Fix permissions check for inviting users to a service

This changeset reverts a change we had made previously where we accidentally locked down the ability for service admins to invite other users to their own service. This removes the platform admin user check and reverts it back to the proper permissions check (including adjusting the tests to account for this). Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
2026-06-10 16:31:15 -04:00 · 2023-12-11 10:47:21 -05:00
parent 190bc3f807
commit f7efceba44
2 changed files with 12 additions and 7 deletions
--- a/app/main/views/manage_users.py
+++ b/app/main/views/manage_users.py
@@ -21,7 +21,7 @@ from app.main.forms import (
    SearchUsersForm,
 )
 from app.models.user import InvitedUser, User
-from app.utils.user import is_gov_user, user_has_permissions, user_is_platform_admin
+from app.utils.user import is_gov_user, user_has_permissions
 from app.utils.user_permissions import permission_options


@@ -42,7 +42,7 @@ def manage_users(service_id):
@main.route(
    "/services/<uuid:service_id>/users/invite/<uuid:user_id>", methods=["GET", "POST"]
 )
-@user_is_platform_admin
+@user_has_permissions("manage_service")
 def invite_user(service_id, user_id=None):
    form_class = InviteUserForm
    form = form_class(
--- a/tests/app/main/views/test_manage_users.py
+++ b/tests/app/main/views/test_manage_users.py
@@ -800,10 +800,13 @@ def test_should_show_page_for_inviting_user_with_email_prefilled(
        user_id=fake_uuid,
        # We have the user’s name in the H1 but don’t want it duplicated
        # in the page title
-        _test_page_title=False,
-        _expected_status=403,
+        _test_page_title=False
    )
-    assert "not allowed to see this page" in page.h1.string.strip()
+    assert normalize_spaces(page.select_one("title").text).startswith(
+        "Invite a team member"
+    )
+    assert normalize_spaces(page.select_one("h1").text) == ("Invite Service Two User")
+    assert not page.select("input#email_address") or page.select("input[type=email]")


 def test_should_show_page_if_prefilled_user_is_already_a_team_member(
@@ -1280,9 +1283,11 @@ def test_user_cant_invite_themselves(
            "permissions_field": ["send_messages", "manage_service", "manage_api_keys"],
        },
        _follow_redirects=True,
-        _expected_status=403,
+        _expected_status=200,
    )
-    assert "not allowed to see this page" in page.h1.string.strip()
+    assert page.h1.string.strip() == "Invite a team member"
+    form_error = page.find("span", class_="usa-error-message").text.strip()
+    assert form_error == "Error: You cannot send an invitation to yourself"
    assert not mock_create_invite.called