From 9070cfb474452c802fa61b383414ddf7a000523d Mon Sep 17 00:00:00 2001
From: Andrew Nowak
Date: Wed, 15 Jan 2025 15:10:50 +0000
Subject: [PATCH 1/3] require users to have been granted the access permission to access the tool

---
 app/story_packages/auth/PanDomainAuthActions.scala | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/story_packages/auth/PanDomainAuthActions.scala b/app/story_packages/auth/PanDomainAuthActions.scala
index 3020268..f8220d6 100644
--- a/app/story_packages/auth/PanDomainAuthActions.scala
+++ b/app/story_packages/auth/PanDomainAuthActions.scala
@@ -18,8 +18,10 @@ trait PanDomainAuthActions extends AuthActions with Results with Logging {
 override def validateUser(authedUser: AuthenticatedUser): Boolean = {
 if (!permissions.hasPermission(StoryPackagesAccess, authedUser.user.email)) {
 Logger.warn(s"User ${authedUser.user.email} does not have ${StoryPackagesAccess.name} permission")
+ false
+ } else {
+ PanDomain.guardianValidation(authedUser)
 }
- PanDomain.guardianValidation(authedUser)
 }

 override def authCallbackUrl: String = config.pandomain.host + "/oauthCallback"

From b03e1178d82a382b3167aece6771cad15943848d Mon Sep 17 00:00:00 2001
From: Andrew Nowak
Date: Wed, 15 Jan 2025 16:03:34 +0000
Subject: [PATCH 2/3] Add unauthzed message

---
 app/story_packages/auth/PanDomainAuthActions.scala | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/app/story_packages/auth/PanDomainAuthActions.scala b/app/story_packages/auth/PanDomainAuthActions.scala
index f8220d6..0b55434 100644
--- a/app/story_packages/auth/PanDomainAuthActions.scala
+++ b/app/story_packages/auth/PanDomainAuthActions.scala
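Review bot: In `validateUser` the permission lookup and its warning run before `PanDomain.guardianValidation`, so an account that would fail that validation anyway is still looked up and logged as lacking `StoryPackagesAccess`. Running the validation first and returning one conjunction, for example `PanDomain.guardianValidation(authedUser) && hasAccess(authedUser)` with the lookup and the warning moved into a small private `hasAccess` helper, keeps the log line meaningful and makes the fail-closed result explicit rather than dependent on branch placement. The diffstat shows only this file changed, so no test covers the denied path; one asserting `false` for a user without the permission would guard against the check becoming log-only again.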
@@ -33,10 +33,12 @@ trait PanDomainAuthActions extends AuthActions with Results with Logging {

 override def invalidUserMessage(claimedAuth: AuthenticatedUser): String = {
 if( (claimedAuth.user.emailDomain == "guardian.co.uk") && !claimedAuth.multiFactor) {
- s"${claimedAuth.user.email} is not valid for use with the Fronts Tool as you need to have two factor authentication enabled." +
- s" Please contact the Helpdesk by emailing 34444@theguardian.com or calling 34444 and request access to Composer CMS tools."
- } else {
+ s"${claimedAuth.user.email} is not valid for use with the Story Packages tool as you need to have two factor authentication enabled." +
+ s" Please contact the Helpdesk by emailing 34444@theguardian.com or calling 34444 and request assistance setting up two factor authentication on your Google account."
+ } else if (claimedAuth.user.emailDomain != "guardian.co.uk") {
 s"${claimedAuth.user.email} is not valid for use with the Fronts Tool. You need to use your Guardian Google account to login. Please sign in with your Guardian Google account first, then retry logging in."
+ } else {
+ s"${claimedAuth.user.email} has not been granted access to the Story Packages tool. Please contact Central Production at central.production@guardian.co.uk requesting access to the Story Packages tool."
 }
 }
 }

From fbe013c35dcfd4374d532c7a1437c6615fb26487 Mon Sep 17 00:00:00 2001
From: Andrew Nowak <10963046+andrew-nowak@users.noreply.github.com>
Date: Wed, 15 Jan 2025 17:24:56 +0000
Subject: [PATCH 3/3] update the other warning referring to wrong tool

Co-authored-by: David Furey
---
 app/story_packages/auth/PanDomainAuthActions.scala | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/story_packages/auth/PanDomainAuthActions.scala b/app/story_packages/auth/PanDomainAuthActions.scala
index 0b55434..be972a3 100644
--- a/app/story_packages/auth/PanDomainAuthActions.scala
+++ b/app/story_packages/auth/PanDomainAuthActions.scala
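Review bot: The final `else` in `invalidUserMessage` reports a missing permission without checking it, so it is also shown for any other reason `validateUser` rejects a two-factor Guardian account. `PanDomain.guardianValidation` is not visible in this patch, so whether such a reason exists cannot be confirmed from here. Testing the condition directly with `} else if (!permissions.hasPermission(StoryPackagesAccess, claimedAuth.user.email)) {`, followed by a generic final message, would tie the text to the check that actually failed. The `"guardian.co.uk"` literal now appears in two conditions of this method and could be a single named value.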
@@ -36,7 +36,7 @@ trait PanDomainAuthActions extends AuthActions with Results with Logging {
 s"${claimedAuth.user.email} is not valid for use with the Story Packages tool as you need to have two factor authentication enabled." +
 s" Please contact the Helpdesk by emailing 34444@theguardian.com or calling 34444 and request assistance setting up two factor authentication on your Google account."
 } else if (claimedAuth.user.emailDomain != "guardian.co.uk") {
- s"${claimedAuth.user.email} is not valid for use with the Fronts Tool. You need to use your Guardian Google account to login. Please sign in with your Guardian Google account first, then retry logging in."
+ s"${claimedAuth.user.email} is not valid for use with the Story Packages Tool. You need to use your Guardian Google account to login. Please sign in with your Guardian Google account first, then retry logging in."
 } else {
 s"${claimedAuth.user.email} has not been granted access to the Story Packages tool. Please contact Central Production at central.production@guardian.co.uk requesting access to the Story Packages tool."
 }