fix(admin): confirm malware observations have URLs (#18725)

Fixes #18724
Fixes WAREHOUSE-PRODUCTION-287

Signed-off-by: Mike Fiedler <[email protected]>

Author: miketheman

warehouse/admin/templates/admin/malware_reports/detail.html

@@ -211,29 +211,53 @@ <h4 class="modal-title">Remove Malware</h4>
             </button>
           </div>
           <div class="modal-body">
-            <p>
-              You are confirming that this Malware Observation for <code>{{ report.related.name }}</code>
-              is valid and malware.
-            </p>
-            <p>This will remove the Project, freeze the Owner's account, prohibit the Project name from being reused.</p>
-            <div class="form-group col-sm-12">
-              <label for="confirm_project_name">
-                Are you sure you want to confirm
-                <strong><code>{{ report.related.name }}</code></strong>
-                <button type="button"
-                        class="copy-text"
-                        data-copy-text="{{ report.related.name }}">
-                  <i class="fa fa-copy" aria-hidden="true"></i>
-                </button>
-                as malware?
-              </label>
-              <input name="project" type="hidden" value="{{ report.related.name }}">
-              <input name="confirm_project_name" id="confirm_project_name" class="form-control" type="text" placeholder="Enter project name to confirm" {{ "disabled" if not request.has_permission(Permissions.AdminProjectsDelete) }} autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false">
-            </div>
+            {% set project_malware_reports = report.related.observations | selectattr("kind", "equalto", "is_malware") | list %}
+            {% set missing_urls = project_malware_reports | selectattr("additional.helpscout_conversation_url", "undefined") | list %}
+            {% if missing_urls %}
+              <div class="alert alert-warning">
+                <i class="fa fa-exclamation-triangle"></i>
+                <strong>Action Blocked:</strong> {{ missing_urls | length }} observation(s) for this project are missing HelpScout conversation URLs.
+                Please add HelpScout conversation URLs to all observations before removing as malware.
+              </div>
+              <p>Missing URLs for observations:</p>
+              <ul>
+                {% for missing_report in missing_urls %}
+                  <li>
+                    {% if missing_report.id == report.id %}
+                      <strong>Observation {{ missing_report.id | string | truncate(8, False, '...') }} - {{ missing_report.created }} (current)</strong>
+                    {% else %}
+                      <a href="{{ request.route_path('admin.malware_reports.detail', observation_id=missing_report.id) }}">
+                        Observation {{ missing_report.id | string | truncate(8, False, '...') }} - {{ missing_report.created }}
+                      </a>
+                    {% endif %}
+                  </li>
+                {% endfor %}
+              </ul>
+            {% else %}
+              <p>
+                You are confirming that this Malware Observation for <code>{{ report.related.name }}</code>
+                is valid and malware.
+              </p>
+              <p>This will remove the Project, freeze the Owner's account, prohibit the Project name from being reused.</p>
+              <div class="form-group col-sm-12">
+                <label for="confirm_project_name">
+                  Are you sure you want to confirm
+                  <strong><code>{{ report.related.name }}</code></strong>
+                  <button type="button"
+                          class="copy-text"
+                          data-copy-text="{{ report.related.name }}">
+                    <i class="fa fa-copy" aria-hidden="true"></i>
+                  </button>
+                  as malware?
+                </label>
+                <input name="project" type="hidden" value="{{ report.related.name }}">
+                <input name="confirm_project_name" id="confirm_project_name" class="form-control" type="text" placeholder="Enter project name to confirm" {{ "disabled" if not request.has_permission(Permissions.AdminProjectsDelete) }} autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false">
+              </div>
+            {% endif %}
           </div>
           <div class="modal-footer justify-content-between">
             <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
-            <button type="submit" class="btn btn-danger">Verdict: Remove Malware</button>
+            <button type="submit" class="btn btn-danger" {% if missing_urls %}disabled{% endif %}>Verdict: Remove Malware</button>
           </div>
         </div>
       </form>

warehouse/admin/templates/admin/malware_reports/project_list.html

@@ -246,27 +246,46 @@ <h4 class="modal-title">Remove Malware</h4>
             </button>
           </div>
           <div class="modal-body">
-            <p>
-              You are confirming that any Malware Observations for <code>{{ project.name }}</code>
-              are valid and malware.
-            </p>
-            <p>This will remove the Project, freeze the Owner's account, prohibit the Project name from being reused.</p>
-            <div class="form-group col-sm-12">
-              <label for="confirm_project_name">
-                Are you sure you want to confirm
-                <strong><code>{{ project.name }}</code></strong>
-                <button type="button" class="copy-text" data-copy-text="{{ project.name }}">
-                  <i class="fa fa-copy" aria-hidden="true"></i>
-                </button>
-                as malware?
-              </label>
-              <input name="project" type="hidden" value="{{ project.name }}">
-              <input name="confirm_project_name" id="confirm_project_name" class="form-control" type="text" placeholder="Enter project name to confirm" {{ "disabled" if not request.has_permission(Permissions.AdminProjectsDelete) }} autocomplete="off" autocorrect="off" autocapitalize="off">
-            </div>
+            {% set missing_urls = malware_reports | selectattr("additional.helpscout_conversation_url", "undefined") | list %}
+            {% if missing_urls %}
+              <div class="alert alert-warning">
+                <i class="fa fa-exclamation-triangle"></i>
+                <strong>Action Blocked:</strong> {{ missing_urls | length }} observation(s) are missing HelpScout conversation URLs.
+                Please add HelpScout conversation URLs to all observations before removing as malware.
+              </div>
+              <p>Missing URLs for observations:</p>
+              <ul>
+                {% for report in missing_urls %}
+                  <li>
+                    <a href="{{ request.route_path('admin.malware_reports.detail', observation_id=report.id) }}">
+                      Observation {{ report.id | string | truncate(8, False, '...') }} - {{ report.created }}
+                    </a>
+                  </li>
+                {% endfor %}
+              </ul>
+            {% else %}
+              <p>
+                You are confirming that any Malware Observations for <code>{{ project.name }}</code>
+                are valid and malware.
+              </p>
+              <p>This will remove the Project, freeze the Owner's account, prohibit the Project name from being reused.</p>
+              <div class="form-group col-sm-12">
+                <label for="confirm_project_name">
+                  Are you sure you want to confirm
+                  <strong><code>{{ project.name }}</code></strong>
+                  <button type="button" class="copy-text" data-copy-text="{{ project.name }}">
+                    <i class="fa fa-copy" aria-hidden="true"></i>
+                  </button>
+                  as malware?
+                </label>
+                <input name="project" type="hidden" value="{{ project.name }}">
+                <input name="confirm_project_name" id="confirm_project_name" class="form-control" type="text" placeholder="Enter project name to confirm" {{ "disabled" if not request.has_permission(Permissions.AdminProjectsDelete) }} autocomplete="off" autocorrect="off" autocapitalize="off">
+              </div>
+            {% endif %}
           </div>
           <div class="modal-footer justify-content-between">
             <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
-            <button type="submit" class="btn btn-danger">Verdict: Remove Malware</button>
+            <button type="submit" class="btn btn-danger" {% if missing_urls %}disabled{% endif %}>Verdict: Remove Malware</button>
           </div>
         </div>
       </form>