Add flag to say if user is eligible for WebAuthn

Currently we have some data-driven roles to say who can use this feature. Adding a flag in the API means we can avoid API calls in the Admin app to determine the same. Allowing members of the GOV.UK Notify service to use the feature is a workaround, so we can avoid making someone a Platform Admin before they've protected their account with it.
2026-02-01 07:35:34 -05:00 · 2021-06-25 17:29:19 +01:00
parent 2b292ebd16
commit 2fa6327efb
3 changed files with 27 additions and 0 deletions
--- a/app/models.py
+++ b/app/models.py
@@ -140,6 +140,17 @@ class User(db.Model):
    def password(self):
        raise AttributeError("Password not readable")

+    @property
+    def can_use_webauthn(self):
+        if self.platform_admin:
+            return True
+
+        return any(
+            str(service.organisation_id) == current_app.config['BROADCAST_ORGANISATION_ID'] or
+            str(service.id) == current_app.config['NOTIFY_SERVICE_ID']
+            for service in self.services
+        )
+
    @password.setter
    def password(self, password):
        self._password = hashpw(password)
@@ -179,6 +190,7 @@ class User(db.Model):
            'permissions': self.get_permissions(),
            'platform_admin': self.platform_admin,
            'services': [x.id for x in self.services if x.active],
+            'can_use_webauthn': self.can_use_webauthn,
            'state': self.state,
        }

--- a/tests/app/test_model.py
+++ b/tests/app/test_model.py
@@ -341,3 +341,17 @@ def test_template_folder_is_parent(sample_service):
    assert folders[0].is_parent_of(folders[4])
    assert folders[1].is_parent_of(folders[2])
    assert not folders[1].is_parent_of(folders[0])
+
+
+@pytest.mark.parametrize('is_platform_admin', (False, True))
+def test_user_can_use_webauthn_returns_false(sample_user, is_platform_admin):
+    sample_user.platform_admin = is_platform_admin
+    assert sample_user.can_use_webauthn == is_platform_admin
+
+
+def test_user_can_use_webauthn_if_in_broadcast_org(sample_broadcast_service):
+    assert sample_broadcast_service.users[0].can_use_webauthn
+
+
+def test_user_can_use_webauthn_if_in_notify_team(notify_service):
+    assert notify_service.users[0].can_use_webauthn
--- a/tests/app/user/test_rest.py
+++ b/tests/app/user/test_rest.py
@@ -72,6 +72,7 @@ def test_get_user(admin_request, sample_service, sample_organisation):
    assert fetched['permissions'].keys() == {str(sample_service.id)}
    assert fetched['services'] == [str(sample_service.id)]
    assert fetched['organisations'] == [str(sample_organisation.id)]
+    assert fetched['can_use_webauthn'] is False
    assert sorted(fetched['permissions'][str(sample_service.id)]) == sorted(expected_permissions)