mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-07-01 04:37:03 -04:00
Be strict about similar email addresses for alerts
We don’t want a single person to have two accounts on an emergency alerts service because it would let them circumvent the two eyes approval process. We can go some way to mitigating against this by stopping people using common methods that email providers use to alias email addresses. These are: - being case insensitive - being insensitive to the position or number of dots in the local part of an email address - using ‘plus addressing’ We already prevent the first one, this commit adds normalisation which strip out the second two before doing the comparision with the current user’s email address.
This commit is contained in:
@@ -62,6 +62,7 @@ from app.models.roles_and_permissions import (
|
||||
roles,
|
||||
)
|
||||
from app.utils import merge_jsonlike
|
||||
from app.utils.user import distinct_email_addresses
|
||||
|
||||
|
||||
def get_time_value_and_label(future_time):
|
||||
@@ -1060,6 +1061,10 @@ class InviteUserForm(BaseInviteUserForm, PermissionsForm):
|
||||
class BroadcastInviteUserForm(BaseInviteUserForm, BroadcastPermissionsForm):
|
||||
email_address = email_address(gov_user=True)
|
||||
|
||||
def validate_email_address(self, field):
|
||||
if not distinct_email_addresses(field.data, self.invalid_email_address):
|
||||
raise ValidationError("You cannot send an invitation to yourself")
|
||||
|
||||
|
||||
class InviteOrgUserForm(StripWhitespaceForm):
|
||||
email_address = email_address(gov_user=False)
|
||||
|
||||
@@ -66,3 +66,14 @@ def _email_address_ends_with(email_address, known_domains):
|
||||
))
|
||||
for known in known_domains
|
||||
)
|
||||
|
||||
|
||||
def normalise_email_address_aliases(email_address):
|
||||
local_part, domain = email_address.split('@')
|
||||
local_part = local_part.split('+')[0].replace('.', '')
|
||||
|
||||
return f'{local_part}@{domain}'.lower()
|
||||
|
||||
|
||||
def distinct_email_addresses(*args):
|
||||
return len(args) == len(set(map(normalise_email_address_aliases, args)))
|
||||
|
||||
@@ -1443,6 +1443,70 @@ def test_user_cant_invite_themselves(
|
||||
assert not mock_create_invite.called
|
||||
|
||||
|
||||
@pytest.mark.parametrize('email_address', (
|
||||
'test@user.gov.uk',
|
||||
'TEST@user.gov.uk',
|
||||
'test@USER.gov.uk',
|
||||
'test+test@user.gov.uk',
|
||||
'te.st@user.gov.uk',
|
||||
pytest.param('test2@user.gov.uk', marks=pytest.mark.xfail),
|
||||
pytest.param('test@other.gov.uk', marks=pytest.mark.xfail),
|
||||
))
|
||||
def test_broadcast_user_cant_invite_themselves_or_their_aliases(
|
||||
client_request,
|
||||
service_one,
|
||||
mocker,
|
||||
active_user_with_permissions,
|
||||
mock_create_invite,
|
||||
mock_get_template_folders,
|
||||
email_address,
|
||||
):
|
||||
service_one['permissions'] += ['broadcast']
|
||||
page = client_request.post(
|
||||
'main.invite_user',
|
||||
service_id=SERVICE_ONE_ID,
|
||||
_data={
|
||||
'email_address': email_address,
|
||||
'permissions_field': []
|
||||
},
|
||||
_expected_status=200,
|
||||
)
|
||||
assert normalize_spaces(page.select_one('span.govuk-error-message').text) == (
|
||||
"Error: You cannot send an invitation to yourself"
|
||||
)
|
||||
assert mock_create_invite.called is False
|
||||
|
||||
|
||||
@pytest.mark.parametrize('extra_service_permissions', (
|
||||
pytest.param([], marks=pytest.mark.xfail),
|
||||
['broadcast'],
|
||||
))
|
||||
def test_platform_admin_cant_invite_themselves_to_broadcast_services(
|
||||
client_request,
|
||||
service_one,
|
||||
mocker,
|
||||
platform_admin_user,
|
||||
mock_create_invite,
|
||||
mock_get_template_folders,
|
||||
extra_service_permissions,
|
||||
):
|
||||
service_one['permissions'] += extra_service_permissions
|
||||
client_request.login(platform_admin_user)
|
||||
page = client_request.post(
|
||||
'main.invite_user',
|
||||
service_id=SERVICE_ONE_ID,
|
||||
_data={
|
||||
'email_address': platform_admin_user['email_address'],
|
||||
'permissions_field': []
|
||||
},
|
||||
_expected_status=200,
|
||||
)
|
||||
assert normalize_spaces(page.select_one('span.govuk-error-message').text) == (
|
||||
"Error: You cannot send an invitation to yourself"
|
||||
)
|
||||
assert mock_create_invite.called is False
|
||||
|
||||
|
||||
def test_no_permission_manage_users_page(
|
||||
client_request,
|
||||
service_one,
|
||||
|
||||
Reference in New Issue
Block a user