Only allow users matching the team invite to accept, if the invite was specified for a user (rather than an email)

2014-09-12 14:29:01 -04:00 · 2014-09-12 14:29:01 -04:00 · 10faa7de84
commit 10faa7de84
parent c5ca46a14b
7 changed files with 24 additions and 21 deletions
--- a/data/model/legacy.py
+++ b/data/model/legacy.py
@ -1988,6 +1988,12 @@ def delete_team_invite(code, user=None):
 def confirm_team_invite(code, user):
  found = lookup_team_invite(code)

+  # If the invite is for a specific user, we have to confirm that here.
+  if found.user is not None and found.user != user:
+    message = """This invite is intended for user "%s". 
+                 Please login to that account and try again.""" % found.user.username
+    raise DataModelException(message)
+
  # Add the user to the team.
  try:
    add_user_to_team(user, found.team)
--- a/endpoints/api/team.py
+++ b/endpoints/api/team.py
@ -11,10 +11,7 @@ from util.useremails import send_org_invite_email
 from util.gravatar import compute_hash

 def try_accept_invite(code, user):
-  try:
-    (team, inviter) = model.confirm_team_invite(code, user)
-  except model.DataModelException:
-    return None
+  (team, inviter) = model.confirm_team_invite(code, user)

  model.delete_matching_notifications(user, 'org_team_invite', code=code)

@ -355,10 +352,7 @@ class TeamMemberInvite(ApiResource):
  @require_user_admin
  def delete(self, code):
    """ Delete an existing member of a team. """
-    try:
-      (team, inviter) = model.delete_team_invite(code, get_authenticated_user())
-    except model.DataModelException:
-      raise NotFound()
+    (team, inviter) = model.delete_team_invite(code, get_authenticated_user())

    model.delete_matching_notifications(get_authenticated_user(), 'org_team_invite', code=code)

--- a/endpoints/api/user.py
+++ b/endpoints/api/user.py
@ -215,7 +215,10 @@ class User(ApiResource):
      if parsed_invite is not None:
        if parsed_invite[0] == 'teaminvite':
          # Add the user to the team.
-          try_accept_invite(invite_code, new_user)
+          try:
+            try_accept_invite(invite_code, new_user)
+          except model.DataModelException:
+            pass

      return 'Created', 201
    except model.TooManyUsersException as ex:
--- a/static/js/controllers.js
+++ b/static/js/controllers.js
@ -2785,9 +2785,9 @@ function ConfirmInviteCtrl($scope, $location, UserService, ApiService, Notificat
      ApiService.acceptOrganizationTeamInvite(null, params).then(function(resp) {
        NotificationService.update();
        $location.path('/organization/' + resp.org + '/teams/' + resp.team);
-      }, function() {
+      }, function(resp) {
        $scope.loading = false;
-        $scope.invalid = true;
+        $scope.invalid = ApiService.getErrorMessage(resp, 'Invalid confirmation code');
      });
    }
  });
--- a/static/partials/confirm-invite.html
+++ b/static/partials/confirm-invite.html
@ -7,7 +7,7 @@
        </div>        
        <div class="quay-spinner" ng-show="!user.anonymous && loading"></div>
        <div class="alert alert-danger" ng-show="!user.anonymous && invalid">
-          Invalid confirmation code
+          {{ invalid }}
        </div>
      </div>
    </div>
--- a/test/test_api_security.py
+++ b/test/test_api_security.py
@ -3518,25 +3518,25 @@ class TestTeamMemberInvite(ApiTestCase):
    self._run_test('PUT', 401, None, None)

  def test_put_freshuser(self):
-    self._run_test('PUT', 404, 'freshuser', None)
+    self._run_test('PUT', 400, 'freshuser', None)

  def test_put_reader(self):
-    self._run_test('PUT', 404, 'reader', None)
+    self._run_test('PUT', 400, 'reader', None)

  def test_put_devtable(self):
-    self._run_test('PUT', 404, 'devtable', None)
+    self._run_test('PUT', 400, 'devtable', None)

  def test_delete_anonymous(self):
    self._run_test('DELETE', 401, None, None)

  def test_delete_freshuser(self):
-    self._run_test('DELETE', 404, 'freshuser', None)
+    self._run_test('DELETE', 400, 'freshuser', None)

  def test_delete_reader(self):
-    self._run_test('DELETE', 404, 'reader', None)
+    self._run_test('DELETE', 400, 'reader', None)

  def test_delete_devtable(self):
-    self._run_test('DELETE', 404, 'devtable', None)
+    self._run_test('DELETE', 400, 'devtable', None)


 class TestSuperUserList(ApiTestCase):
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@ -891,7 +891,7 @@ class TestAcceptTeamMemberInvite(ApiTestCase):
    # Verify the accept now fails.
    self.putResponse(TeamMemberInvite,
                     params=dict(code=invites[0].invite_token),
-                     expected_code=404)
+                     expected_code=400)



@ -914,7 +914,7 @@ class TestDeclineTeamMemberInvite(ApiTestCase):

    self.deleteResponse(TeamMemberInvite,
                        params=dict(code=invites[0].invite_token),
-                        expected_code=404)
+                        expected_code=400)


  def test_decline(self):
@ -942,7 +942,7 @@ class TestDeclineTeamMemberInvite(ApiTestCase):
    # Make sure the invite was deleted.
    self.deleteResponse(TeamMemberInvite,
                        params=dict(code=invites[0].invite_token),
-                        expected_code=404)
+                        expected_code=400)


 class TestDeleteOrganizationTeamMember(ApiTestCase):