Merge pull request #2240 from coreos-inc/wrong-email-invite-accept

Fix attempts to confirm team invite for mismatched email address

test/test_api_usage.py

@@ -30,7 +30,7 @@ from test.helpers import assert_action_logged
 from util.secscan.fake import fake_security_scanner
 
 from endpoints.api.team import (TeamMember, TeamMemberList, TeamMemberInvite, OrganizationTeam,
-                                TeamPermissions)
+                                TeamPermissions, InviteTeamMember)
 from endpoints.api.tag import RepositoryTagImages, RepositoryTag, RevertTag, ListRepositoryTags
 from endpoints.api.search import EntitySearch, ConductSearch
 from endpoints.api.image import RepositoryImage, RepositoryImageList
@@ -1556,7 +1556,102 @@ class TestAcceptTeamMemberInvite(ApiTestCase):
                      params=dict(code=invites[0].invite_token),
                      expected_code=400)
 
+  def test_accept_via_email(self):
+    self.login(ADMIN_ACCESS_USER)
 
+    # Create the invite.
+    member = model.user.get_user(NO_ACCESS_USER)
+    response = self.putJsonResponse(InviteTeamMember,
+                                    params=dict(orgname=ORGANIZATION, teamname='owners',
+                                                email=member.email))
+
+    self.assertEquals(True, response['invited'])
+
+    # Login as the user.
+    self.login(member.username)
+
+    # Accept the invite.
+    invites = list(model.team.lookup_team_invites_by_email(member.email))
+    self.assertEquals(1, len(invites))
+
+    self.putJsonResponse(TeamMemberInvite, params=dict(code=invites[0].invite_token))
+
+    # Verify the user is now on the team.
+    json = self.getJsonResponse(TeamMemberList,
+                                params=dict(orgname=ORGANIZATION,
+                                            teamname='owners'))
+
+    self.assertInTeam(json, member.username)
+
+    # Verify the accept now fails.
+    self.putResponse(TeamMemberInvite,
+                     params=dict(code=invites[0].invite_token),
+                     expected_code=400)
+
+
+  def test_accept_invite_different_user(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Create the invite.
+    response = self.putJsonResponse(TeamMember,
+                                    params=dict(orgname=ORGANIZATION, teamname='owners',
+                                                membername=NO_ACCESS_USER))
+
+    self.assertEquals(True, response['invited'])
+
+    # Login as a different user.
+    self.login(PUBLIC_USER)
+
+    # Try to accept the invite.
+    user = model.user.get_user(NO_ACCESS_USER)
+    invites = list(model.team.lookup_team_invites(user))
+    self.assertEquals(1, len(invites))
+
+    self.putResponse(TeamMemberInvite, params=dict(code=invites[0].invite_token),
+                     expected_code=400)
+
+    # Ensure the invite is still valid.
+    user = model.user.get_user(NO_ACCESS_USER)
+    invites = list(model.team.lookup_team_invites(user))
+    self.assertEquals(1, len(invites))
+
+    # Ensure the user is *not* a member of the team.
+    self.login(ADMIN_ACCESS_USER)
+    json = self.getJsonResponse(TeamMemberList,
+                                params=dict(orgname=ORGANIZATION,
+                                            teamname='owners'))
+    self.assertNotInTeam(json, PUBLIC_USER)
+
+  def test_accept_invite_different_email(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Create the invite.
+    response = self.putJsonResponse(InviteTeamMember,
+                                    params=dict(orgname=ORGANIZATION, teamname='owners',
+                                                email='someemail@example.com'))
+
+    self.assertEquals(True, response['invited'])
+
+    # Login as a different user.
+    self.login(PUBLIC_USER)
+
+    # Try to accept the invite.
+    invites = list(model.team.lookup_team_invites_by_email('someemail@example.com'))
+    self.assertEquals(1, len(invites))
+
+    self.putResponse(TeamMemberInvite, params=dict(code=invites[0].invite_token),
+                     expected_code=400)
+
+    # Ensure the invite is still valid.
+    invites = list(model.team.lookup_team_invites_by_email('someemail@example.com'))
+    self.assertEquals(1, len(invites))
+
+    # Ensure the user is *not* a member of the team.
+    self.login(ADMIN_ACCESS_USER)
+    json = self.getJsonResponse(TeamMemberList,
+                                params=dict(orgname=ORGANIZATION,
+                                            teamname='owners'))
+    self.assertNotInTeam(json, PUBLIC_USER)
 
 class TestDeclineTeamMemberInvite(ApiTestCase):
   def test_decline_wronguser(self):