Show a confidentiality warning before showing any CfP admin pages

emfcamp · Feb 5, 2024 · 03a1556 · 03a1556
1 parent cee0eb1
commit 03a1556
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 2 deletions.
diff --git a/apps/cfp_review/__init__.py b/apps/cfp_review/__init__.py
@@ -1,4 +1,5 @@
-from flask import Blueprint, request
+from flask import Blueprint, request, session, redirect, url_for, abort
+from flask_login import current_user
 from sqlalchemy import func, or_
 
 from models.cfp import (
@@ -13,13 +14,40 @@
 from ..common import require_permission
 
 cfp_review = Blueprint("cfp_review", __name__)
+
 admin_required = require_permission(
     "cfp_admin"
 )  # Decorator to require admin permissions
 anon_required = require_permission("cfp_anonymiser")
 review_required = require_permission("cfp_reviewer")
 schedule_required = require_permission("cfp_schedule")
 
+CFP_PERMISSIONS = {
+    "admin",
+    "cfp_admin",
+    "cfp_anonymiser",
+    "cfp_reviewer",
+    "cfp_schedule",
+}
+
+
+@cfp_review.before_request
+def before_request():
+    if not current_user.is_authenticated:
+        return redirect(url_for("users.login", next=request.path))
+
+    # Check if the user has any CFP permissions
+    if len(set(p.name for p in current_user.permissions) & CFP_PERMISSIONS) == 0:
+        abort(404)
+
+    if (
+        not session.get("cfp_confidentiality")
+        and request.endpoint != "cfp_review.confidentiality_warning"
+    ):
+        return redirect(
+            url_for("cfp_review.confidentiality_warning", next=request.path)
+        )
+
 
 def sort_by_notice(notice):
     return {"1 week": 0, "1 month": 1, "> 1 month": 2}.get(notice, -1)

diff --git a/apps/cfp_review/base.py b/apps/cfp_review/base.py
@@ -1227,4 +1227,13 @@ def proposals_summary():
     )
 
 
+@cfp_review.route("/confidentiality", methods=["GET", "POST"])
+def confidentiality_warning():
+    if request.method == "POST" and request.form.get("agree"):
+        session["cfp_confidentiality"] = True
+        return redirect(request.args.get("next", url_for(".proposals")))
+
+    return render_template("cfp_review/confidentiality_warning.html")
+
+
 from . import venues  # noqa
diff --git a/apps/cfp_review/review.py b/apps/cfp_review/review.py
@@ -95,7 +95,6 @@ def review_list():
             )
         )
     ):
-
         random.shuffle(to_review_again)
         random.shuffle(to_review_new)
         random.shuffle(to_review_old)

diff --git a/templates/cfp_review/confidentiality_warning.html b/templates/cfp_review/confidentiality_warning.html
@@ -0,0 +1,29 @@
+{% extends "cfp_review/base.html" %}
+{% block title%}CfP Admin{% endblock %}
+{% block body %}
+<h2>CfP Confidentiality</h2>
+
+<p>
+    You're about to view proposals in the EMF Call for Participation.
+</p>
+
+<p>
+    Please be aware that all proposals are confidential until the schedule is released.
+    Proposals which are not accepted will remain confidential indefinitely.
+</p>
+
+<p>
+    Don't share any information from the CfP with anyone else, including other members
+    of the EMF team who aren't involved in the CfP process.
+</p>
+
+<p>
+    If you have any questions, please ask the content team.
+</p>
+
+<form method="post">
+    <button name="agree" value="1" class="btn btn-primary" type="submit">I agree to keep proposals confidential</button>
+    <input type="hidden" name="next" value="{{ next }}">
+</form>
+
+{% endblock %}
-Original file line number
+Diff line change
@@ Expand Up / @@ -95,7 +95,6 @@ def review_list(): @@
                 )
             )
         ):
             random.shuffle(to_review_again)
             random.shuffle(to_review_new)
             random.shuffle(to_review_old)
@@ Expand Down @@