From f84b12267d4349bea4a239e0f0cb299699dbe9bc Mon Sep 17 00:00:00 2001
From: Richard Jones <richard@cottagelabs.com>
Date: Fri, 17 Nov 2023 11:50:10 +0000
Subject: [PATCH] restrict access to the validation tab to only users who have
 been given it

---
 .../testbook/publisher_csv/validate_csv.yml   | 19 ++++++++++++++++++
 doajtest/testdrive/publisher_csv_upload.py    |  2 +-
 portality/constants.py                        |  2 ++
 portality/settings.py                         |  3 ++-
 portality/templates/publisher/nav.html        | 20 +++++++++----------
 portality/view/publisher.py                   |  7 ++++++-
 6 files changed, 40 insertions(+), 13 deletions(-)

diff --git a/doajtest/testbook/publisher_csv/validate_csv.yml b/doajtest/testbook/publisher_csv/validate_csv.yml
index 98e01108b9..3f75ea66e2 100644
--- a/doajtest/testbook/publisher_csv/validate_csv.yml
+++ b/doajtest/testbook/publisher_csv/validate_csv.yml
@@ -77,3 +77,22 @@ tests:
     - step: Click 'Validate'
       results:
         - You are shown a validation message that says validation is successful
+    - step: If you are finished testing, you can teardown the testdrive using the link provided.  If you are going to continue
+        with the other tests in this suite you can leave the testdrive in place until the very end
+
+- title: Access to the feature
+  context:
+    role: Publisher
+    testdrive: publisher_csv_upload
+    setup:
+      - If you have not done so already, use the publisher_csv_upload testdrive to setup for this test at /testdrive/publisher_csv_upload
+    steps:
+      - step: Log in as the publisher account specified by the testdrive result
+        results:
+          - The "Validate your CSV" navigation tab is visible
+      - step: As an administrator, edit the user's account and remove the "journal_csv" role
+      - step: As the publisher again, reload the publisher home page
+        results:
+          - The "Validate your CSV" tab is no longer visible
+
+
diff --git a/doajtest/testdrive/publisher_csv_upload.py b/doajtest/testdrive/publisher_csv_upload.py
index 01b680ed8a..e4b59e3aa3 100644
--- a/doajtest/testdrive/publisher_csv_upload.py
+++ b/doajtest/testdrive/publisher_csv_upload.py
@@ -12,7 +12,7 @@ class PublisherCsvUpload(TestDrive):
     def setup(self) -> dict:
         un = self.create_random_str()
         pw = self.create_random_str()
-        acc = models.Account.make_account(un + "@example.com", un, "Publisher " + un, [constants.ROLE_PUBLISHER])
+        acc = models.Account.make_account(un + "@example.com", un, "Publisher " + un, [constants.ROLE_PUBLISHER, constants.ROLE_PUBLISHER_JOURNAL_CSV])
         acc.set_password(pw)
         acc.save()
 
diff --git a/portality/constants.py b/portality/constants.py
index 5fec2fff90..3e5a43790f 100644
--- a/portality/constants.py
+++ b/portality/constants.py
@@ -81,6 +81,8 @@
 ROLE_ASSOCIATE_EDITOR = 'associate_editor'
 ROLE_PUBLIC_DATA_DUMP = "public_data_dump"
 ROLE_PUBLISHER = "publisher"
+ROLE_PUBLISHER_JOURNAL_CSV = "journal_csv"
+ROLE_PUBLISHER_PRESERVATION = "preservation"
 
 CRON_NEVER = {"month": "2", "day": "31", "day_of_week": "*", "hour": "*", "minute": "*"}
 
diff --git a/portality/settings.py b/portality/settings.py
index 92284bd2be..72322c862a 100644
--- a/portality/settings.py
+++ b/portality/settings.py
@@ -296,7 +296,8 @@
     "api",
     "ultra_bulk_delete",
     "preservation",
-    constants.ROLE_PUBLIC_DATA_DUMP
+    constants.ROLE_PUBLIC_DATA_DUMP,
+    constants.ROLE_PUBLISHER_JOURNAL_CSV
 ]
 
 ROLE_MAP = {
diff --git a/portality/templates/publisher/nav.html b/portality/templates/publisher/nav.html
index 76c277fa5f..989afa6bdf 100644
--- a/portality/templates/publisher/nav.html
+++ b/portality/templates/publisher/nav.html
@@ -8,23 +8,23 @@
 {% set csv = url_for('publisher.journal_csv') %}
 
 {% set tabs = [
-    (index, "My drafts", 0),
-    (journals, "My journals", 1),
-    (urs, "My update requests", 2),
-    (xml, "Upload article XML", 3),
-    (metadata, "Enter article metadata", 4),
-    (preservation, "Upload preservation file", 5),
-    (csv, "Validate your Journal CSV", 6),
-    (help, "Help", 7),
+    (index, "My drafts", 0, constants.ROLE_PUBLISHER),
+    (journals, "My journals", 1, constants.ROLE_PUBLISHER),
+    (urs, "My update requests", 2, constants.ROLE_PUBLISHER),
+    (xml, "Upload article XML", 3, constants.ROLE_PUBLISHER),
+    (metadata, "Enter article metadata", 4, constants.ROLE_PUBLISHER),
+    (preservation, "Upload preservation file", 5, constants.ROLE_PUBLISHER_PRESERVATION),
+    (csv, "Validate your Journal CSV", 6, constants.ROLE_PUBLISHER_JOURNAL_CSV),
+    (help, "Help", 7, constants.ROLE_PUBLISHER),
     ]
 %}
 
 <div class="tabs">
     <nav class="tabs__menu">
         <ul class="tabs__list" role="tablist">
-            {% for url, label, ix in tabs %}
+            {% for url, label, ix, role in tabs %}
                 {# Hide the preservation tab for publishers without preservation role (by ID in case label changes) #}
-                {% if ix == 5 and not current_user.has_role("preservation") %}
+                {% if not current_user.has_role(role) %}
                     {% continue %}
                 {% endif %}
                 {% set selected = url == request.path %}
diff --git a/portality/view/publisher.py b/portality/view/publisher.py
index 9fd1fadfb2..cf355060bf 100644
--- a/portality/view/publisher.py
+++ b/portality/view/publisher.py
@@ -2,6 +2,7 @@
 from flask import render_template, abort, redirect, url_for, flash
 from flask_login import current_user, login_required
 
+import constants
 from portality.app_email import EmailException
 from portality import models
 from portality.bll.exceptions import AuthoriseException, ArticleMergeConflict, DuplicateArticleException, ArticleNotAcceptable
@@ -372,13 +373,17 @@ def metadata():
 @ssl_required
 @write_required()
 def journal_csv():
-    return render_template('publisher/journal_csv.html')
+    if current_user.has_role(constants.ROLE_PUBLISHER_JOURNAL_CSV):
+        return render_template('publisher/journal_csv.html')
+    abort(403)
 
 @blueprint.route("/journal-csv/validate", methods=["POST"])
 @login_required
 @ssl_required
 @write_required()
 def journal_csv_validate():
+    if not current_user.has_role(constants.ROLE_PUBLISHER_JOURNAL_CSV):
+        abort(403)
     if "journal_csv" not in request.files:
         abort(400)
     file = request.files["journal_csv"]