invitation can only be accepted by user with matching DOD ID

2018-10-31 10:42:01 -04:00
parent 0ee47f5ac4
commit b3cd08a64f
5 changed files with 47 additions and 9 deletions
--- a/atst/domain/invitations.py
+++ b/atst/domain/invitations.py
@@ -8,6 +8,15 @@ from atst.domain.workspace_users import WorkspaceUsers
 from .exceptions import NotFoundError


+class WrongUserError(Exception):
+    def __init__(self, user, invite):
+        self.user = user
+        self.invite = invite
+
+    @property
+    def message(self):
+        return "User {} with DOD ID {} does not match expected DOD ID {} for invitation {}".format(self.user.id, self.user.dod_id, self.invite.user.dod_id, self.invite.id)
+
 class InvitationError(Exception):
    def __init__(self, invite):
        self.invite = invite
@@ -45,9 +54,12 @@ class Invitations(object):
        return invite

    @classmethod
-    def accept(cls, token):
+    def accept(cls, user, token):
        invite = Invitations._get(token)

+        if invite.user.dod_id != user.dod_id:
+            raise WrongUserError(user, invite)
+
        if invite.is_expired:
            invite.status = InvitationStatus.REJECTED
        elif invite.is_pending:
--- a/atst/routes/errors.py
+++ b/atst/routes/errors.py
@@ -3,7 +3,7 @@ from flask_wtf.csrf import CSRFError
 import werkzeug.exceptions as werkzeug_exceptions

 import atst.domain.exceptions as exceptions
-from atst.domain.invitations import InvitationError
+from atst.domain.invitations import InvitationError, WrongUserError as InvitationWrongUserError


 def make_error_pages(app):
@@ -43,12 +43,13 @@ def make_error_pages(app):
        )

    @app.errorhandler(InvitationError)
+    @app.errorhandler(InvitationWrongUserError)
    # pylint: disable=unused-variable
    def invalid_invitation(e):
        log_error(e)
        return (
            render_template(
-                "error.html", message="The invitation link you clicked is invalid."
+                "error.html", message="The link you followed is invalid."
            ),
            404,
        )
--- a/atst/routes/workspaces.py
+++ b/atst/routes/workspaces.py
@@ -363,7 +363,7 @@ def update_member(workspace_id, member_id):
 def accept_invitation(token):
    # TODO: check that the current_user DOD ID matches the user associated with
    # the invitation
-    invite = Invitations.accept(token)
+    invite = Invitations.accept(g.current_user, token)

    return redirect(
        url_for("workspaces.show_workspace", workspace_id=invite.workspace.id)