Ensure that mobile of user not belonging to service cannot be edited

2026-05-26 08:09:51 -04:00 · 2019-02-26 11:47:15 +00:00
parent d60ab838a8
commit d93278f5f0
2 changed files with 25 additions and 9 deletions
--- a/app/main/views/manage_users.py
+++ b/app/main/views/manage_users.py
@@ -198,11 +198,11 @@ def confirm_edit_user_email(service_id, user_id):
    )


-@main.route("/services/<service_id>/users/<user_id>/edit-mobile-number", methods=['GET', 'POST'])
+@main.route("/services/<service_id>/users/<uuid:user_id>/edit-mobile-number", methods=['GET', 'POST'])
@login_required
@user_has_permissions('manage_service')
 def edit_user_mobile_number(service_id, user_id):
-    user = user_api_client.get_user(user_id)
+    user = current_service.get_team_member(user_id)
    user_mobile_number = redact_mobile_number(user.mobile_number)

    form = ChangeMobileNumberForm(mobile_number=user_mobile_number)
@@ -223,11 +223,11 @@ def edit_user_mobile_number(service_id, user_id):
    )


-@main.route("/services/<service_id>/users/<user_id>/edit-mobile-number/confirm", methods=['GET', 'POST'])
+@main.route("/services/<service_id>/users/<uuid:user_id>/edit-mobile-number/confirm", methods=['GET', 'POST'])
@login_required
@user_has_permissions('manage_service')
 def confirm_edit_user_mobile_number(service_id, user_id):
-    user = user_api_client.get_user(user_id)
+    user = current_service.get_team_member(user_id)
    if 'team_member_mobile_change' in session:
        new_number = session['team_member_mobile_change']
    else:
@@ -238,7 +238,7 @@ def confirm_edit_user_mobile_number(service_id, user_id):
        ))
    if request.method == 'POST':
        try:
-            user_api_client.update_user_attribute(user_id, mobile_number=new_number)
+            user_api_client.update_user_attribute(str(user_id), mobile_number=new_number)
        except HTTPError as e:
            abort(500, e)
        finally:
--- a/tests/app/main/views/test_manage_users.py
+++ b/tests/app/main/views/test_manage_users.py
@@ -1007,10 +1007,6 @@ def test_confirm_edit_user_email_doesnt_change_user_email_for_non_team_member(
    )


-def test_confirm_edit_user_email_with_no_permission_aborts():
-    pass
-
-
 def test_edit_user_permissions_page_displays_redacted_mobile_number_and_change_link(
    client_request,
    active_user_with_permissions,
@@ -1039,6 +1035,7 @@ def test_edit_user_permissions_page_displays_redacted_mobile_number_and_change_l
 def test_edit_user_mobile_number_page(
    client_request,
    active_user_with_permissions,
+    mock_get_users_by_service,
    service_one,
    mocker
 ):
@@ -1060,6 +1057,7 @@ def test_edit_user_mobile_number_page(
 def test_edit_user_mobile_number_redirects_to_confirmation(
    logged_in_client,
    active_user_with_permissions,
+    mock_get_users_by_service,
    service_one,
    mocker,
    mock_get_user,
@@ -1083,6 +1081,7 @@ def test_edit_user_mobile_number_redirects_to_confirmation(
 def test_edit_user_mobile_number_redirects_to_manage_users_if_number_not_changed(
    logged_in_client,
    active_user_with_permissions,
+    mock_get_users_by_service,
    service_one,
    mocker,
    mock_get_user,
@@ -1102,6 +1101,7 @@ def test_edit_user_mobile_number_redirects_to_manage_users_if_number_not_changed
 def test_confirm_edit_user_mobile_number_page(
    logged_in_client,
    active_user_with_permissions,
+    mock_get_users_by_service,
    service_one,
    mocker,
    mock_get_user,
@@ -1129,6 +1129,7 @@ def test_confirm_edit_user_mobile_number_page(
 def test_confirm_edit_user_mobile_number_page_redirects_if_session_empty(
    logged_in_client,
    active_user_with_permissions,
+    mock_get_users_by_service,
    service_one,
    mocker,
    mock_get_user,
@@ -1145,6 +1146,7 @@ def test_confirm_edit_user_mobile_number_page_redirects_if_session_empty(
 def test_confirm_edit_user_mobile_number_changes_user_mobile_number(
    logged_in_client,
    active_user_with_permissions,
+    mock_get_users_by_service,
    service_one,
    mocker,
    mock_get_user,
@@ -1162,3 +1164,17 @@ def test_confirm_edit_user_mobile_number_changes_user_mobile_number(
    assert response.location == url_for(
        'main.manage_users', service_id=service_one['id'], _external=True)
    mock_update_user_attribute.assert_called_once_with(active_user_with_permissions.id, mobile_number=new_number)
+
+
+def test_confirm_edit_user_mobile_number_doesnt_change_user_mobile_for_non_team_member(
+    client_request,
+    mock_get_users_by_service,
+):
+    with client_request.session_transaction() as session:
+        session['team_member_mobile_change'] = '07554080636'
+    client_request.post(
+        'main.confirm_edit_user_mobile_number',
+        service_id=SERVICE_ONE_ID,
+        user_id=USER_ONE_ID,
+        _expected_status=404,
+    )