From 7f7bff60f05d58748b53e510b6bc7fc84eab4971 Mon Sep 17 00:00:00 2001
From: Andrew Nowak
Date: Mon, 7 Oct 2024 17:33:42 +0100
Subject: [PATCH] add logging for users without permission to access tool

---
 app/conf/Configuration.scala | 7 +++++++
 app/story_packages/auth/PanDomainAuthActions.scala | 8 ++++++++
 build.sbt | 1 +
 3 files changed, 16 insertions(+)

diff --git a/app/conf/Configuration.scala b/app/conf/Configuration.scala
index 6a714f8..a4a7102 100644
--- a/app/conf/Configuration.scala
+++ b/app/conf/Configuration.scala
@@ -10,6 +10,7 @@ import com.amazonaws.regions.{Region, RegionUtils}
 import com.amazonaws.services.cloudwatch.AmazonCloudWatch
 import com.amazonaws.services.dynamodbv2.AmazonDynamoDB
 import com.amazonaws.services.s3.{AmazonS3, AmazonS3ClientBuilder}
+import com.gu.permissions.PermissionsConfig
 import org.apache.commons.io.IOUtils
 import play.api.Mode
 import play.api.{Configuration => PlayConfiguration}
@@ -170,6 +171,12 @@ class ApplicationConfiguration(val playConfiguration: PlayConfiguration, val env
 object latest {
 lazy val pageSize = 20
 }
+
+ val permissions = PermissionsConfig(
+ stage = environment.stage,
+ region = aws.region,
+ awsCredentials = aws.mandatoryCredentials,
+ )
 }
 
 object Properties extends AutomaticResourceManagement {
diff --git a/app/story_packages/auth/PanDomainAuthActions.scala b/app/story_packages/auth/PanDomainAuthActions.scala
index 018ade8..dc743f1 100644
--- a/app/story_packages/auth/PanDomainAuthActions.scala
+++ b/app/story_packages/auth/PanDomainAuthActions.scala
@@ -3,6 +3,7 @@ package story_packages.auth
 import com.gu.pandomainauth.action.AuthActions
 import com.gu.pandomainauth.model.AuthenticatedUser
 import com.gu.pandomainauth.PanDomain
+import com.gu.permissions.{PermissionDefinition, PermissionsProvider}
 import play.api.mvc._
 import conf.ApplicationConfiguration
 import story_packages.services.Logging
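Review bot: `val permissions = PermissionsConfig(...)` in the second Configuration.scala hunk is a strict val, so `aws.mandatoryCredentials` is evaluated whenever ApplicationConfiguration is constructed, even on code paths that never use the permissions client, while the neighbouring `lazy val pageSize` shows the class otherwise defers such members. Either make it `lazy val permissions = PermissionsConfig(` for consistency, or, if the eager evaluation is meant as a fail-fast on missing credentials (the name `mandatoryCredentials` suggests it may throw, but that is not visible here), say so with a comment such as `// eager on purpose: fail at startup rather than on first permission check if credentials are missing`. ApplicationConfiguration begins outside the hunk.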
@@ -10,7 +11,14 @@ import story_packages.services.Logging
 trait PanDomainAuthActions extends AuthActions with Results with Logging {
 def config: ApplicationConfiguration
 
+ val permissions = PermissionsProvider(config.permissions)
+
+ val StoryPackagesAccess = PermissionDefinition("story-packages-access", "story-packages")
+
 override def validateUser(authedUser: AuthenticatedUser): Boolean = {
+ if (!permissions.hasPermission(StoryPackagesAccess, authedUser.user.email)) {
+ Logger.warn(s"User ${authedUser.user.email} does not have ${StoryPackagesAccess.name} permission")
+ }
 PanDomain.guardianValidation(authedUser)
 }
 
diff --git a/build.sbt b/build.sbt
index 545cdbb..032863c 100644
--- a/build.sbt
+++ b/build.sbt
@@ -68,6 +68,7 @@ libraryDependencies ++= jacksonOverrides ++ Seq(
 "com.gu" %% "content-api-client-aws" % "0.7.5",
 "com.gu" %% "fapi-client-play30" % "12.0.0",
 "com.gu" %% "pan-domain-auth-play_3-0" % "4.0.0",
+ "com.gu" %% "editorial-permissions-client" % "2.15",
 "com.gu" %% "story-packages-model" % "2.2.0",
 "com.gu" %% "thrift-serializer" % "4.0.2",
 "org.json4s" %% "json4s-native" % json4sVersion,
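Review bot: The `hasPermission` result in `validateUser` only drives the `Logger.warn` and never feeds the returned `PanDomain.guardianValidation(authedUser)`, so a user without `story-packages-access` is still admitted; that matches the commit's stated scope (logging only), but nothing in the code says the check is deliberately non-enforcing, and the next reader will see a permission check and assume the tool is gated. Add a comment above the `if`, e.g. `// Audit-only for now: the permission is logged, not enforced; access is still decided by guardianValidation.`, and track the later switch to `permissions.hasPermission(StoryPackagesAccess, authedUser.user.email) && PanDomain.guardianValidation(authedUser)` as its own change. `val permissions = PermissionsProvider(config.permissions)` is a strict val in a trait that reads the abstract `config`, so an implementor that defines `config` as a plain body `val` would see null during trait initialisation, and every class mixing in the trait builds its own provider; `lazy val permissions` avoids both. The warning also writes the user's email into the log stream, which is reasonable for an internal audit trail but worth knowing if these logs are forwarded to a shared sink. The trait body continues past the end of the hunk.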
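Review bot: `editorial-permissions-client` is a new direct dependency rather than a bump, and the Configuration.scala hunk in this patch feeds it `aws.mandatoryCredentials`, presumably the v1 `com.amazonaws` credentials imported there. If the client ships its own AWS SDK or Jackson versions, sbt eviction will silently pick one, so the resolved graph (for example via the `evicted` task) should be checked against the existing `jacksonOverrides` before this lands.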