restrict access to the validation tab to only users who have been giv…

…en it
DOAJ · Nov 17, 2023 · f84b122 · f84b122
1 parent 9b70dc6
commit f84b122
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 13 deletions.
diff --git a/doajtest/testbook/publisher_csv/validate_csv.yml b/doajtest/testbook/publisher_csv/validate_csv.yml
@@ -77,3 +77,22 @@ tests:
     - step: Click 'Validate'
       results:
         - You are shown a validation message that says validation is successful
+    - step: If you are finished testing, you can teardown the testdrive using the link provided.  If you are going to continue
+        with the other tests in this suite you can leave the testdrive in place until the very end
+
+- title: Access to the feature
+  context:
+    role: Publisher
+    testdrive: publisher_csv_upload
+    setup:
+      - If you have not done so already, use the publisher_csv_upload testdrive to setup for this test at /testdrive/publisher_csv_upload
+    steps:
+      - step: Log in as the publisher account specified by the testdrive result
+        results:
+          - The "Validate your CSV" navigation tab is visible
+      - step: As an administrator, edit the user's account and remove the "journal_csv" role
+      - step: As the publisher again, reload the publisher home page
+        results:
+          - The "Validate your CSV" tab is no longer visible
+
+
diff --git a/doajtest/testdrive/publisher_csv_upload.py b/doajtest/testdrive/publisher_csv_upload.py
@@ -12,7 +12,7 @@ class PublisherCsvUpload(TestDrive):
     def setup(self) -> dict:
         un = self.create_random_str()
         pw = self.create_random_str()
-        acc = models.Account.make_account(un + "@example.com", un, "Publisher " + un, [constants.ROLE_PUBLISHER])
+        acc = models.Account.make_account(un + "@example.com", un, "Publisher " + un, [constants.ROLE_PUBLISHER, constants.ROLE_PUBLISHER_JOURNAL_CSV])
         acc.set_password(pw)
         acc.save()
 

diff --git a/portality/constants.py b/portality/constants.py
@@ -81,6 +81,8 @@
 ROLE_ASSOCIATE_EDITOR = 'associate_editor'
 ROLE_PUBLIC_DATA_DUMP = "public_data_dump"
 ROLE_PUBLISHER = "publisher"
+ROLE_PUBLISHER_JOURNAL_CSV = "journal_csv"
+ROLE_PUBLISHER_PRESERVATION = "preservation"
 
 CRON_NEVER = {"month": "2", "day": "31", "day_of_week": "*", "hour": "*", "minute": "*"}
 

diff --git a/portality/settings.py b/portality/settings.py
@@ -296,7 +296,8 @@
     "api",
     "ultra_bulk_delete",
     "preservation",
-    constants.ROLE_PUBLIC_DATA_DUMP
+    constants.ROLE_PUBLIC_DATA_DUMP,
+    constants.ROLE_PUBLISHER_JOURNAL_CSV
 ]
 
 ROLE_MAP = {

diff --git a/portality/templates/publisher/nav.html b/portality/templates/publisher/nav.html
@@ -8,23 +8,23 @@
 {% set csv = url_for('publisher.journal_csv') %}
 
 {% set tabs = [
-    (index, "My drafts", 0),
-    (journals, "My journals", 1),
-    (urs, "My update requests", 2),
-    (xml, "Upload article XML", 3),
-    (metadata, "Enter article metadata", 4),
-    (preservation, "Upload preservation file", 5),
-    (csv, "Validate your Journal CSV", 6),
-    (help, "Help", 7),
+    (index, "My drafts", 0, constants.ROLE_PUBLISHER),
+    (journals, "My journals", 1, constants.ROLE_PUBLISHER),
+    (urs, "My update requests", 2, constants.ROLE_PUBLISHER),
+    (xml, "Upload article XML", 3, constants.ROLE_PUBLISHER),
+    (metadata, "Enter article metadata", 4, constants.ROLE_PUBLISHER),
+    (preservation, "Upload preservation file", 5, constants.ROLE_PUBLISHER_PRESERVATION),
+    (csv, "Validate your Journal CSV", 6, constants.ROLE_PUBLISHER_JOURNAL_CSV),
+    (help, "Help", 7, constants.ROLE_PUBLISHER),
     ]
 %}
 
 <div class="tabs">
     <nav class="tabs__menu">
         <ul class="tabs__list" role="tablist">
-            {% for url, label, ix in tabs %}
+            {% for url, label, ix, role in tabs %}
                 {# Hide the preservation tab for publishers without preservation role (by ID in case label changes) #}
-                {% if ix == 5 and not current_user.has_role("preservation") %}
+                {% if not current_user.has_role(role) %}
                     {% continue %}
                 {% endif %}
                 {% set selected = url == request.path %}

diff --git a/portality/view/publisher.py b/portality/view/publisher.py
@@ -2,6 +2,7 @@
 from flask import render_template, abort, redirect, url_for, flash
 from flask_login import current_user, login_required
 
+import constants
 from portality.app_email import EmailException
 from portality import models
 from portality.bll.exceptions import AuthoriseException, ArticleMergeConflict, DuplicateArticleException, ArticleNotAcceptable
@@ -372,13 +373,17 @@ def metadata():
 @ssl_required
 @write_required()
 def journal_csv():
-    return render_template('publisher/journal_csv.html')
+    if current_user.has_role(constants.ROLE_PUBLISHER_JOURNAL_CSV):
+        return render_template('publisher/journal_csv.html')
+    abort(403)
 
 @blueprint.route("/journal-csv/validate", methods=["POST"])
 @login_required
 @ssl_required
 @write_required()
 def journal_csv_validate():
+    if not current_user.has_role(constants.ROLE_PUBLISHER_JOURNAL_CSV):
+        abort(403)
     if "journal_csv" not in request.files:
         abort(400)
     file = request.files["journal_csv"]