Add permission check in for v2 post notification

2026-02-01 07:35:34 -05:00 · 2017-06-29 11:13:32 +01:00
parent 46a55c1cdb
commit e0fbcb0dc6
4 changed files with 58 additions and 16 deletions
--- a/app/notifications/validators.py
+++ b/app/notifications/validators.py
@@ -73,6 +73,19 @@ def service_can_send_to_recipient(send_to, key_type, service):
        raise BadRequestError(message=message)


+def service_has_permission(service, permission):
+    if permission not in [p.permission for p in service.permissions]:
+        action = 'send'
+        permission_text = permission + 's'
+        if permission == SMS_TYPE:
+            permission_text = 'text messages'
+        elif permission == SCHEDULE_NOTIFICATIONS:
+            action = 'schedule'
+            permission_text = "notifications (this feature is invite-only)"
+
+        raise BadRequestError(message="Cannot {} {}".format(action, permission_text))
+
+
 def validate_and_format_recipient(send_to, key_type, service, notification_type):
    service_can_send_to_recipient(send_to, key_type, service)

@@ -98,12 +111,6 @@ def check_sms_content_char_count(content_count):
        raise BadRequestError(message=message)


-def service_can_schedule_notification(service, scheduled_for):
-    if scheduled_for:
-        if SCHEDULE_NOTIFICATIONS not in [p.permission for p in service.permissions]:
-            raise BadRequestError(message="Cannot schedule notifications (this feature is invite-only)")
-
-
 def validate_template(template_id, personalisation, service, notification_type):
    try:
        template = templates_dao.dao_get_template_by_id_and_service_id(
--- a/app/template/rest.py
+++ b/app/template/rest.py
@@ -37,7 +37,7 @@ def _content_count_greater_than_limit(content, template_type):
    return template.content_count > current_app.config.get('SMS_CHAR_COUNT_LIMIT')


-def _has_service_permission(template_type, action, permissions):
+def _service_has_permission(template_type, action, permissions):
    if template_type not in [p.permission for p in permissions]:
        template_type_text = template_type
        if template_type == SMS_TYPE:
@@ -53,7 +53,7 @@ def create_template(service_id):
    permissions = fetched_service.permissions
    new_template = template_schema.load(request.get_json()).data

-    _has_service_permission(new_template.template_type, 'Create', permissions)
+    _service_has_permission(new_template.template_type, 'Create', permissions)

    new_template.service = fetched_service
    over_limit = _content_count_greater_than_limit(new_template.content, new_template.template_type)
@@ -71,7 +71,7 @@ def create_template(service_id):
 def update_template(service_id, template_id):
    fetched_template = dao_get_template_by_id_and_service_id(template_id=template_id, service_id=service_id)

-    _has_service_permission(fetched_template.template_type, 'Update', fetched_template.service.permissions)
+    _service_has_permission(fetched_template.template_type, 'Update', fetched_template.service.permissions)

    data = request.get_json()

--- a/app/v2/notifications/post_notifications.py
+++ b/app/v2/notifications/post_notifications.py
@@ -2,7 +2,7 @@ from flask import request, jsonify, current_app

 from app import api_user, authenticated_service
 from app.config import QueueNames
-from app.models import SMS_TYPE, EMAIL_TYPE, PRIORITY
+from app.models import SMS_TYPE, EMAIL_TYPE, PRIORITY, SCHEDULE_NOTIFICATIONS
 from app.notifications.process_notifications import (
    persist_notification,
    send_notification_to_queue,
@@ -11,7 +11,7 @@ from app.notifications.process_notifications import (
 from app.notifications.validators import (
    validate_and_format_recipient,
    check_rate_limiting,
-    service_can_schedule_notification,
+    service_has_permission,
    validate_template
 )
 from app.schema_validation import validate
@@ -30,8 +30,11 @@ def post_notification(notification_type):
    else:
        form = validate(request.get_json(), post_sms_request)

+    service_has_permission(authenticated_service, notification_type)
+
    scheduled_for = form.get("scheduled_for", None)
-    service_can_schedule_notification(authenticated_service, scheduled_for)
+    if scheduled_for:
+        service_has_permission(authenticated_service, SCHEDULE_NOTIFICATIONS)

    check_rate_limiting(authenticated_service, api_user)

@@ -45,7 +48,7 @@ def post_notification(notification_type):
        form['template_id'],
        form.get('personalisation', {}),
        authenticated_service,
-        notification_type
+        notification_type,
    )

    # Do not persist or send notification to the queue if it is a simulated recipient