From 64911e373ca03977e065428aa4b8ce0094254e7e Mon Sep 17 00:00:00 2001
From: Jose Buitron
Date: Tue, 3 Oct 2023 14:19:49 -0500
Subject: [PATCH] fix: Only authenticated users can approve story map invite with token

---
 terraso_backend/apps/graphql/schema/story_maps.py | 9 ++-------
 terraso_backend/apps/story_map/permission_rules.py | 12 +-----------
 .../graphql/mutations/test_story_map_mutations.py | 12 ++++--------
 3 files changed, 7 insertions(+), 26 deletions(-)

diff --git a/terraso_backend/apps/graphql/schema/story_maps.py b/terraso_backend/apps/graphql/schema/story_maps.py
index 0f6cdd975..a1a0cc4bd 100644
--- a/terraso_backend/apps/graphql/schema/story_maps.py
+++ b/terraso_backend/apps/graphql/schema/story_maps.py
@@ -37,12 +37,7 @@ from apps.story_map.notifications import send_memberships_invite_email
 from apps.story_map.services import story_map_media_upload_service
 
 
-from .commons import (
-    BaseAuthenticatedMutation,
-    BaseDeleteMutation,
-    BaseUnauthenticatedMutation,
-    TerrasoConnection,
-)
+from .commons import BaseAuthenticatedMutation, BaseDeleteMutation, TerrasoConnection
 from .constants import MutationTypes
 
 logger = structlog.get_logger(__name__)
@@ -290,7 +285,7 @@ def validate(context):
         return cls(memberships=[membership["membership"] for membership in memberships])
 
 
-class StoryMapMembershipApproveTokenMutation(BaseUnauthenticatedMutation):
+class StoryMapMembershipApproveTokenMutation(BaseAuthenticatedMutation):
     model_class = Membership
     membership = graphene.Field(CollaborationMembershipNode)
     story_map = graphene.Field(StoryMapNode)
diff --git a/terraso_backend/apps/story_map/permission_rules.py b/terraso_backend/apps/story_map/permission_rules.py
index 0914c4d6a..c337950ed 100644
--- a/terraso_backend/apps/story_map/permission_rules.py
+++ b/terraso_backend/apps/story_map/permission_rules.py
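Review bot: The class now inherits BaseAuthenticatedMutation but carries no docstring, so the only record of the tightened access rule is the commit subject; the body of its mutate_and_get_payload is outside this hunk, and any branch there that still handles an anonymous caller or a pending_email invite (the removed BaseUnauthenticatedMutation base implies such a path existed) is now unreachable and worth pruning or re-checking. I would add a class docstring such as `"""Approve a story-map membership invite from its token; the caller must be signed in as the user the membership belongs to."""`. A client that previously called this mutation before logging in will now get an unauthorized error instead of an approval, which the schema description of the mutation should state so the behaviour change is visible in the API, not only in the permission rule.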
@@ -76,21 +76,11 @@ def allowed_to_approve_story_map_membership(user, obj):
     return is_user_membership
 
 
-# This rule is used to check if the user is allowed to approve a membership
-# with a token. This is used when the user is not logged in or when the user
-# is logged in but the membership is associated with the user.
 @rules.predicate
 def allowed_to_approve_story_map_membership_with_token(user, obj):
     membership = obj.get("membership")
     request_user = user
-
-    if membership.pending_email is not None:
-        return request_user.is_anonymous
-
-    if request_user.is_anonymous or request_user.id == membership.user.id:
-        return True
-
-    return False
+    return request_user.id == membership.user.id
 
 
 @rules.predicate
diff --git a/terraso_backend/tests/graphql/mutations/test_story_map_mutations.py b/terraso_backend/tests/graphql/mutations/test_story_map_mutations.py
index 81b969b19..9c3cf38ba 100644
--- a/terraso_backend/tests/graphql/mutations/test_story_map_mutations.py
+++ b/terraso_backend/tests/graphql/mutations/test_story_map_mutations.py
@@ -427,10 +427,8 @@ def test_story_map_approve_membership_with_token_for_registered_user(
 def test_story_map_approve_membership_with_token_for_unregistered_user(
     client_query_no_token,
     story_map_user_memberships_not_registered_approve_tokens,
-    story_map_user_memberships_not_registered,
 ):
     token = story_map_user_memberships_not_registered_approve_tokens[0]
-    membership = story_map_user_memberships_not_registered[0]
 
     response = client_query_no_token(
         """
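Review bot: The new `return request_user.id == membership.user.id` dereferences `membership.user` unconditionally, while the removed branch handled memberships that only carry a `pending_email`; if such a membership has no user attached, the predicate now raises AttributeError instead of denying, and an exception inside a rules predicate surfaces as a server error rather than an unauthorized result. A guarded form, `return membership.user is not None and request_user.id == membership.user.id`, keeps deny semantics — confirm whether `user` can be null on a pending-email membership. The removed explanatory comment also leaves the predicate undocumented; a one-line replacement such as `# Token approval is only valid for the signed-in user the membership belongs to.` would preserve the intent. Dropping the `is_anonymous` checks is safe only because the mutation (changed in the story_maps.py hunk) now requires authentication; if this predicate is reused elsewhere, `request_user.id` is None for an anonymous user and the comparison returns False, which is still a deny.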
@@ -454,12 +452,10 @@ def test_story_map_approve_membership_with_token_for_unregistered_user(
     )
     json_response = response.json()
 
-    assert json_response["data"]["approveStoryMapMembershipToken"]["errors"] is None
-
-    response_membership = json_response["data"]["approveStoryMapMembershipToken"]["membership"]
-
-    assert response_membership["id"] == str(membership.id)
-    assert response_membership["membershipStatus"] == "APPROVED"
+    assert "errors" in json_response["data"]["approveStoryMapMembershipToken"]
+    error_result = json_response["data"]["approveStoryMapMembershipToken"]["errors"][0]["message"]
+    json_error = json.loads(error_result)
+    assert json_error[0]["code"] == "unauthorized"
 
 
 def test_story_map_approve_membership_with_token_for_registered_user_fails_due_user_mismatch(
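Review bot: `assert "errors" in json_response["data"]["approveStoryMapMembershipToken"]` does not distinguish a rejected request from a successful one, because the removed assertion shows the key is present (as None) on a successful approval as well; on a regression the test would fail with a TypeError at the following `[0]` subscript rather than a clear assertion. Replace it with `assert json_response["data"]["approveStoryMapMembershipToken"]["errors"] is not None`. The membership fixture was dropped in the earlier hunk of this file, so nothing now verifies that the membership is still pending after the rejected request; re-adding it, refreshing it from the database and asserting its status is unchanged would pin the property this commit is about. `json.loads` relies on `json` being imported at module top, which is outside this hunk and presumably already in place.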