Merge pull request #358 from guardian/an/enforce-atom-workshop-access…

…-permission enforce atom_workshop_access permissions
guardian · Jul 9, 2024 · 72c32ec · 72c32ec
2 parents 38108fc + fdbb89c
commit 72c32ec
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/app/controllers/PanDomainAuthActions.scala b/app/controllers/PanDomainAuthActions.scala
@@ -5,6 +5,8 @@ import com.gu.pandomainauth.action.AuthActions
 import com.gu.pandomainauth.model.AuthenticatedUser
 import play.api.Logging
 import services.Permissions
+import play.api.mvc.{RequestHeader, Result}
+import play.api.mvc.Results.Forbidden
 
 trait PanDomainAuthActions extends AuthActions with Logging {
 
@@ -22,10 +24,14 @@ trait PanDomainAuthActions extends AuthActions with Logging {
       logger.warn(s"User ${authedUser.user.email} does not have atom_workshop_access permission")
     }
 
-    isValid // TODO && canAccess
+    isValid && canAccess
+  }
+
+  override def showUnauthedMessage(message: String)(implicit request: RequestHeader): Result = {
+    Forbidden(views.html.authError(message))
   }
 
   override def authCallbackUrl: String
 
   def permissions: Permissions
-}
+}
diff --git a/app/views/authError.scala.html b/app/views/authError.scala.html
@@ -0,0 +1,13 @@
+@(message: String)
+<!DOCTYPE html>
+<html>
+  <head lang="en">
+    <meta charset="UTF-8">
+    <title>Atom Workshop - access denied</title>
+  </head>
+  <body>
+    <h1>Atom Workshop - access denied</h1>
+    <p>@message</p>
+    <p>If you require access to the Atom Workshop tool, please contact <a href="mailto:central.production@@theguardian.com">Central Production</a> for assistance</p>
+  </body>
+</html>