def edit_user_permissions(service_id, user_id): service_has_email_auth = 'email_auth' in current_service['permissions'] # TODO we should probably using the service id here in the get user # call as well. eg. /user/<user_id>?&service=service_id user = user_api_client.get_user(user_id) user_has_no_mobile_number = user.mobile_number is None form = PermissionsForm(**{ role: user.has_permission_for_service(service_id, role) for role in roles.keys() }, login_authentication=user.auth_type) if form.validate_on_submit(): user_api_client.set_user_permissions( user_id, service_id, permissions=set(get_permissions_from_form(form)), ) if service_has_email_auth: user_api_client.update_user_attribute( user_id, auth_type=form.login_authentication.data) return redirect(url_for('.manage_users', service_id=service_id)) return render_template('views/edit-user-permissions.html', user=user, form=form, service_has_email_auth=service_has_email_auth, user_has_no_mobile_number=user_has_no_mobile_number)
def confirm_edit_user_mobile_number(service_id, user_id): user = current_service.get_team_member(user_id) if 'team_member_mobile_change' in session: new_number = session['team_member_mobile_change'] else: return redirect( url_for('.edit_user_mobile_number', service_id=service_id, user_id=user_id)) if request.method == 'POST': try: user_api_client.update_user_attribute(str(user_id), mobile_number=new_number, updated_by=current_user.id) except HTTPError as e: abort(500, e) else: create_mobile_number_change_event(user.id, current_user.id, user.mobile_number, new_number) finally: session.pop('team_member_mobile_change', None) return redirect(url_for('.manage_users', service_id=service_id)) return render_template( 'views/manage-users/confirm-edit-user-mobile-number.html', user=user, service_id=service_id, new_mobile_number=new_number)
def user_profile_mobile_number_confirm(): # Validate verify code for form def _check_code(cde): return user_api_client.check_verify_code(current_user.id, cde, 'sms') if NEW_MOBILE_PASSWORD_CONFIRMED not in session: return redirect(url_for('.user_profile_mobile_number')) form = TwoFactorForm(_check_code) if form.validate_on_submit(): user = user_api_client.get_user(current_user.id) # the user will have a new current_session_id set by the API - store it in the cookie for future requests session['current_session_id'] = user.current_session_id mobile_number = session[NEW_MOBILE] del session[NEW_MOBILE] del session[NEW_MOBILE_PASSWORD_CONFIRMED] user_api_client.update_user_attribute(current_user.id, mobile_number=mobile_number) return redirect(url_for('.user_profile')) return render_template( 'views/user-profile/confirm.html', form_field=form.sms_code, thing='mobile number' )
def edit_user_permissions(service_id, user_id): service_has_email_auth = current_service.has_permission('email_auth') # TODO we should probably using the service id here in the get user # call as well. eg. /user/<user_id>?&service=service_id user = user_api_client.get_user(user_id) user_has_no_mobile_number = user.mobile_number is None form = PermissionsForm.from_user(user, service_id) if form.validate_on_submit(): user_api_client.set_user_permissions( user_id, service_id, permissions=form.permissions, ) if service_has_email_auth: user_api_client.update_user_attribute( user_id, auth_type=form.login_authentication.data) return redirect(url_for('.manage_users', service_id=service_id)) return render_template('views/edit-user-permissions.html', user=user, form=form, service_has_email_auth=service_has_email_auth, user_has_no_mobile_number=user_has_no_mobile_number)
def test_client_cannot_update_platform_admin_attribute(mocker): mocker.patch('app.notify_client.current_user', platform_admin=True) with pytest.raises(TypeError) as error: user_api_client.update_user_attribute('platform_admin', platform_admin=True) assert str( error.value) == 'Not allowed to update user attributes: platform_admin'
def user_profile_email_confirm(token): token_data = check_token(token, current_app.config['SECRET_KEY'], current_app.config['DANGEROUS_SALT'], current_app.config['EMAIL_EXPIRY_SECONDS']) token_data = json.loads(token_data) user_id = token_data['user_id'] new_email = token_data['email'] user_api_client.update_user_attribute(user_id, email_address=new_email) session.pop(NEW_EMAIL, None) return redirect(url_for('.user_profile'))
