Add feature flag to allow users to be created only if invited to join a team

Allows for open user creation, but only if extended an invitation by someone who already has access
2017-09-14 15:34:41 -04:00 · 2017-09-14 15:34:41 -04:00 · 804d3c46c3
commit 804d3c46c3
parent c44cc072fa
8 changed files with 112 additions and 4 deletions
--- a/data/users/federated.py
+++ b/data/users/federated.py
@ -4,6 +4,7 @@ import features
 from collections import namedtuple

 from data import model
+from data.users.shared import can_create_user
 from util.validation import generate_valid_usernames

 logger = logging.getLogger(__name__)
@ -99,7 +100,7 @@ class FederatedUsers(object):
    db_user = model.user.verify_federated_login(self._federated_service, username)
    if not db_user:
      # We must create the user in our db. Check to see if this is allowed.
-      if not features.USER_CREATION:
+      if not can_create_user(email):
        return (None, DISABLED_MESSAGE)

      valid_username = None
--- a/data/users/shared.py
+++ b/data/users/shared.py
@ -0,0 +1,18 @@
+import features
+
+from data import model
+
+def can_create_user(email_address):
+  """ Returns true if a user with the specified e-mail address can be created. """
+  if not features.USER_CREATION:
+    return False
+
+  if features.INVITE_ONLY_USER_CREATION:
+    if not email_address:
+      return False
+
+    # Check to see that there is an invite for the e-mail address.
+    return bool(model.team.lookup_team_invites_by_email(email_address))
+
+  # Otherwise the user can be created (assuming it doesn't already exist, of course)
+  return True
--- a/data/users/test/test_shared.py
+++ b/data/users/test/test_shared.py
@ -0,0 +1,38 @@
+import pytest
+
+from mock import patch
+
+from data.database import model
+from data.users.shared import can_create_user
+
+from test.fixtures import *
+
+@pytest.mark.parametrize('open_creation, invite_only, email, has_invite, can_create', [
+  # Open user creation => always allowed.
+  (True, False, None, False, True),
+
+  # Open user creation => always allowed.
+  (True, False, 'foo@example.com', False, True),
+
+  # Invite only user creation + no invite => disallowed.
+  (True, True, None, False, False),
+
+  # Invite only user creation + no invite => disallowed.
+  (True, True, 'foo@example.com', False, False),
+
+  # Invite only user creation + invite => allowed.
+  (True, True, 'foo@example.com', True, True),
+
+  # No open creation => Disallowed.
+  (False, True, 'foo@example.com', False, False),
+  (False, True, 'foo@example.com', True, False),
+])
+def test_can_create_user(open_creation, invite_only, email, has_invite, can_create, app):
+  if has_invite:
+    inviter = model.user.get_user('devtable')
+    team = model.team.get_organization_team('buynlarge', 'owners')
+    model.team.add_or_invite_to_team(inviter, team, email=email)
+
+  with patch('features.USER_CREATION', open_creation):
+    with patch('features.INVITE_ONLY_USER_CREATION', invite_only):
+      assert can_create_user(email) == can_create