Fix attempts to confirm team invite for mismatched email address

Currently, if a user tries to confirm an invite sent to them on an account with a mismatching email address, we simply redirect to the org (where they get a 403). This change ensures they get the proper error response message, and restyles the error page to be nicer. Fixes #2227 Fixes https://www.pivotaltracker.com/story/show/136088507
2016-12-15 17:15:11 -05:00 · 2016-12-15 17:15:11 -05:00 · 785c74de52
commit 785c74de52
parent 2730c26b2e
3 changed files with 118 additions and 10 deletions
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@ -30,7 +30,7 @@ from data.database import RepositoryActionCount, Repository as RepositoryTable
 from test.helpers import assert_action_logged

 from endpoints.api.team import (TeamMember, TeamMemberList, TeamMemberInvite, OrganizationTeam,
-                                TeamPermissions)
+                                TeamPermissions, InviteTeamMember)
 from endpoints.api.tag import RepositoryTagImages, RepositoryTag, RevertTag, ListRepositoryTags
 from endpoints.api.search import EntitySearch, ConductSearch
 from endpoints.api.image import RepositoryImage, RepositoryImageList
@ -1556,7 +1556,102 @@ class TestAcceptTeamMemberInvite(ApiTestCase):
                     params=dict(code=invites[0].invite_token),
                     expected_code=400)

+  def test_accept_via_email(self):
+    self.login(ADMIN_ACCESS_USER)

+    # Create the invite.
+    member = model.user.get_user(NO_ACCESS_USER)
+    response = self.putJsonResponse(InviteTeamMember,
+                                    params=dict(orgname=ORGANIZATION, teamname='owners',
+                                                email=member.email))
+
+    self.assertEquals(True, response['invited'])
+
+    # Login as the user.
+    self.login(member.username)
+
+    # Accept the invite.
+    invites = list(model.team.lookup_team_invites_by_email(member.email))
+    self.assertEquals(1, len(invites))
+
+    self.putJsonResponse(TeamMemberInvite, params=dict(code=invites[0].invite_token))
+
+    # Verify the user is now on the team.
+    json = self.getJsonResponse(TeamMemberList,
+                                params=dict(orgname=ORGANIZATION,
+                                            teamname='owners'))
+
+    self.assertInTeam(json, member.username)
+
+    # Verify the accept now fails.
+    self.putResponse(TeamMemberInvite,
+                     params=dict(code=invites[0].invite_token),
+                     expected_code=400)
+
+
+  def test_accept_invite_different_user(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Create the invite.
+    response = self.putJsonResponse(TeamMember,
+                                    params=dict(orgname=ORGANIZATION, teamname='owners',
+                                                membername=NO_ACCESS_USER))
+
+    self.assertEquals(True, response['invited'])
+
+    # Login as a different user.
+    self.login(PUBLIC_USER)
+
+    # Try to accept the invite.
+    user = model.user.get_user(NO_ACCESS_USER)
+    invites = list(model.team.lookup_team_invites(user))
+    self.assertEquals(1, len(invites))
+
+    self.putResponse(TeamMemberInvite, params=dict(code=invites[0].invite_token),
+                     expected_code=400)
+
+    # Ensure the invite is still valid.
+    user = model.user.get_user(NO_ACCESS_USER)
+    invites = list(model.team.lookup_team_invites(user))
+    self.assertEquals(1, len(invites))
+
+    # Ensure the user is *not* a member of the team.
+    self.login(ADMIN_ACCESS_USER)
+    json = self.getJsonResponse(TeamMemberList,
+                                params=dict(orgname=ORGANIZATION,
+                                            teamname='owners'))
+    self.assertNotInTeam(json, PUBLIC_USER)
+
+  def test_accept_invite_different_email(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Create the invite.
+    response = self.putJsonResponse(InviteTeamMember,
+                                    params=dict(orgname=ORGANIZATION, teamname='owners',
+                                                email='someemail@example.com'))
+
+    self.assertEquals(True, response['invited'])
+
+    # Login as a different user.
+    self.login(PUBLIC_USER)
+
+    # Try to accept the invite.
+    invites = list(model.team.lookup_team_invites_by_email('someemail@example.com'))
+    self.assertEquals(1, len(invites))
+
+    self.putResponse(TeamMemberInvite, params=dict(code=invites[0].invite_token),
+                     expected_code=400)
+
+    # Ensure the invite is still valid.
+    invites = list(model.team.lookup_team_invites_by_email('someemail@example.com'))
+    self.assertEquals(1, len(invites))
+
+    # Ensure the user is *not* a member of the team.
+    self.login(ADMIN_ACCESS_USER)
+    json = self.getJsonResponse(TeamMemberList,
+                                params=dict(orgname=ORGANIZATION,
+                                            teamname='owners'))
+    self.assertNotInTeam(json, PUBLIC_USER)

 class TestDeclineTeamMemberInvite(ApiTestCase):
  def test_decline_wronguser(self):