diff --git a/endpoints/api/user.py b/endpoints/api/user.py
index 93e77f47c..b03c5f87b 100644
--- a/endpoints/api/user.py
+++ b/endpoints/api/user.py
@@ -444,19 +444,19 @@ class ConvertToOrganization(ApiResource):
 user = get_authenticated_user()
 convert_data = request.get_json()
- # Ensure that the new admin user is the not user being converted.
- admin_username = convert_data['adminUser']
- if admin_username == user.username:
- raise request_error(reason='invaliduser',
- message='The admin user is not valid')
-
 # Ensure that the sign in credentials work.
+ admin_username = convert_data['adminUser']
 admin_password = convert_data['adminPassword']
 (admin_user, error_message) = authentication.verify_user(admin_username, admin_password)
 if not admin_user:
 raise request_error(reason='invaliduser',
 message='The admin user credentials are not valid')
+ # Ensure that the new admin user is the not user being converted.
+ if admin_user.id == user.id:
+ raise request_error(reason='invaliduser',
+ message='The admin user is not valid')
+
 # Subscribe the organization to the new plan.
 if features.BILLING:
 plan = convert_data.get('plan', 'free')
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index d82d344e4..6123aa1cc 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -307,6 +307,16 @@ class TestConvertToOrganization(ApiTestCase):
 self.assertEqual('The admin user is not valid', json['message'])
+ def test_sameadminuser_by_email(self):
+ self.login(READ_ACCESS_USER)
+ json = self.postJsonResponse(ConvertToOrganization,
+ data={'adminUser': 'no1@thanks.com',
+ 'adminPassword': 'password',
+ 'plan': 'free'},
+ expected_code=400)
+
+ self.assertEqual('The admin user is not valid', json['message'])
+
 def test_invalidadminuser(self):
 self.login(READ_ACCESS_USER)
 json = self.postJsonResponse(ConvertToOrganization,
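Review bot: The new `admin_username = convert_data['adminUser']` line, like the `adminPassword` lookup right below it, raises KeyError when the field is absent from the posted JSON, which surfaces as a server error rather than the 400 that the other validation failures in this hunk return; unless a JSON schema validator outside the hunk already requires both fields, read them with `.get()` and raise `request_error(reason='invaliduser', message='The admin user credentials are not valid')` when either is missing, so the credential check never runs on a None password. The `error_message` half of the `verify_user` tuple is never used after the added check moved the same-user comparison after it, so `(admin_user, _) = authentication.verify_user(admin_username, admin_password)` would make that explicit. The added comment `# Ensure that the new admin user is the not user being converted.` has its words swapped; `# Ensure that the new admin user is not the user being converted.` is what the `admin_user.id == user.id` check enforces. The enclosing method starts and ends outside the hunk.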