def edit_user_permissions(service_id, user_id):
    """Show, and on a valid POST save, the permissions of one team member.

    Args:
        service_id: id of the service the team member belongs to.
        user_id: id of the user whose permissions are being edited.

    Returns:
        A redirect to ``.manage_users`` after a successful submit, otherwise
        the rendered ``views/edit-user-permissions.html`` page.
    """
    # NOTE(review): no authorisation check is visible inside this function;
    # presumably it is applied by route decorators outside this listing — confirm.
    email_auth_enabled = 'email_auth' in current_service['permissions']
    # TODO we should probably be using the service id here in the get user
    # call as well. eg. /user/<user_id>?&service=service_id
    user = user_api_client.get_user(user_id)
    has_no_mobile = user.mobile_number is None

    # One checkbox per role, pre-ticked from the user's current permissions
    # on this service; the login method field is seeded from the user's auth type.
    current_roles = {
        role: user.has_permission_for_service(service_id, role)
        for role in roles.keys()
    }
    form = PermissionsForm(login_authentication=user.auth_type, **current_roles)

    if form.validate_on_submit():
        chosen = set(get_permissions_from_form(form))
        user_api_client.set_user_permissions(
            user_id,
            service_id,
            permissions=chosen,
        )
        # The login method is only editable on services with the email_auth permission
        if email_auth_enabled:
            user_api_client.update_user_attribute(
                user_id, auth_type=form.login_authentication.data,
            )
        return redirect(url_for('.manage_users', service_id=service_id))

    return render_template(
        'views/edit-user-permissions.html',
        user=user,
        form=form,
        service_has_email_auth=email_auth_enabled,
        user_has_no_mobile_number=has_no_mobile,
    )
def confirm_edit_user_mobile_number(service_id, user_id):
    """Confirm, and on POST apply, a pending mobile number change for a team member.

    The new number must already be in the session under
    ``team_member_mobile_change`` (placed there by the edit step); if it is
    missing the visitor is sent back to ``.edit_user_mobile_number``.

    Args:
        service_id: id of the service the team member belongs to.
        user_id: id of the user whose number is being changed.

    Returns:
        A redirect to ``.manage_users`` after a POST, otherwise the rendered
        confirmation page.

    Raises:
        Aborts with 500 if the API update fails.
    """
    user = current_service.get_team_member(user_id)
    if 'team_member_mobile_change' not in session:
        return redirect(url_for(
            '.edit_user_mobile_number',
            service_id=service_id,
            user_id=user_id,
        ))
    new_number = session['team_member_mobile_change']

    if request.method == 'POST':
        try:
            user_api_client.update_user_attribute(
                str(user_id),
                mobile_number=new_number,
                updated_by=current_user.id,
            )
        except HTTPError as e:
            # NOTE(review): the exception is passed as the abort() description,
            # so the upstream API error text may reach the 500 page unless the
            # app's error handler ignores it — confirm.
            abort(500, e)
        else:
            create_mobile_number_change_event(
                user.id, current_user.id, user.mobile_number, new_number,
            )
        finally:
            # The pending change is consumed whether or not the update succeeded
            session.pop('team_member_mobile_change', None)

        return redirect(url_for('.manage_users', service_id=service_id))

    return render_template(
        'views/manage-users/confirm-edit-user-mobile-number.html',
        user=user,
        service_id=service_id,
        new_mobile_number=new_number,
    )
def user_profile_mobile_number_confirm():
    """Final step of changing the signed-in user's mobile number: check the SMS code.

    Requires that the password re-confirmation step has already stored
    ``NEW_MOBILE_PASSWORD_CONFIRMED`` in the session; otherwise the visitor is
    sent back to the start of the flow.

    Returns:
        A redirect to ``.user_profile`` once the code validates, otherwise the
        rendered code-entry page.
    """

    def _check_code(code):
        # Validate the submitted verification code for the signed-in user
        return user_api_client.check_verify_code(current_user.id, code, 'sms')

    if NEW_MOBILE_PASSWORD_CONFIRMED not in session:
        return redirect(url_for('.user_profile_mobile_number'))

    form = TwoFactorForm(_check_code)

    if not form.validate_on_submit():
        return render_template(
            'views/user-profile/confirm.html',
            form_field=form.sms_code,
            thing='mobile number',
        )

    user = user_api_client.get_user(current_user.id)
    # the user will have a new current_session_id set by the API - store it in the cookie for future requests
    session['current_session_id'] = user.current_session_id
    new_number = session.pop(NEW_MOBILE)
    del session[NEW_MOBILE_PASSWORD_CONFIRMED]
    user_api_client.update_user_attribute(current_user.id, mobile_number=new_number)
    return redirect(url_for('.user_profile'))
def edit_user_permissions(service_id, user_id):
    """Show, and on a valid POST save, the permissions of one team member.

    Args:
        service_id: id of the service the team member belongs to.
        user_id: id of the user whose permissions are being edited.

    Returns:
        A redirect to ``.manage_users`` after a successful submit, otherwise
        the rendered ``views/edit-user-permissions.html`` page.
    """
    # NOTE(review): no authorisation check is visible inside this function;
    # presumably it is applied by route decorators outside this listing — confirm.
    email_auth_enabled = current_service.has_permission('email_auth')
    # TODO we should probably be using the service id here in the get user
    # call as well. eg. /user/<user_id>?&service=service_id
    user = user_api_client.get_user(user_id)
    has_no_mobile = user.mobile_number is None

    form = PermissionsForm.from_user(user, service_id)

    if not form.validate_on_submit():
        return render_template(
            'views/edit-user-permissions.html',
            user=user,
            form=form,
            service_has_email_auth=email_auth_enabled,
            user_has_no_mobile_number=has_no_mobile,
        )

    user_api_client.set_user_permissions(
        user_id,
        service_id,
        permissions=form.permissions,
    )
    # The login method is only editable on services with the email_auth permission
    if email_auth_enabled:
        user_api_client.update_user_attribute(
            user_id, auth_type=form.login_authentication.data,
        )
    return redirect(url_for('.manage_users', service_id=service_id))
def test_client_cannot_update_platform_admin_attribute(mocker):
    """``platform_admin`` is rejected by update_user_attribute even when the caller is a platform admin."""
    mocker.patch('app.notify_client.current_user', platform_admin=True)
    with pytest.raises(TypeError) as error:
        user_api_client.update_user_attribute(
            'platform_admin', platform_admin=True,
        )
    expected = 'Not allowed to update user attributes: platform_admin'
    assert str(error.value) == expected
def user_profile_email_confirm(token):
    """Apply an email-address change when the signed confirmation link is followed.

    Args:
        token: the signed, time-limited token carried in the emailed link; its
            payload is a JSON object with ``user_id`` and ``email``.

    Returns:
        A redirect to ``.user_profile``.
    """
    config = current_app.config
    # NOTE(review): what check_token does on a bad or expired signature (raise
    # vs. return) is not visible here — assumed to raise, which fails closed.
    raw_payload = check_token(
        token,
        config['SECRET_KEY'],
        config['DANGEROUS_SALT'],
        config['EMAIL_EXPIRY_SECONDS'],
    )
    payload = json.loads(raw_payload)
    user_api_client.update_user_attribute(
        payload['user_id'], email_address=payload['email'],
    )
    session.pop(NEW_EMAIL, None)

    return redirect(url_for('.user_profile'))
def user_profile_name():
    """Let the signed-in user change their display name.

    Returns:
        A redirect to ``.user_profile`` after a valid submit, otherwise the
        rendered change-name page.
    """
    form = ChangeNameForm(new_name=current_user.name)

    if not form.validate_on_submit():
        return render_template(
            'views/user-profile/change.html',
            thing='name',
            form_field=form.new_name,
        )

    user_api_client.update_user_attribute(
        current_user.id, name=form.new_name.data,
    )
    return redirect(url_for('.user_profile'))
def user_profile_email_confirm(token):
    """Apply an email-address change when the signed confirmation link is followed.

    Args:
        token: the signed, time-limited token carried in the emailed link; its
            payload is a JSON object with ``user_id`` and ``email``.

    Returns:
        A redirect to ``.user_profile``.
    """
    config = current_app.config
    # NOTE(review): what check_token does on a bad or expired signature (raise
    # vs. return) is not visible here — assumed to raise, which fails closed.
    raw_payload = check_token(
        token,
        config['SECRET_KEY'],
        config['DANGEROUS_SALT'],
        config['EMAIL_EXPIRY_SECONDS'],
    )
    payload = json.loads(raw_payload)
    user_api_client.update_user_attribute(
        payload['user_id'], email_address=payload['email'],
    )
    session.pop(NEW_EMAIL, None)

    return redirect(url_for('.user_profile'))
def user_profile_name():
    """Let the signed-in user change their display name.

    Returns:
        A redirect to ``.user_profile`` after a valid submit, otherwise the
        rendered change-name page.
    """
    form = ChangeNameForm(new_name=current_user.name)

    if not form.validate_on_submit():
        return render_template(
            'views/user-profile/change.html',
            thing='name',
            form_field=form.new_name,
        )

    user_api_client.update_user_attribute(
        current_user.id, name=form.new_name.data,
    )
    return redirect(url_for('.user_profile'))
def edit_user_permissions(service_id, user_id):
    """Show, and on a valid POST save, a team member's service and folder permissions.

    Args:
        service_id: id of the service the team member belongs to.
        user_id: id of the user whose permissions are being edited.

    Returns:
        A redirect to ``.manage_users`` after a successful submit, otherwise
        the rendered ``views/edit-user-permissions.html`` page.
    """
    # NOTE(review): no authorisation check is visible inside this function;
    # presumably it is applied by route decorators outside this listing — confirm.
    email_auth_enabled = current_service.has_permission('email_auth')
    user = current_service.get_team_member(user_id)

    # Only a redacted form of the number is handed to the template
    shown_number = None
    if user.mobile_number:
        shown_number = redact_mobile_number(user.mobile_number, " ")

    # Platform admins get no folder controls at all (both arguments are None)
    if user.platform_admin:
        folder_ids = None
        all_folders = None
    else:
        folder_ids = [
            f['id'] for f in current_service.all_template_folders
            if user.has_template_folder_permission(f)
        ]
        all_folders = current_service.all_template_folders

    form = PermissionsForm.from_user(
        user,
        service_id,
        folder_permissions=folder_ids,
        all_template_folders=all_folders,
    )

    if form.validate_on_submit():
        user_api_client.set_user_permissions(
            user_id,
            service_id,
            permissions=form.permissions,
            folder_permissions=form.folder_permissions.data,
        )
        # The login method is only editable on services with the email_auth permission
        if email_auth_enabled:
            user_api_client.update_user_attribute(
                user_id, auth_type=form.login_authentication.data,
            )
        return redirect(url_for('.manage_users', service_id=service_id))

    return render_template(
        'views/edit-user-permissions.html',
        user=user,
        form=form,
        service_has_email_auth=email_auth_enabled,
        mobile_number=shown_number,
        delete=request.args.get('delete'),
    )
def check_and_resend_text_code():
    """Let a not-yet-verified user correct their mobile number and get a new SMS code.

    The user is identified by the email address held in ``session['user_details']``.
    Already-active (verified) users are shown a page that does not allow the
    number to be edited.

    Returns:
        A redirect to ``.verify`` after a valid submit, otherwise a rendered page.
    """
    email = session['user_details']['email']
    user = user_api_client.get_user_by_email(email)

    if user.state == 'active':
        # this is a verified user and therefore redirect to page to request resend without edit mobile
        return render_template('views/verification-not-received.html')

    form = TextNotReceivedForm(mobile_number=user.mobile_number)
    if not form.validate_on_submit():
        return render_template('views/text-not-received.html', form=form)

    new_number = form.mobile_number.data
    user_api_client.send_verify_code(user.id, 'sms', to=new_number)
    # NOTE(review): the number is stored before the code is verified; presumably
    # acceptable because the account is still unverified (state != 'active') — confirm.
    user_api_client.update_user_attribute(user.id, mobile_number=new_number)
    return redirect(url_for('.verify'))
def user_profile_mobile_number_confirm():
    """Final step of changing the signed-in user's mobile number: check the SMS code.

    Requires that the password re-confirmation step has already stored
    ``NEW_MOBILE_PASSWORD_CONFIRMED`` in the session; otherwise the visitor is
    sent back to the start of the flow.

    Returns:
        A redirect to ``.user_profile`` once the code validates, otherwise the
        rendered code-entry page.
    """

    def _check_code(code):
        # Validate the submitted verification code for the signed-in user
        return user_api_client.check_verify_code(current_user.id, code, 'sms')

    if NEW_MOBILE_PASSWORD_CONFIRMED not in session:
        return redirect(url_for('.user_profile_mobile_number'))

    form = ConfirmMobileNumberForm(_check_code)

    if not form.validate_on_submit():
        return render_template(
            'views/user-profile/confirm.html',
            form_field=form.sms_code,
            thing='mobile number',
        )

    new_number = session.pop(NEW_MOBILE)
    del session[NEW_MOBILE_PASSWORD_CONFIRMED]
    user_api_client.update_user_attribute(
        current_user.id, mobile_number=new_number,
    )
    return redirect(url_for('.user_profile'))
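def accept_invite(token):
    """Accept a service invitation identified by the signed ``token``.

    Flow:
      * an API 400 carrying an ``invitation`` message flashes that message and
        sends the visitor to sign in; any other API error propagates;
      * a visitor signed in under a different email address than the invite is
        told to sign out first and gets a 403;
      * a cancelled invite renders an explanation, an already-accepted one goes
        straight to the service dashboard;
      * otherwise the invite is kept in the session and an existing account is
        added to the service, or a new visitor is sent to register.

    Args:
        token: the invite token from the emailed link.

    Returns:
        A Flask response (redirect or rendered template).

    Raises:
        HTTPError: re-raised for API failures other than an invitation error.
    """
    try:
        invited_user = invite_api_client.check_token(token)
    except HTTPError as e:
        # NOTE(review): this assumes e.message is a dict on a 400; a plain
        # string would pass the `in` test and then fail on the subscript.
        if e.status_code == 400 and 'invitation' in e.message:
            flash(e.message['invitation'])
            return redirect(url_for('main.sign_in'))
        else:
            raise

    if not current_user.is_anonymous and current_user.email_address.lower(
    ) != invited_user.email_address.lower():
        # Markup.format() HTML-escapes its arguments; the previous
        # str.format() inside Markup() interpolated the email address and the
        # URL unescaped. The href is quoted for the same reason.
        message = Markup("""
            You’re signed in as {}.
            This invite is for another email address.
            <a href="{}">Sign out</a> and click the link again to accept this invite.
            """).format(current_user.email_address,
                        url_for("main.sign_out", _external=True))

        flash(message=message)

        abort(403)

    if invited_user.status == 'cancelled':
        from_user = user_api_client.get_user(invited_user.from_user)
        service = service_api_client.get_service(invited_user.service)['data']
        return render_template('views/cancelled-invitation.html',
                               from_user=from_user.name,
                               service_name=service['name'])

    if invited_user.status == 'accepted':
        session.pop('invited_user', None)
        return redirect(
            url_for('main.service_dashboard', service_id=invited_user.service))

    # Kept for the registration step when the visitor has no account yet
    session['invited_user'] = invited_user.serialize()

    existing_user = user_api_client.get_user_by_email_or_none(
        invited_user.email_address)
    service_users = user_api_client.get_users_for_service(invited_user.service)

    if existing_user:
        invite_api_client.accept_invite(invited_user.service, invited_user.id)
        if existing_user in service_users:
            return redirect(
                url_for('main.service_dashboard',
                        service_id=invited_user.service))
        else:
            service = service_api_client.get_service(
                invited_user.service)['data']
            # if the service you're being added to can modify auth type, then check if this is relevant
            if 'email_auth' in service['permissions'] and (
                    # they have a phone number, we want them to start using it. if they dont have a mobile we just
                    # ignore that option of the invite
                (existing_user.mobile_number
                 and invited_user.auth_type == 'sms_auth') or
                    # we want them to start sending emails. it's always valid, so lets always update
                    invited_user.auth_type == 'email_auth'):
                user_api_client.update_user_attribute(
                    existing_user.id, auth_type=invited_user.auth_type)
            user_api_client.add_user_to_service(invited_user.service,
                                                existing_user.id,
                                                invited_user.permissions)
            return redirect(
                url_for('main.service_dashboard',
                        service_id=invited_user.service))
    else:
        return redirect(url_for('main.register_from_invite'))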
def test_client_only_updates_allowed_attributes(mocker):
    """``id`` is not an updatable attribute and must raise TypeError."""
    mocker.patch('app.notify_client.current_user', id='1')
    with pytest.raises(TypeError) as error:
        user_api_client.update_user_attribute('user_id', id='1')
    expected = 'Not allowed to update user attributes: id'
    assert str(error.value) == expected
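def accept_invite(token):
    """Accept a service invitation identified by the signed ``token``.

    Flow:
      * an expired signature renders the 400 page with an explanation;
      * a visitor signed in under a different email address than the invite is
        told to sign out first and gets a 403;
      * a cancelled invite renders an explanation, an already-accepted one goes
        straight to the service dashboard;
      * otherwise the invite is kept in the session and an existing account is
        added to the service, or a new visitor is sent to register.

    Args:
        token: the invite token from the emailed link.

    Returns:
        A Flask response (redirect, rendered template, or a (template, 400) pair).
    """
    try:
        # NOTE(review): only expiry is handled here; a bad signature is assumed
        # to propagate from check_token or be rejected by the API call below — confirm.
        check_token(token, current_app.config['SECRET_KEY'],
                    current_app.config['DANGEROUS_SALT'],
                    current_app.config['INVITATION_EXPIRY_SECONDS'])
    except SignatureExpired:
        errors = [
            'Your invitation to GOV.UK Notify has expired. '
            'Please ask the person that invited you to send you another one'
        ]
        return render_template("error/400.html", message=errors), 400

    invited_user = invite_api_client.check_token(token)

    if not current_user.is_anonymous and current_user.email_address.lower(
    ) != invited_user.email_address.lower():
        # Markup.format() HTML-escapes its arguments; the previous
        # str.format() inside Markup() interpolated the email address and the
        # URL unescaped. The href is quoted for the same reason.
        message = Markup("""
            You’re signed in as {}.
            This invite is for another email address.
            <a href="{}">Sign out</a> and click the link again to accept this invite.
            """).format(current_user.email_address,
                        url_for("main.sign_out", _external=True))

        flash(message=message)

        abort(403)

    if invited_user.status == 'cancelled':
        from_user = user_api_client.get_user(invited_user.from_user)
        service = service_api_client.get_service(invited_user.service)['data']
        return render_template('views/cancelled-invitation.html',
                               from_user=from_user.name,
                               service_name=service['name'])

    if invited_user.status == 'accepted':
        session.pop('invited_user', None)
        return redirect(
            url_for('main.service_dashboard', service_id=invited_user.service))

    # Kept for the registration step when the visitor has no account yet
    session['invited_user'] = invited_user.serialize()

    existing_user = user_api_client.get_user_by_email_or_none(
        invited_user.email_address)
    service_users = user_api_client.get_users_for_service(invited_user.service)

    if existing_user:
        invite_api_client.accept_invite(invited_user.service, invited_user.id)
        if existing_user in service_users:
            return redirect(
                url_for('main.service_dashboard',
                        service_id=invited_user.service))
        else:
            service = service_api_client.get_service(
                invited_user.service)['data']
            # if the service you're being added to can modify auth type, then check if this is relevant
            if 'email_auth' in service['permissions'] and (
                    # they have a phone number, we want them to start using it. if they dont have a mobile we just
                    # ignore that option of the invite
                (existing_user.mobile_number
                 and invited_user.auth_type == 'sms_auth') or
                    # we want them to start sending emails. it's always valid, so lets always update
                    invited_user.auth_type == 'email_auth'):
                user_api_client.update_user_attribute(
                    existing_user.id, auth_type=invited_user.auth_type)
            user_api_client.add_user_to_service(invited_user.service,
                                                existing_user.id,
                                                invited_user.permissions)
            return redirect(
                url_for('main.service_dashboard',
                        service_id=invited_user.service))
    else:
        return redirect(url_for('main.register_from_invite'))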
def test_client_only_updates_allowed_attributes(mocker):
    """``id`` is not an updatable attribute and must raise TypeError."""
    mocker.patch("app.notify_client.current_user", id="1")
    with pytest.raises(TypeError) as error:
        user_api_client.update_user_attribute("user_id", id="1")
    expected = "Not allowed to update user attributes: id"
    assert str(error.value) == expected