/template/template_schemas.py b/app/template/template_schemas.py index f63ad4575..9f38262a5 100644 --- a/app/template/template_schemas.py +++ b/app/template/template_schemas.py @@ -17,7 +17,8 @@ post_create_template_schema = { "content": {"type": "string"}, "subject": {"type": "string"}, "created_by": uuid, - "parent_folder_id": uuid + "parent_folder_id": uuid, + "postage": {"type": "string"}, }, "if": { "properties": { diff --git a/tests/app/dao/test_templates_dao.py b/tests/app/dao/test_templates_dao.py index d86cec7a0..cbe6c6b72 100644 --- a/tests/app/dao/test_templates_dao.py +++ b/tests/app/dao/test_templates_dao.py @@ -153,7 +153,7 @@ def test_dao_update_template_reply_to_none_to_some(sample_service, sample_user): assert template_history.updated_at == updated.updated_at -def test_dao_update_tempalte_reply_to_some_to_some(sample_service, sample_user): +def test_dao_update_template_reply_to_some_to_some(sample_service, sample_user): letter_contact = create_letter_contact(sample_service, 'Edinburgh, ED1 1AA') letter_contact_2 = create_letter_contact(sample_service, 'London, N1 1DE') diff --git a/tests/app/db.py b/tests/app/db.py index 94d6ac287..a2db88ae6 100644 --- a/tests/app/db.py +++ b/tests/app/db.py 
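Review bot: The new postage check in update_template sits after the `redact_personalisation` early return, so a body carrying both `redact_personalisation: true` and `postage` returns through redact_template without ever reaching the CHOOSE_POSTAGE check. That is harmless only if redact_template never applies other fields from `data`, which is not visible in this hunk. Moving the check above the `if data.get('redact_personalisation') is True:` line makes the authorization decision independent of that assumption. The body of update_template starts and ends outside the hunk.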
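Review bot: `"postage": {"type": "string"}` in post_create_template_schema accepts any string, so a service that does hold CHOOSE_POSTAGE can submit an arbitrary value unless the model or database rejects it later. Constraining the property with a JSON Schema `enum` of the supported postage classes (the tests in this patch use 'first') would reject bad values at the API boundary. The patch shows no matching change to an update schema, so check that the update path validates `postage` the same way. The schema dict starts and ends outside the hunk.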
@@ -140,6 +140,7 @@ def create_template( hidden=False, archived=False, folder=None, + postage=None, ): data = { 'name': template_name or '{} Template Name'.format(template_type), @@ -150,6 +151,7 @@ def create_template( 'reply_to': reply_to, 'hidden': hidden, 'folder': folder, + 'postage': postage, } if template_type != SMS_TYPE: data['subject'] = subject diff --git a/tests/app/template/test_rest.py b/tests/app/template/test_rest.py index 7cf46aa80..91c569a00 100644 --- a/tests/app/template/test_rest.py +++ b/tests/app/template/test_rest.py @@ -17,6 +17,7 @@ from app.models import ( EMAIL_TYPE, LETTER_TYPE, SMS_TYPE, + CHOOSE_POSTAGE, Template, TemplateHistory ) @@ -210,6 +211,34 @@ def test_should_raise_error_on_create_if_no_permission( assert json_resp['message'] == expected_error +def test_should_raise_error_on_create_if_no_choose_postage_permission(client, sample_user): + service = create_service(service_permissions=[LETTER_TYPE]) + data = { + 'name': 'my template', + 'template_type': LETTER_TYPE, + 'content': 'template content', + 'service': str(service.id), + 'created_by': str(sample_user.id), + 'subject': "Some letter", + 'postage': 'first', + } + + data = json.dumps(data) + auth_header = create_authorization_header() + + response = client.post( + '/service/{}/template'.format(service.id), + headers=[('Content-Type', 'application/json'), auth_header], + data=data + ) + json_resp = json.loads(response.get_data(as_text=True)) + assert response.status_code == 403 + assert json_resp['result'] == 'error' + assert json_resp['message'] == { + "template_postage": ["Setting postage on templates is not enabled for this service."] + } + + @pytest.mark.parametrize('template_factory, expected_error', [ (sample_template_without_sms_permission, {'template_type': ['Updating text message templates is not allowed']}), (sample_template_without_email_permission, {'template_type': ['Updating email templates is not allowed']}), 
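Review bot: Both new tests in test_rest.py (test_should_raise_error_on_create_if_no_choose_postage_permission here and test_should_be_error_on_update_if_no_choose_postage_permission in the next hunk) exercise only the denial path, so nothing in this patch proves that a service holding CHOOSE_POSTAGE can actually set postage. Add a companion case built with `create_service(service_permissions=[LETTER_TYPE, CHOOSE_POSTAGE])` that posts `'postage': 'first'` and asserts a success status and the stored value. A case that sends a falsy `postage` without the permission would also pin down how the truthiness check in rest.py is meant to behave.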
@@ -239,6 +268,33 @@ def test_should_be_error_on_update_if_no_permission( assert json_resp['message'] == expected_error +def test_should_be_error_on_update_if_no_choose_postage_permission(client, sample_user): + service = create_service(service_name='some_service', service_permissions=[LETTER_TYPE]) + template = create_template(service, template_type=LETTER_TYPE) + data = { + 'content': 'new template content', + 'created_by': str(sample_user.id), + 'postage': 'first' + } + + data = json.dumps(data) + auth_header = create_authorization_header() + + update_response = client.post( + '/service/{}/template/{}'.format( + template.service_id, template.id), + headers=[('Content-Type', 'application/json'), auth_header], + data=data + ) + + json_resp = json.loads(update_response.get_data(as_text=True)) + assert update_response.status_code == 403 + assert json_resp['result'] == 'error' + assert json_resp['message'] == { + "template_postage": ["Setting postage on templates is not enabled for this service."] + } + + def test_should_error_if_created_by_missing(client, sample_user, sample_service): service_id = str(sample_service.id) data = {
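Review bot: test_should_be_error_on_update_if_no_choose_postage_permission asserts the 403 body but not that the template was left untouched, so a regression that writes `content` before rejecting the request would still pass. After the response assertions, re-read the template and check it, for example `assert Template.query.get(template.id).content != 'new template content'` (this assumes the fixture's default content differs, which is not visible here). The trailing context of this hunk, test_should_error_if_created_by_missing, continues outside the hunk.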