Add public API endpoint to create emergency alerts

We know there is at least one system which wants to integrate with Notify to send out emergency alerts, rather than creating them manually. This commit adds an endpoint to the public API to let them do that. To start with we’ll just let the system create them in a single call, meaning they still have to be approved manually. This reduces the risk of an attacker being able to broadcast an alert via the API, should the other system be compromised. We’ve worked with the owners of the other system to define which fields we should care about initially.
2026-02-03 09:51:11 -05:00 · 2021-01-18 10:01:44 +00:00
parent dfbd31cef8
commit 61c9e50ed9
5 changed files with 116 additions and 0 deletions
--- a/app/v2/broadcast/init.py
+++ b/app/v2/broadcast/init.py
@@ -0,0 +1,10 @@
+from flask import Blueprint
+from app.v2.errors import register_errors
+
+v2_broadcast_blueprint = Blueprint(
+    "v2_broadcast_blueprint",
+    __name__,
+    url_prefix='/v2/broadcast',
+)
+
+register_errors(v2_broadcast_blueprint)
--- a/app/v2/broadcast/post_broadcast.py
+++ b/app/v2/broadcast/post_broadcast.py
@@ -0,0 +1,37 @@
+from flask import jsonify, request
+from app import authenticated_service, api_user
+from app.dao.dao_utils import dao_save_object
+from app.notifications.validators import check_service_has_permission
+from app.models import BROADCAST_TYPE, BroadcastMessage, BroadcastStatusType
+from app.v2.broadcast import v2_broadcast_blueprint
+
+
+@v2_broadcast_blueprint.route("", methods=['POST'])
+def create_broadcast():
+
+    check_service_has_permission(
+        BROADCAST_TYPE,
+        authenticated_service.permissions,
+    )
+
+    request_json = request.get_json()
+
+    broadcast_message = BroadcastMessage(
+        service_id=authenticated_service.id,
+        content=request_json['content'],
+        reference=request_json['reference'],
+        areas={
+            "areas": [],
+            "simple_polygons": request_json['polygons'],
+        },
+        status=BroadcastStatusType.PENDING_APPROVAL,
+        api_key_id=api_user.id,
+        # The client may pass in broadcast_json['expires'] but it’s
+        # simpler for now to ignore it and have the rules around expiry
+        # for broadcasts created with the API match those created from
+        # the admin app
+    )
+
+    dao_save_object(broadcast_message)
+
+    return jsonify(broadcast_message.serialize()), 201