Add public API endpoint to create emergency alerts

We know there is at least one system which wants to integrate with Notify to send out emergency alerts, rather than creating them manually. This commit adds an endpoint to the public API to let them do that. To start with we’ll just let the system create them in a single call, meaning they still have to be approved manually. This reduces the risk of an attacker being able to broadcast an alert via the API, should the other system be compromised. We’ve worked with the owners of the other system to define which fields we should care about initially.
2026-02-02 09:26:08 -05:00 · 2021-01-18 10:01:44 +00:00
parent dfbd31cef8
commit 61c9e50ed9
5 changed files with 116 additions and 0 deletions
--- a/tests/app/v2/broadcast/init.py
+++ b/tests/app/v2/broadcast/init.py
--- a/tests/app/v2/broadcast/test_post_broadcast.py
+++ b/tests/app/v2/broadcast/test_post_broadcast.py
@@ -0,0 +1,65 @@
+from flask import json
+from freezegun import freeze_time
+from tests import create_authorization_header
+from unittest.mock import ANY
+
+
+def test_broadcast_for_service_without_permission_returns_400(
+    client,
+    sample_service,
+):
+    auth_header = create_authorization_header(service_id=sample_service.id)
+    response = client.post(
+        path='/v2/broadcast',
+        data='',
+        headers=[('Content-Type', 'application/json'), auth_header],
+    )
+
+    assert response.status_code == 400
+    assert response.get_json()['errors'][0]['message'] == (
+        'Service is not allowed to send broadcast messages'
+    )
+
+
+def test_valid_post_broadcast_returns_201(
+    client,
+    sample_broadcast_service,
+):
+    auth_header = create_authorization_header(service_id=sample_broadcast_service.id)
+
+    response = client.post(
+        path='/v2/broadcast',
+        data=json.dumps({
+            'content': 'This is a test',
+            'reference': 'abc123',
+            'polygons': [[
+                [1, 2], [3, 4], [5, 6],
+            ]],
+        }),
+        headers=[('Content-Type', 'application/json'), auth_header],
+    )
+
+    assert response.status_code == 201
+
+    response_json = json.loads(response.get_data(as_text=True))
+
+    assert response_json['approved_at'] is None
+    assert response_json['approved_by_id'] == None
+    assert response_json['areas'] == []
+    assert response_json['cancelled_at'] == None
+    assert response_json['cancelled_by_id'] == None
+    assert response_json['content'] == 'This is a test'
+    assert response_json['reference'] == 'abc123'
+    assert response_json['created_at']  # datetime generated by the DB so can’t freeze it
+    assert response_json['created_by_id'] == None
+    assert response_json['finishes_at'] is None
+    assert response_json['id'] == ANY
+    assert response_json['personalisation'] is None
+    assert response_json['service_id'] == str(sample_broadcast_service.id)
+    assert response_json['simple_polygons'] == [[[1, 2], [3, 4], [5, 6]]]
+    assert response_json['starts_at'] is None
+    assert response_json['status'] == 'pending-approval'
+    assert response_json['template_id'] is None
+    assert response_json['template_name'] is None
+    assert response_json['template_version'] is None
+    assert response_json['updated_at'] is None