Merge pull request #1142 from dod-ccpo/bugfix/revoke-deleted-user

Bugfix: Invited but disabled portfolio member shouldn't be able to reactivate self
2019-10-29 11:53:58 -04:00 · 2019-10-29 11:53:58 -04:00 · 3456f37396
commit 3456f37396
parent 27df678aaf 5526356938
3 changed files with 13 additions and 11 deletions
--- a/atst/domain/invitations.py
+++ b/atst/domain/invitations.py
@ -114,7 +114,9 @@ class BaseInvitations(object):
    @classmethod
    def revoke(cls, token):
        invite = cls._get(token)
-        return cls._update_status(invite, InvitationStatus.REVOKED)
+        invite = cls._update_status(invite, InvitationStatus.REVOKED)
+        cls.role_domain_class.disable(invite.role)
+        return invite

    @classmethod
    def resend(cls, inviter, token, user_info=None):
@ -142,9 +144,3 @@ class PortfolioInvitations(BaseInvitations):
 class ApplicationInvitations(BaseInvitations):
    model = ApplicationInvitation
    role_domain_class = ApplicationRoles
-
-    @classmethod
-    def revoke(cls, token):
-        invite = super().revoke(token)
-        ApplicationRoles.disable(invite.role)
-        return invite
--- a/atst/routes/portfolios/admin.py
+++ b/atst/routes/portfolios/admin.py
@ -3,6 +3,8 @@ from flask import render_template, request as http_request, g, redirect, url_for
 from . import portfolios_bp
 from atst.domain.portfolios import Portfolios
 from atst.domain.portfolio_roles import PortfolioRoles
+from atst.models.portfolio_role import Status as PortfolioRoleStatus
+from atst.domain.invitations import PortfolioInvitations
 from atst.domain.permission_sets import PermissionSets
 from atst.domain.audit_log import AuditLog
 from atst.domain.common import Paginator
@ -184,8 +186,12 @@ def remove_member(portfolio_id, portfolio_role_id):
            g.current_user, "you can't delete the portfolios PPoC from the portfolio"
        )

-    # TODO: should this cascade and disable any application and environment
-    # roles they might have?
+    if (
+        portfolio_role.latest_invitation
+        and portfolio_role.status == PortfolioRoleStatus.PENDING
+    ):
+        PortfolioInvitations.revoke(portfolio_role.latest_invitation.token)
+    else:
        PortfolioRoles.disable(portfolio_role=portfolio_role)

    flash("portfolio_member_removed", member_name=portfolio_role.full_name)
--- a/tests/domain/test_invitations.py
+++ b/tests/domain/test_invitations.py
@ -134,7 +134,7 @@ def test_revoke_invitation():
    assert invite.is_pending
    PortfolioInvitations.revoke(invite.token)
    assert invite.is_revoked
-    assert invite.role.status == PortfolioRoleStatus.PENDING
+    assert invite.role.status == PortfolioRoleStatus.DISABLED


 def test_resend_invitation(session):