From 24625a44f35eb7664cb5a3279aeb5502dcb1dc09 Mon Sep 17 00:00:00 2001
From: Leo Hemsted
Date: Tue, 24 May 2016 13:08:38 +0100
Subject: [PATCH] prevent public api from sending archived templates
---
 app/notifications/rest.py | 7 ++++++-
 tests/app/notifications/test_rest.py | 24 +++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/app/notifications/rest.py b/app/notifications/rest.py
index 679a3cdfc..7d03a0d9a 100644
--- a/app/notifications/rest.py
+++ b/app/notifications/rest.py
@@ -1,4 +1,4 @@
-from datetime import datetime, date
+from datetime import datetime
 import statsd
 import itertools
 from flask import (
@@ -30,6 +30,7 @@ from app.schemas import (
 notifications_filter_schema,
 notifications_statistics_schema,
 day_schema,
+ unarchived_template_schema
 )
 from app.celery.tasks import send_sms, send_email
@@ -328,6 +329,10 @@ def send_notification(notification_type):
 service_id=service_id
 )
+ errors = unarchived_template_schema.validate({'archived': template.archived})
+ if errors:
+ return jsonify(result='error', message=errors), 400
+
 template_object = Template(template.__dict__, notification.get('personalisation', {}))
 if template_object.missing_data:
 return jsonify(
diff --git a/tests/app/notifications/test_rest.py b/tests/app/notifications/test_rest.py
index 4f7aea7c1..0dcbcaeb2 100644
--- a/tests/app/notifications/test_rest.py
+++ b/tests/app/notifications/test_rest.py
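Review bot: The archived check added after the template lookup in `send_notification` is enforced only at this one call site, so any other code path that loads a template and queues a send would have to repeat it. Nothing in the hunk shows whether such paths exist, but applying the rule inside the template lookup itself would cover every caller. Running a value read from the database through `unarchived_template_schema.validate({'archived': template.archived})` is also an indirect way to test one boolean; `if template.archived:` followed by the same 400 response reads more directly, provided the message the test expects is kept. If the schema stays, a comment such as `# archived templates count as deleted and must never be sent` above the check would record the intent. The body of `send_notification` starts and ends outside the hunk.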
@@ -13,7 +13,7 @@ from tests.app.conftest import sample_email_template as create_sample_email_temp
 from tests.app.conftest import sample_template as create_sample_template
 from flask import (json, current_app, url_for)
 from app.models import Service
-from app.dao.templates_dao import dao_get_all_templates_for_service
+from app.dao.templates_dao import dao_get_all_templates_for_service, dao_update_template
 from app.dao.services_dao import dao_update_service
 from app.dao.notifications_dao import get_notification_by_id, dao_get_notification_statistics_for_service
 from freezegun import freeze_time
@@ -564,6 +564,28 @@ def test_send_notification_with_placeholders_replaced(notify_api, sample_templat
 assert encryption.decrypt(app.celery.tasks.send_sms.apply_async.call_args[0][0][2]) == data
+def test_should_not_send_notification_for_archived_template(notify_api, sample_template, mocker):
+ with notify_api.test_request_context():
+ with notify_api.test_client() as client:
+ sample_template.archived = True
+ dao_update_template(sample_template)
+ limit = current_app.config.get('SMS_CHAR_COUNT_LIMIT')
+ json_data = json.dumps({
+ 'to': '+447700900855',
+ 'template': sample_template.id
+ })
+ endpoint = url_for('notifications.send_notification', notification_type='sms')
+ auth_header = create_authorization_header(service_id=sample_template.service.id)
+
+ resp = client.post(
+ path=endpoint,
+ data=json_data,
+ headers=[('Content-Type', 'application/json'), auth_header])
+ assert resp.status_code == 400
+ json_resp = json.loads(resp.get_data(as_text=True))
+ assert 'Template has been deleted' in json_resp['message']['template']
+
+
 def test_send_notification_with_missing_personalisation(notify_api, sample_template_with_placeholders, mocker):
 with notify_api.test_request_context():
 with notify_api.test_client() as client:
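Review bot: `test_should_not_send_notification_for_archived_template` asserts only the 400 status and the error text, never that no message was queued, which is the property the commit is meant to guarantee. It requests `mocker` but does not patch the Celery task, so a regression in the guard would let the test reach the real `apply_async`. Adding `mocker.patch('app.celery.tasks.send_sms.apply_async')` at the top (the preceding test appears to use that target) and `assert not app.celery.tasks.send_sms.apply_async.called` after the status check would pin the behaviour. The `limit = current_app.config.get('SMS_CHAR_COUNT_LIMIT')` assignment is unused in this test and can be dropped.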