Merge pull request #205 from guardian/an/enforce-access-permission

andrew-nowak · web-flow · commit 19f5ea46f01c · 2025-01-21T16:54:18.000Z
require users to have been granted the access permission to access the tool
diff --git a/app/story_packages/auth/PanDomainAuthActions.scala b/app/story_packages/auth/PanDomainAuthActions.scala
@@ -18,8 +18,10 @@ trait PanDomainAuthActions extends AuthActions with Results with Logging {
   override def validateUser(authedUser: AuthenticatedUser): Boolean = {
     if (!permissions.hasPermission(StoryPackagesAccess, authedUser.user.email)) {
       Logger.warn(s"User ${authedUser.user.email} does not have ${StoryPackagesAccess.name} permission")
+      false
+    } else {
+      PanDomain.guardianValidation(authedUser)
     }
-    PanDomain.guardianValidation(authedUser)
   }
 
   override def authCallbackUrl: String = config.pandomain.host  + "/oauthCallback"
@@ -31,10 +33,12 @@ trait PanDomainAuthActions extends AuthActions with Results with Logging {
 
   override def invalidUserMessage(claimedAuth: AuthenticatedUser): String = {
     if( (claimedAuth.user.emailDomain == "guardian.co.uk") && !claimedAuth.multiFactor) {
-      s"${claimedAuth.user.email} is not valid for use with the Fronts Tool as you need to have two factor authentication enabled." +
-       s" Please contact the Helpdesk by emailing 34444@theguardian.com or calling 34444 and request access to Composer CMS tools."
+      s"${claimedAuth.user.email} is not valid for use with the Story Packages tool as you need to have two factor authentication enabled." +
+       s" Please contact the Helpdesk by emailing 34444@theguardian.com or calling 34444 and request assistance setting up two factor authentication on your Google account."
+    } else if (claimedAuth.user.emailDomain != "guardian.co.uk") {
+      s"${claimedAuth.user.email} is not valid for use with the Story Packages Tool. You need to use your Guardian Google account to login. Please sign in with your Guardian Google account first, then retry logging in."
     } else {
-      s"${claimedAuth.user.email} is not valid for use with the Fronts Tool. You need to use your Guardian Google account to login. Please sign in with your Guardian Google account first, then retry logging in."
+      s"${claimedAuth.user.email} has not been granted access to the Story Packages tool. Please contact Central Production at central.production@guardian.co.uk requesting access to the Story Packages tool."
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -18,8 +18,10 @@ trait PanDomainAuthActions extends AuthActions with Results with Logging {`
`18`	`18`	`override def validateUser(authedUser: AuthenticatedUser): Boolean = {`
`19`	`19`	`if (!permissions.hasPermission(StoryPackagesAccess, authedUser.user.email)) {`
`20`	`20`	`Logger.warn(s"User ${authedUser.user.email} does not have ${StoryPackagesAccess.name} permission")`
	`21`	`+ false`
	`22`	`+ } else {`
	`23`	`+ PanDomain.guardianValidation(authedUser)`
`21`	`24`	`}`
`22`		`- PanDomain.guardianValidation(authedUser)`
`23`	`25`	`}`
`24`	`26`
`25`	`27`	`override def authCallbackUrl: String = config.pandomain.host + "/oauthCallback"`
`@@ -31,10 +33,12 @@ trait PanDomainAuthActions extends AuthActions with Results with Logging {`
`31`	`33`
`32`	`34`	`override def invalidUserMessage(claimedAuth: AuthenticatedUser): String = {`
`33`	`35`	`if( (claimedAuth.user.emailDomain == "guardian.co.uk") && !claimedAuth.multiFactor) {`
`34`		`- s"${claimedAuth.user.email} is not valid for use with the Fronts Tool as you need to have two factor authentication enabled." +`
`35`		`- s" Please contact the Helpdesk by emailing [email protected] or calling 34444 and request access to Composer CMS tools."`
	`36`	`+ s"${claimedAuth.user.email} is not valid for use with the Story Packages tool as you need to have two factor authentication enabled." +`
	`37`	`+ s" Please contact the Helpdesk by emailing [email protected] or calling 34444 and request assistance setting up two factor authentication on your Google account."`
	`38`	`+ } else if (claimedAuth.user.emailDomain != "guardian.co.uk") {`
	`39`	`+ s"${claimedAuth.user.email} is not valid for use with the Story Packages Tool. You need to use your Guardian Google account to login. Please sign in with your Guardian Google account first, then retry logging in."`
`36`	`40`	`} else {`
`37`		`- s"${claimedAuth.user.email} is not valid for use with the Fronts Tool. You need to use your Guardian Google account to login. Please sign in with your Guardian Google account first, then retry logging in."`
	`41`	`+ s"${claimedAuth.user.email} has not been granted access to the Story Packages tool. Please contact Central Production at [email protected] requesting access to the Story Packages tool."`
`38`	`42`	`}`
`39`	`43`	`}`
`40`	`44`	`}`