From cd8974356966cdc08e313559a76cb779a3d04f8d Mon Sep 17 00:00:00 2001
From: Catherine Pitt <cen1001@cam.ac.uk>
Date: Wed, 12 Apr 2023 12:43:44 +0100
Subject: [PATCH] Provide link to safety handbook from safety checklist form

The starter needs the safety handbook to complete their safety checklist
form. While they should have already been emailed a copy, they could
have lost it. This change adds an endpoint where a user with a valid token
can download the secret handbook, and updates the safety checklist
page to have a link to that. If the handbook hasn't been provided to the
app it tells the starter to go and ask their group admin instead.
---
 .../templates/safety/safety_form.html         |  6 +++-
 chemistry_starters/views/safety_checklist.py  | 32 +++++++++++++++++--
 2 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/chemistry_starters/templates/safety/safety_form.html b/chemistry_starters/templates/safety/safety_form.html
index 2694c40..5dabbc5 100644
--- a/chemistry_starters/templates/safety/safety_form.html
+++ b/chemistry_starters/templates/safety/safety_form.html
@@ -12,9 +12,13 @@ Sorry, the form is not yet complete and so cannot be submitted.
 <p>
 Please complete the safety checklist. Items marked * are compulsory. Your registration cannot be processed until this is done.
 </p>
+{% if safety_handbook_available %}
 <p>
-A copy of the Department Safety Handbook can be found at <a href="https://www.ch.cam.ac.uk/department-safety-handbook">https://www.ch.cam.ac.uk/department-safety-handbook</a> .
+A copy of the Department Safety Handbook can be found <a href="{{ url_for('.safety_handbook', token=request.args.get('token')) }}">here</a> .
 </p>
+{% else %}
+<p>If you do not have a copy of the Department Safety Handbook please ask your group administrator.</p>
+{% endif %}
 </div>
 <div id="registration-form">
  <form method="POST">
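Review bot: The added `<a href="{{ url_for('.safety_handbook', token=request.args.get('token')) }}">` puts the starter's token in the download URL's query string, so it will appear in browser history, the download list and any access log that records query strings for `/register/safety-handbook`. This matches how the form page appears to be reached, but it is worth confirming that these tokens are short-lived and that such logs are access-restricted, since the token now also guards a document the commit describes as secret. As a smaller point, the link text `here` gives assistive technology no context; `<a href="...">Department Safety Handbook</a>` would read better.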
diff --git a/chemistry_starters/views/safety_checklist.py b/chemistry_starters/views/safety_checklist.py
index 0941f5e..be98b56 100644
--- a/chemistry_starters/views/safety_checklist.py
+++ b/chemistry_starters/views/safety_checklist.py
@@ -3,11 +3,21 @@ Defines the application's endpoints
 """
 import datetime
 
-from flask import Blueprint, g, redirect, render_template, request, send_file, url_for
+from flask import (
+    Blueprint,
+    g,
+    redirect,
+    render_template,
+    request,
+    send_file,
+    send_from_directory,
+    url_for,
+)
 
-from chemistry_starters import database, utils
+from chemistry_starters import app, database, utils
 from chemistry_starters.forms import static_forms
 from chemistry_starters.utils import control
+from chemistry_starters.utils.safety import is_safety_handbook_file_available
 
 safety_checklist = Blueprint("safety_checklist", __name__)
 
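Review bot: The new `from chemistry_starters import app` couples this blueprint module to the package's import order. If `chemistry_starters/__init__.py` imports the blueprint before `app` is bound (not visible here), the import fails with a circular-import error. Inside a request, `flask.current_app` exposes the same `root_path` and `config`, so adding `current_app` to the `from flask import (...)` list and using `current_app.config["SAFETY_HANDBOOK_FILENAME"]` in `safety_handbook` would avoid the package-level import.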
@@ -59,6 +69,7 @@ def safety_checklist_form():
             form=safety_form,
             starter_name=starter_name,
             safety_training_url=safety_training_url,
+            safety_handbook_available=is_safety_handbook_file_available(),
         )
     else:
         if request.form.get("submit") != "Check data and submit form":
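Review bot: `is_safety_handbook_file_available()` is now called separately in each of the three `render_template` calls in `safety_checklist_form` (this hunk and the two after it), so a render path added later can easily omit the keyword and silently hide the link. Evaluating it once, e.g. `handbook_available = is_safety_handbook_file_available()` near the top of the view, or supplying it through a blueprint `context_processor`, keeps the template variable consistent. The start of the function is outside these hunks, so where a shared assignment would best sit cannot be confirmed from here.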
@@ -69,6 +80,7 @@ def safety_checklist_form():
                 form=safety_form,
                 starter_name=starter_name,
                 safety_training_url=safety_training_url,
+                safety_handbook_available=is_safety_handbook_file_available(),
             )
         else:
             if safety_form.validate_on_submit():
@@ -98,6 +110,7 @@ def safety_checklist_form():
                     form=safety_form,
                     starter_name=starter_name,
                     safety_training_url=safety_training_url,
+                    safety_handbook_available=is_safety_handbook_file_available(),
                 )
 
 
@@ -178,3 +191,18 @@ def get_completed_safety_form():
             return redirect(url_for("error_pages.forbidden"))
     except database.DatabaseNotAvailable:
         return redirect(url_for("error_pages.unavailable"))
+
+
+@safety_checklist.route("/register/safety-handbook")
+@utils.check_token()
+def safety_handbook():
+    """
+    Serve up the safety handbook
+
+    This document is not in the static directory because it has to have access control.
+    It must also not be committed to the code repository because the contents
+    are secret. This route to download it is protected by token checking.
+    """
+    return send_from_directory(
+        app.root_path + "/documents/", app.config["SAFETY_HANDBOOK_FILENAME"]
+    )
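Review bot: `safety_handbook` returns the `send_from_directory(...)` response with default caching behaviour, although the docstring says the contents are secret; a browser or intermediary cache may keep a copy that outlives the token if tokens expire or are revoked. Consider marking the response uncacheable: `response = send_from_directory(...)`, then `response.headers["Cache-Control"] = "no-store"`, then `return response`. The route can also be requested directly when no handbook is configured, in which case `app.config["SAFETY_HANDBOOK_FILENAME"]` raises `KeyError` and the user gets a 500. Checking `is_safety_handbook_file_available()` first would let it fall back to one of the existing error pages. What `utils.check_token()` validates is not visible in this patch, so confirm that it ties the token to a current starter record rather than only checking that a token is present.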
-- 
GitLab