fix: Only authenticated users can approve story map invite with token

techmatters · Oct 4, 2023 · 64911e3 · 64911e3
1 parent 445522a
commit 64911e3
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 26 deletions.
diff --git a/terraso_backend/apps/graphql/schema/story_maps.py b/terraso_backend/apps/graphql/schema/story_maps.py
@@ -37,12 +37,7 @@
 from apps.story_map.notifications import send_memberships_invite_email
 from apps.story_map.services import story_map_media_upload_service
 
-from .commons import (
-    BaseAuthenticatedMutation,
-    BaseDeleteMutation,
-    BaseUnauthenticatedMutation,
-    TerrasoConnection,
-)
+from .commons import BaseAuthenticatedMutation, BaseDeleteMutation, TerrasoConnection
 from .constants import MutationTypes
 
 logger = structlog.get_logger(__name__)
@@ -290,7 +285,7 @@ def validate(context):
         return cls(memberships=[membership["membership"] for membership in memberships])
 
 
-class StoryMapMembershipApproveTokenMutation(BaseUnauthenticatedMutation):
+class StoryMapMembershipApproveTokenMutation(BaseAuthenticatedMutation):
     model_class = Membership
     membership = graphene.Field(CollaborationMembershipNode)
     story_map = graphene.Field(StoryMapNode)

diff --git a/terraso_backend/apps/story_map/permission_rules.py b/terraso_backend/apps/story_map/permission_rules.py
@@ -76,21 +76,11 @@ def allowed_to_approve_story_map_membership(user, obj):
     return is_user_membership
 
 
-# This rule is used to check if the user is allowed to approve a membership
-# with a token. This is used when the user is not logged in or when the user
-# is logged in but the membership is associated with the user.
 @rules.predicate
 def allowed_to_approve_story_map_membership_with_token(user, obj):
     membership = obj.get("membership")
     request_user = user
-
-    if membership.pending_email is not None:
-        return request_user.is_anonymous
-
-    if request_user.is_anonymous or request_user.id == membership.user.id:
-        return True
-
-    return False
+    return request_user.id == membership.user.id
 
 
 @rules.predicate

diff --git a/terraso_backend/tests/graphql/mutations/test_story_map_mutations.py b/terraso_backend/tests/graphql/mutations/test_story_map_mutations.py
@@ -427,10 +427,8 @@ def test_story_map_approve_membership_with_token_for_registered_user(
 def test_story_map_approve_membership_with_token_for_unregistered_user(
     client_query_no_token,
     story_map_user_memberships_not_registered_approve_tokens,
-    story_map_user_memberships_not_registered,
 ):
     token = story_map_user_memberships_not_registered_approve_tokens[0]
-    membership = story_map_user_memberships_not_registered[0]
 
     response = client_query_no_token(
         """
@@ -454,12 +452,10 @@ def test_story_map_approve_membership_with_token_for_unregistered_user(
     )
     json_response = response.json()
 
-    assert json_response["data"]["approveStoryMapMembershipToken"]["errors"] is None
-
-    response_membership = json_response["data"]["approveStoryMapMembershipToken"]["membership"]
-
-    assert response_membership["id"] == str(membership.id)
-    assert response_membership["membershipStatus"] == "APPROVED"
+    assert "errors" in json_response["data"]["approveStoryMapMembershipToken"]
+    error_result = json_response["data"]["approveStoryMapMembershipToken"]["errors"][0]["message"]
+    json_error = json.loads(error_result)
+    assert json_error[0]["code"] == "unauthorized"
 
 
 def test_story_map_approve_membership_with_token_for_registered_user_fails_due_user_mismatch(