Validate that template reply_to belongs to template's service
Checks that the email/SMS/letter reply-to object has the same service_id as the template it is being attached to, so that a template cannot be used to retrieve return-address data belonging to other services.
@@ -16,7 +16,7 @@ from app.dao.templates_dao import (
|
||||
from notifications_utils.template import SMSMessageTemplate
|
||||
from app.dao.services_dao import dao_fetch_service_by_id
|
||||
from app.models import SMS_TYPE
|
||||
from app.notifications.validators import service_has_permission
|
||||
from app.notifications.validators import service_has_permission, check_reply_to
|
||||
from app.schemas import (template_schema, template_history_schema)
|
||||
from app.errors import (
|
||||
register_errors,
|
||||
@@ -58,6 +58,8 @@ def create_template(service_id):
|
||||
errors = {'content': [message]}
|
||||
raise InvalidRequest(errors, status_code=400)
|
||||
|
||||
check_reply_to(service_id, new_template.reply_to, new_template.template_type)
|
||||
|
||||
dao_create_template(new_template)
|
||||
return jsonify(data=template_schema.dump(new_template).data), 201
|
||||
|
||||
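Review bot: The rejection message exercised by the new tests, "letter_contact_id {} does not exist in database for service id {}", should be the same whether the id is unknown or belongs to another service, otherwise the 400 becomes an existence oracle for other services' reply-to ids; `check_reply_to` is defined outside this hunk, so that cannot be confirmed here and deserves an explicit test with a random UUID. The check is keyed on the URL's `service_id`, which is correct only if `new_template.service` was already bound to that same service earlier in `create_template` (the function starts above the hunk) rather than taken from the request body's `service` field. A why-comment above the call would make the intent durable: `# reply_to must belong to this service; otherwise a caller could attach, and later read back, another service's contact details`. Presumably `check_reply_to` treats a missing `reply_to` as valid, since `new_template.reply_to` is optional here.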
@@ -93,6 +95,9 @@ def update_template(service_id, template_id):
|
||||
message = 'Content has a character count greater than the limit of {}'.format(char_count_limit)
|
||||
errors = {'content': [message]}
|
||||
raise InvalidRequest(errors, status_code=400)
|
||||
|
||||
check_reply_to(service_id, update_dict.reply_to, fetched_template.template_type)
|
||||
|
||||
dao_update_template(update_dict)
|
||||
return jsonify(data=template_schema.dump(update_dict).data), 200
|
||||
|
||||
|
||||
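Review bot: The check passes `update_dict.reply_to`, but the hunk does not show how `update_dict` is built (the function starts above the hunk); if the schema loads the payload onto a copy of `fetched_template`, an update that omits `reply_to` re-validates the stored value, and one that sends `"reply_to": null` presumably clears it, so both cases are worth a test alongside the foreign-id one. Using `fetched_template.template_type` rather than a type from the payload is the right choice, since the type must not change on update; a short comment would save the next reader from wondering why, e.g. `# validate against the stored type; template_type is not updatable`. As in create, the security intent should be stated at the call site: `# reject reply_to ids owned by another service`.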
@@ -588,6 +588,28 @@ def test_create_a_template_with_reply_to(admin_request, sample_user):
|
||||
assert sorted(json_resp['data']) == sorted(template_schema.dump(template).data)
|
||||
|
||||
|
||||
def test_create_a_template_with_foreign_service_reply_to(admin_request, sample_user):
|
||||
service = create_service(service_permissions=['letter'])
|
||||
service2 = create_service(service_name='test service', email_from='test@example.com',
|
||||
service_permissions=['letter'])
|
||||
letter_contact = create_letter_contact(service2, "Edinburgh, ED1 1AA")
|
||||
data = {
|
||||
'name': 'my template',
|
||||
'subject': 'subject',
|
||||
'template_type': 'letter',
|
||||
'content': 'template <b>content</b>',
|
||||
'service': str(service.id),
|
||||
'created_by': str(sample_user.id),
|
||||
'reply_to': str(letter_contact.id),
|
||||
}
|
||||
|
||||
json_resp = admin_request.post('template.create_template', service_id=service.id, _data=data, _expected_status=400)
|
||||
|
||||
assert json_resp['message'] == "letter_contact_id {} does not exist in database for service id {}".format(
|
||||
str(letter_contact.id), str(service.id)
|
||||
)
|
||||
|
||||
|
||||
def test_get_template_reply_to(client, sample_letter_template):
|
||||
auth_header = create_authorization_header()
|
||||
letter_contact = create_letter_contact(sample_letter_template.service, "Edinburgh, ED1 1AA")
|
||||
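Review bot: The new negative test only covers `template_type: 'letter'` (and a `letter_contact`), while the commit description promises the same check for email and SMS reply-to objects; without an email and an SMS variant, a regression in either branch of `check_reply_to` would go unnoticed. Two further cases would pin the security property: a random UUID that exists nowhere should yield the identical 400 message, so the endpoint cannot be used to probe which ids exist, and a body whose `service` field names `service2` while the URL names `service` should still be rejected, since the check keys on the URL's `service_id`. The email/SMS variants can mirror this test using the corresponding reply-to factories for `service2`. The surrounding `test_get_template_reply_to` continues outside the hunk.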
@@ -621,6 +643,29 @@ def test_update_template_reply_to(client, sample_letter_template):
|
||||
assert template.reply_to == letter_contact.id
|
||||
|
||||
|
||||
def test_update_template_with_foreign_service_reply_to(client, sample_letter_template):
|
||||
auth_header = create_authorization_header()
|
||||
|
||||
service2 = create_service(service_name='test service', email_from='test@example.com',
|
||||
service_permissions=['letter'])
|
||||
letter_contact = create_letter_contact(service2, "Edinburgh, ED1 1AA")
|
||||
|
||||
data = {
|
||||
'reply_to': str(letter_contact.id),
|
||||
}
|
||||
|
||||
resp = client.post('/service/{}/template/{}'.format(sample_letter_template.service_id, sample_letter_template.id),
|
||||
data=json.dumps(data),
|
||||
headers=[('Content-Type', 'application/json'), auth_header])
|
||||
|
||||
assert resp.status_code == 400, resp.get_data(as_text=True)
|
||||
json_resp = json.loads(resp.get_data(as_text=True))
|
||||
|
||||
assert json_resp['message'] == "letter_contact_id {} does not exist in database for service id {}".format(
|
||||
str(letter_contact.id), str(sample_letter_template.service_id)
|
||||
)
|
||||
|
||||
|
||||
def test_update_redact_template(admin_request, sample_template):
|
||||
assert sample_template.redact_personalisation is False
|
||||
|
||||
|
||||
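Review bot: This test drives the endpoint through a raw `client.post` with a hand-built auth header, whereas the sibling create test added in the same commit uses the `admin_request` fixture; using `admin_request.post('template.update_template', service_id=..., template_id=..., _data=data, _expected_status=400)` here would make the two foreign-service tests read alike and drop the manual JSON encoding and status assertion. As with the create test, only the letter type is exercised, so an email and an SMS update with a foreign reply-to id are still missing.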