Ensure non-gov invited users get added to services

We were adding invited users to services in the `main.add_service` view
function as the last step in the process of inviting users. Since this
view function is decorated with `@user_is_gov_user`, invited users with
non-governmental email addresses would never reach this point and would
be able to register an account but would not get linked to a service.

To fix this, we now add the invited user to the service at the point at
which the user gets activated and also ensure that non-gov users don't
get redirected to a page which they don't have permission to view.
Katie Smith
2019-01-18 16:13:29 +00:00
parent 63889cb047
commit bbc7b173f0
4 changed files with 29 additions and 27 deletions


@@ -271,6 +271,7 @@ def test_register_from_invite_when_user_registers_in_another_browser(
assert response.location == url_for('main.verify', _external=True)
@pytest.mark.parametrize('invite_email_address', ['gov-user@gov.uk', 'non-gov-user@example.com'])
def test_register_from_email_auth_invite(
client,
sample_invite,
@@ -281,8 +282,11 @@ def test_register_from_email_auth_invite(
mock_send_verify_code,
mock_accept_invite,
mock_create_event,
mock_add_user_to_service,
invite_email_address,
):
sample_invite['auth_type'] = 'email_auth'
sample_invite['email_address'] = invite_email_address
with client.session_transaction() as session:
session['invited_user'] = sample_invite
assert not current_user.is_authenticated
@@ -298,7 +302,7 @@ def test_register_from_email_auth_invite(
resp = client.post(url_for('main.register_from_invite'), data=data)
assert resp.status_code == 302
assert resp.location == url_for('main.add_service', first='first', _external=True)
assert resp.location == url_for('main.service_dashboard', service_id=sample_invite['service'], _external=True)
# doesn't send any 2fa code
assert not mock_send_verify_email.called
@@ -314,6 +318,7 @@ def test_register_from_email_auth_invite(
mock_accept_invite.assert_called_once_with(sample_invite['service'], sample_invite['id'])
# just logs them in
assert current_user.is_authenticated
assert mock_add_user_to_service.called
with client.session_transaction() as session:
# invited user details are still there so they can get added to the service
@@ -330,6 +335,7 @@ def test_can_register_email_auth_without_phone_number(
mock_send_verify_code,
mock_accept_invite,
mock_create_event,
mock_add_user_to_service,
):
sample_invite['auth_type'] = 'email_auth'
with client.session_transaction() as session:
@@ -346,7 +352,7 @@ def test_can_register_email_auth_without_phone_number(
resp = client.post(url_for('main.register_from_invite'), data=data)
assert resp.status_code == 302
assert resp.location == url_for('main.add_service', first='first', _external=True)
assert resp.location == url_for('main.service_dashboard', service_id=sample_invite['service'], _external=True)
mock_register_user.assert_called_once_with(
ANY,