def user_profile_name(): form = ChangeNameForm(new_name=current_user.name) if form.validate_on_submit(): user_api_client.update_user_attribute(current_user.id, name=form.new_name.data) return redirect(url_for('.user_profile')) return render_template('views/user-profile/change.html', thing='name', form_field=form.new_name)
def user_profile_name(): form = ChangeNameForm(new_name=current_user.name) if form.validate_on_submit(): user_api_client.update_user_attribute(current_user.id, name=form.new_name.data) return redirect(url_for('.user_profile')) return render_template( 'views/user-profile/change.html', thing='name', form_field=form.new_name )
def edit_user_permissions(service_id, user_id): service_has_email_auth = current_service.has_permission('email_auth') user = current_service.get_team_member(user_id) mobile_number = None if user.mobile_number: mobile_number = redact_mobile_number(user.mobile_number, " ") form = PermissionsForm.from_user( user, service_id, folder_permissions=None if user.platform_admin else [ f['id'] for f in current_service.all_template_folders if user.has_template_folder_permission(f) ], all_template_folders=None if user.platform_admin else current_service.all_template_folders) if form.validate_on_submit(): user_api_client.set_user_permissions( user_id, service_id, permissions=form.permissions, folder_permissions=form.folder_permissions.data, ) if service_has_email_auth: user_api_client.update_user_attribute( user_id, auth_type=form.login_authentication.data) return redirect(url_for('.manage_users', service_id=service_id)) return render_template( 'views/edit-user-permissions.html', user=user, form=form, service_has_email_auth=service_has_email_auth, mobile_number=mobile_number, delete=request.args.get('delete'), )
def check_and_resend_text_code(): user = user_api_client.get_user_by_email(session['user_details']['email']) if user.state == 'active': # this is a verified user and therefore redirect to page to request resend without edit mobile return render_template('views/verification-not-received.html') form = TextNotReceivedForm(mobile_number=user.mobile_number) if form.validate_on_submit(): user_api_client.send_verify_code(user.id, 'sms', to=form.mobile_number.data) user = user_api_client.update_user_attribute(user.id, mobile_number=form.mobile_number.data) return redirect(url_for('.verify')) return render_template('views/text-not-received.html', form=form)
def user_profile_mobile_number_confirm(): # Validate verify code for form def _check_code(cde): return user_api_client.check_verify_code(current_user.id, cde, 'sms') if NEW_MOBILE_PASSWORD_CONFIRMED not in session: return redirect(url_for('.user_profile_mobile_number')) form = ConfirmMobileNumberForm(_check_code) if form.validate_on_submit(): mobile_number = session[NEW_MOBILE] del session[NEW_MOBILE] del session[NEW_MOBILE_PASSWORD_CONFIRMED] user_api_client.update_user_attribute(current_user.id, mobile_number=mobile_number) return redirect(url_for('.user_profile')) return render_template( 'views/user-profile/confirm.html', form_field=form.sms_code, thing='mobile number' )
def accept_invite(token): try: invited_user = invite_api_client.check_token(token) except HTTPError as e: if e.status_code == 400 and 'invitation' in e.message: flash(e.message['invitation']) return redirect(url_for('main.sign_in')) else: raise e if not current_user.is_anonymous and current_user.email_address.lower( ) != invited_user.email_address.lower(): message = Markup(""" You’re signed in as {}. This invite is for another email address. <a href={}>Sign out</a> and click the link again to accept this invite. """.format(current_user.email_address, url_for("main.sign_out", _external=True))) flash(message=message) abort(403) if invited_user.status == 'cancelled': from_user = user_api_client.get_user(invited_user.from_user) service = service_api_client.get_service(invited_user.service)['data'] return render_template('views/cancelled-invitation.html', from_user=from_user.name, service_name=service['name']) if invited_user.status == 'accepted': session.pop('invited_user', None) return redirect( url_for('main.service_dashboard', service_id=invited_user.service)) session['invited_user'] = invited_user.serialize() existing_user = user_api_client.get_user_by_email_or_none( invited_user.email_address) service_users = user_api_client.get_users_for_service(invited_user.service) if existing_user: invite_api_client.accept_invite(invited_user.service, invited_user.id) if existing_user in service_users: return redirect( url_for('main.service_dashboard', service_id=invited_user.service)) else: service = service_api_client.get_service( invited_user.service)['data'] # if the service you're being added to can modify auth type, then check if this is relevant if 'email_auth' in service['permissions'] and ( # they have a phone number, we want them to start using it. if they dont have a mobile we just # ignore that option of the invite (existing_user.mobile_number and invited_user.auth_type == 'sms_auth') or # we want them to start sending emails. it's always valid, so lets always update invited_user.auth_type == 'email_auth'): user_api_client.update_user_attribute( existing_user.id, auth_type=invited_user.auth_type) user_api_client.add_user_to_service(invited_user.service, existing_user.id, invited_user.permissions) return redirect( url_for('main.service_dashboard', service_id=invited_user.service)) else: return redirect(url_for('main.register_from_invite'))
def test_client_only_updates_allowed_attributes(mocker): mocker.patch('app.notify_client.current_user', id='1') with pytest.raises(TypeError) as error: user_api_client.update_user_attribute('user_id', id='1') assert str(error.value) == 'Not allowed to update user attributes: id'
def accept_invite(token): try: check_token(token, current_app.config['SECRET_KEY'], current_app.config['DANGEROUS_SALT'], current_app.config['INVITATION_EXPIRY_SECONDS']) except SignatureExpired: errors = [ 'Your invitation to GOV.UK Notify has expired. ' 'Please ask the person that invited you to send you another one' ] return render_template("error/400.html", message=errors), 400 invited_user = invite_api_client.check_token(token) if not current_user.is_anonymous and current_user.email_address.lower( ) != invited_user.email_address.lower(): message = Markup(""" You’re signed in as {}. This invite is for another email address. <a href={}>Sign out</a> and click the link again to accept this invite. """.format(current_user.email_address, url_for("main.sign_out", _external=True))) flash(message=message) abort(403) if invited_user.status == 'cancelled': from_user = user_api_client.get_user(invited_user.from_user) service = service_api_client.get_service(invited_user.service)['data'] return render_template('views/cancelled-invitation.html', from_user=from_user.name, service_name=service['name']) if invited_user.status == 'accepted': session.pop('invited_user', None) return redirect( url_for('main.service_dashboard', service_id=invited_user.service)) session['invited_user'] = invited_user.serialize() existing_user = user_api_client.get_user_by_email_or_none( invited_user.email_address) service_users = user_api_client.get_users_for_service(invited_user.service) if existing_user: invite_api_client.accept_invite(invited_user.service, invited_user.id) if existing_user in service_users: return redirect( url_for('main.service_dashboard', service_id=invited_user.service)) else: service = service_api_client.get_service( invited_user.service)['data'] # if the service you're being added to can modify auth type, then check if this is relevant if 'email_auth' in service['permissions'] and ( # they have a phone number, we want them to start using it. if they dont have a mobile we just # ignore that option of the invite (existing_user.mobile_number and invited_user.auth_type == 'sms_auth') or # we want them to start sending emails. it's always valid, so lets always update invited_user.auth_type == 'email_auth'): user_api_client.update_user_attribute( existing_user.id, auth_type=invited_user.auth_type) user_api_client.add_user_to_service(invited_user.service, existing_user.id, invited_user.permissions) return redirect( url_for('main.service_dashboard', service_id=invited_user.service)) else: return redirect(url_for('main.register_from_invite'))
def test_client_only_updates_allowed_attributes(mocker): mocker.patch("app.notify_client.current_user", id="1") with pytest.raises(TypeError) as error: user_api_client.update_user_attribute("user_id", id="1") assert str(error.value) == "Not allowed to update user attributes: id"