enforce tag_manager_access permission

guardian · Jul 10, 2024 · b29df38 · b29df38
1 parent b089b93
commit b29df38
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 2 deletions.
diff --git a/app/controllers/PanDomainAuthActions.scala b/app/controllers/PanDomainAuthActions.scala
@@ -6,9 +6,14 @@ import com.gu.pandomainauth.model.AuthenticatedUser
 import services.Config
 import permissions.Permissions
 import play.api.Logging
+import play.api.mvc.{RequestHeader, Result}
+import play.api.mvc.Results.Forbidden
 
 trait PanDomainAuthActions extends HMACAuthActions with Logging {
 
+  private def noPermissionMessage(authedUser: AuthenticatedUser): String =
+    s"user ${authedUser.user.email} does not have ${Permissions.TagManagerAccess.name} permission"
+
   override def validateUser(authedUser: AuthenticatedUser): Boolean = {
     val isValid = PanDomain.guardianValidation(authedUser)
 
@@ -17,10 +22,20 @@ trait PanDomainAuthActions extends HMACAuthActions with Logging {
     if (!isValid) {
       logger.warn(s"User ${authedUser.user.email} is not valid")
     } else if (!canAccess) {
-      logger.warn(s"User ${authedUser.user.email} does not have tag_manager_access permission")
+      logger.warn(noPermissionMessage(authedUser))
     }
 
-    isValid // TODO && canAccess
+    isValid && canAccess
+  }
+
+  override def showUnauthedMessage(message: String)(implicit request: RequestHeader): Result =
+    Forbidden(views.html.Application.authError(message))
+
+  override def invalidUserMessage(claimedAuth: AuthenticatedUser): String = {
+    val hasAccess = Permissions.testUser(Permissions.TagManagerAccess)(claimedAuth.user.email)
+
+    if (!hasAccess) noPermissionMessage(claimedAuth)
+    else super.invalidUserMessage(claimedAuth)
   }
 
   override def cacheValidation = true

diff --git a/app/views/Application/authError.scala.html b/app/views/Application/authError.scala.html
@@ -0,0 +1,13 @@
+@(message: String)
+<!DOCTYPE html>
+<html>
+  <head lang="en">
+    <meta charset="UTF-8">
+    <title>Tag Manager - access denied</title>
+  </head>
+  <body>
+    <h1>Tag Manager - access denied</h1>
+    <p>@message</p>
+    <p>If you require access to the Tag Manager tool, please contact <a href="mailto:central.production@@theguardian.com">Central Production</a> for assistance</p>
+  </body>
+</html>