darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2026-02-01 07:35:34 -05:00
Code Issues Packages Projects Releases Wiki Activity

Validate that template reply_to belongs to template's service

Browse Source 
Checks that email/sms/letter reply to object has the same service_id
as the template it's being attached to, to make sure it's not possible
to retrieve data about return addresses for other services.
This commit is contained in:
Alexey Bezhan
2017-12-15 17:06:11 +00:00
parent 509441f1d9
commit da247680a4
2 changed files with 51 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
tests/app/template/test_rest.py
View File

@@ -588,6 +588,28 @@ def test_create_a_template_with_reply_to(admin_request, sample_user):
assert sorted(json_resp['data']) == sorted(template_schema.dump(template).data)
def test_create_a_template_with_foreign_service_reply_to(admin_request, sample_user):
service = create_service(service_permissions=['letter'])
service2 = create_service(service_name='test service', email_from='test@example.com',
service_permissions=['letter'])
letter_contact = create_letter_contact(service2, "Edinburgh, ED1 1AA")
data = {
'name': 'my template',
'subject': 'subject',
'template_type': 'letter',
'content': 'template <b>content</b>',
'service': str(service.id),
'created_by': str(sample_user.id),
'reply_to': str(letter_contact.id),
}
json_resp = admin_request.post('template.create_template', service_id=service.id, _data=data, _expected_status=400)
assert json_resp['message'] == "letter_contact_id {} does not exist in database for service id {}".format(
str(letter_contact.id), str(service.id)
)
def test_get_template_reply_to(client, sample_letter_template):
auth_header = create_authorization_header()
letter_contact = create_letter_contact(sample_letter_template.service, "Edinburgh, ED1 1AA")
@@ -621,6 +643,29 @@ def test_update_template_reply_to(client, sample_letter_template):
assert template.reply_to == letter_contact.id
def test_update_template_with_foreign_service_reply_to(client, sample_letter_template):
auth_header = create_authorization_header()
service2 = create_service(service_name='test service', email_from='test@example.com',
service_permissions=['letter'])
letter_contact = create_letter_contact(service2, "Edinburgh, ED1 1AA")
data = {
'reply_to': str(letter_contact.id),
}
resp = client.post('/service/{}/template/{}'.format(sample_letter_template.service_id, sample_letter_template.id),
data=json.dumps(data),
headers=[('Content-Type', 'application/json'), auth_header])
assert resp.status_code == 400, resp.get_data(as_text=True)
json_resp = json.loads(resp.get_data(as_text=True))
assert json_resp['message'] == "letter_contact_id {} does not exist in database for service id {}".format(
str(letter_contact.id), str(sample_letter_template.service_id)
)
def test_update_redact_template(admin_request, sample_template):
assert sample_template.redact_personalisation is False