add logging for users without permission to access tool

guardian · Oct 30, 2024 · 7f7bff6 · 7f7bff6
1 parent a532d59
commit 7f7bff6
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/app/conf/Configuration.scala b/app/conf/Configuration.scala
@@ -10,6 +10,7 @@ import com.amazonaws.regions.{Region, RegionUtils}
 import com.amazonaws.services.cloudwatch.AmazonCloudWatch
 import com.amazonaws.services.dynamodbv2.AmazonDynamoDB
 import com.amazonaws.services.s3.{AmazonS3, AmazonS3ClientBuilder}
+import com.gu.permissions.PermissionsConfig
 import org.apache.commons.io.IOUtils
 import play.api.Mode
 import play.api.{Configuration => PlayConfiguration}
@@ -170,6 +171,12 @@ class ApplicationConfiguration(val playConfiguration: PlayConfiguration, val env
   object latest {
     lazy val pageSize = 20
   }
+
+  val permissions = PermissionsConfig(
+    stage = environment.stage,
+    region = aws.region,
+    awsCredentials = aws.mandatoryCredentials,
+  )
 }
 
 object Properties extends AutomaticResourceManagement {

diff --git a/app/story_packages/auth/PanDomainAuthActions.scala b/app/story_packages/auth/PanDomainAuthActions.scala
@@ -3,14 +3,22 @@ package story_packages.auth
 import com.gu.pandomainauth.action.AuthActions
 import com.gu.pandomainauth.model.AuthenticatedUser
 import com.gu.pandomainauth.PanDomain
+import com.gu.permissions.{PermissionDefinition, PermissionsProvider}
 import play.api.mvc._
 import conf.ApplicationConfiguration
 import story_packages.services.Logging
 
 trait PanDomainAuthActions extends AuthActions with Results with Logging {
   def config: ApplicationConfiguration
 
+  val permissions = PermissionsProvider(config.permissions)
+
+  val StoryPackagesAccess = PermissionDefinition("story-packages-access", "story-packages")
+
   override def validateUser(authedUser: AuthenticatedUser): Boolean = {
+    if (!permissions.hasPermission(StoryPackagesAccess, authedUser.user.email)) {
+      Logger.warn(s"User ${authedUser.user.email} does not have ${StoryPackagesAccess.name} permission")
+    }
     PanDomain.guardianValidation(authedUser)
   }
 

diff --git a/build.sbt b/build.sbt
@@ -68,6 +68,7 @@ libraryDependencies ++= jacksonOverrides ++  Seq(
     "com.gu" %% "content-api-client-aws" % "0.7.5",
     "com.gu" %% "fapi-client-play30" % "12.0.0",
     "com.gu" %% "pan-domain-auth-play_3-0" % "4.0.0",
+    "com.gu" %% "editorial-permissions-client" % "2.15",
     "com.gu" %% "story-packages-model" % "2.2.0",
     "com.gu" %% "thrift-serializer" % "4.0.2",
     "org.json4s" %% "json4s-native" % json4sVersion,