From da247680a420b0af0de71ee6d44454b2f2e38b16 Mon Sep 17 00:00:00 2001
From: Alexey Bezhan
Date: Fri, 15 Dec 2017 17:06:11 +0000
Subject: [PATCH] Validate that template reply_to belongs to template's service

Checks that email/sms/letter reply to object has the same service_id as the template it's being attached to, to make sure it's not possible to retrieve data about return addresses for other services.
---
 app/template/rest.py | 7 ++++-
 tests/app/template/test_rest.py | 45 +++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/app/template/rest.py b/app/template/rest.py
index 1f869fb5d..3f03ece60 100644
--- a/app/template/rest.py
+++ b/app/template/rest.py
@@ -16,7 +16,7 @@ from app.dao.templates_dao import (
 from notifications_utils.template import SMSMessageTemplate
 from app.dao.services_dao import dao_fetch_service_by_id
 from app.models import SMS_TYPE
-from app.notifications.validators import service_has_permission
+from app.notifications.validators import service_has_permission, check_reply_to
 from app.schemas import (template_schema, template_history_schema)
 from app.errors import (
     register_errors,
@@ -58,6 +58,8 @@ def create_template(service_id):
         errors = {'content': [message]}
         raise InvalidRequest(errors, status_code=400)
 
+    check_reply_to(service_id, new_template.reply_to, new_template.template_type)
+
     dao_create_template(new_template)
     return jsonify(data=template_schema.dump(new_template).data), 201
 
@@ -93,6 +95,9 @@ def update_template(service_id, template_id):
         message = 'Content has a character count greater than the limit of {}'.format(char_count_limit)
         errors = {'content': [message]}
         raise InvalidRequest(errors, status_code=400)
+
+    check_reply_to(service_id, update_dict.reply_to, fetched_template.template_type)
+
     dao_update_template(update_dict)
     return jsonify(data=template_schema.dump(update_dict).data), 200
 
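Review bot: Both new `check_reply_to` calls key the ownership lookup on the URL's `service_id` rather than on the template object being stored — `new_template.reply_to` in create_template and `update_dict.reply_to` in update_template. If the handler does not already enforce that the request body's `service` field equals the path service (that part of the function is not visible in this hunk), a body naming a different service would be checked against the wrong owner; binding the call to the object itself, `check_reply_to(new_template.service_id, new_template.reply_to, new_template.template_type)`, removes that dependency and the same applies to the update_template call. Either way the intent deserves a why-comment at both call sites, e.g. `# reject reply_to ids owned by another service so contact data of other services cannot be read back via a template`. Both create_template and update_template begin outside the hunk.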
diff --git a/tests/app/template/test_rest.py b/tests/app/template/test_rest.py
index f754baa24..8f32458f1 100644
--- a/tests/app/template/test_rest.py
+++ b/tests/app/template/test_rest.py
@@ -588,6 +588,28 @@ def test_create_a_template_with_reply_to(admin_request, sample_user):
     assert sorted(json_resp['data']) == sorted(template_schema.dump(template).data)
 
 
+def test_create_a_template_with_foreign_service_reply_to(admin_request, sample_user):
+    service = create_service(service_permissions=['letter'])
+    service2 = create_service(service_name='test service', email_from='test@example.com',
+                              service_permissions=['letter'])
+    letter_contact = create_letter_contact(service2, "Edinburgh, ED1 1AA")
+    data = {
+        'name': 'my template',
+        'subject': 'subject',
+        'template_type': 'letter',
+        'content': 'template content',
+        'service': str(service.id),
+        'created_by': str(sample_user.id),
+        'reply_to': str(letter_contact.id),
+    }
+
+    json_resp = admin_request.post('template.create_template', service_id=service.id, _data=data, _expected_status=400)
+
+    assert json_resp['message'] == "letter_contact_id {} does not exist in database for service id {}".format(
+        str(letter_contact.id), str(service.id)
+    )
+
+
 def test_get_template_reply_to(client, sample_letter_template):
     auth_header = create_authorization_header()
     letter_contact = create_letter_contact(sample_letter_template.service, "Edinburgh, ED1 1AA")
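Review bot: The new test exercises only the letter template type, while the commit message claims the check covers email, sms and letter reply-to objects; only the `letter_contact_id … does not exist in database for service id …` rejection is pinned. A regression in the email or sms branch of check_reply_to would therefore go unnoticed; parametrizing the test over template_type, or adding two sibling tests that create the foreign-service reply-to object of each kind and assert the 400, would close that gap. The same coverage gap applies to test_update_template_with_foreign_service_reply_to in the next hunk.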
@@ -621,6 +643,29 @@ def test_update_template_reply_to(client, sample_letter_template):
     assert template.reply_to == letter_contact.id
 
 
+def test_update_template_with_foreign_service_reply_to(client, sample_letter_template):
+    auth_header = create_authorization_header()
+
+    service2 = create_service(service_name='test service', email_from='test@example.com',
+                              service_permissions=['letter'])
+    letter_contact = create_letter_contact(service2, "Edinburgh, ED1 1AA")
+
+    data = {
+        'reply_to': str(letter_contact.id),
+    }
+
+    resp = client.post('/service/{}/template/{}'.format(sample_letter_template.service_id, sample_letter_template.id),
+                       data=json.dumps(data),
+                       headers=[('Content-Type', 'application/json'), auth_header])
+
+    assert resp.status_code == 400, resp.get_data(as_text=True)
+    json_resp = json.loads(resp.get_data(as_text=True))
+
+    assert json_resp['message'] == "letter_contact_id {} does not exist in database for service id {}".format(
+        str(letter_contact.id), str(sample_letter_template.service_id)
+    )
+
+
 def test_update_redact_template(admin_request, sample_template):
     assert sample_template.redact_personalisation is False