diff --git a/src/djangooidc/views.py b/src/djangooidc/views.py
index d203f18c0..5b31b83c6 100644
--- a/src/djangooidc/views.py
+++ b/src/djangooidc/views.py
@@ -69,15 +69,16 @@ def login_callback(request):
 try:
 query = parse_qs(request.GET.urlencode())
 userinfo = CLIENT.callback(query, request.session)
+
+ # test for need for identity verification and if it is satisfied
+ # if not satisfied, redirect user to login with stepped up acr_value
+ if requires_step_up_auth(userinfo):
+ # add acr_value to request.session
+ request.session["acr_value"] = CLIENT.get_step_up_acr_value()
+ return CLIENT.create_authn_request(request.session)
+
 user = authenticate(request=request, **userinfo)
 if user:
- # test for need for identity verification and if it is satisfied
- # if not satisfied, redirect user to login with stepped up acr_value
- if requires_step_up_auth(userinfo):
- # add acr_value to request.session
- request.session["acr_value"] = CLIENT.get_step_up_acr_value()
- return CLIENT.create_authn_request(request.session)
-
 login(request, user)
 logger.info("Successfully logged in user %s" % user)
 return redirect(request.session.get("next", "/"))
diff --git a/src/registrar/models/user.py b/src/registrar/models/user.py
index e1880b9dd..5c1170f78 100644
--- a/src/registrar/models/user.py
+++ b/src/registrar/models/user.py
@@ -3,6 +3,8 @@ import logging
 from django.contrib.auth.models import AbstractUser
 from django.db import models
+from registrar.models.user_domain_role import UserDomainRole
+
 from .domain_invitation import DomainInvitation
 from .transition_domain import TransitionDomain
 from .domain import Domain
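Review bot: The step-up gate now runs on every callback, including the one that returns from the stepped-up authn request it issues, so if `CLIENT.callback` hands back userinfo that `requires_step_up_auth` still rejects (neither helper is visible here) the handler redirects to the IdP again indefinitely instead of failing. I would only step up once per session, e.g. `if requires_step_up_auth(userinfo) and request.session.get("acr_value") != CLIENT.get_step_up_acr_value():`, and treat a second miss as a failed login with a logged reason. Moving the check ahead of `authenticate` is the right direction, since the decision is made on the IdP's claims rather than on whether a local user row already exists; a one-line comment saying exactly that would replace the generic "test for need" comment. `login_callback` and its `try` block continue outside the hunk.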
@@ -66,6 +68,40 @@ class User(AbstractUser):
 @classmethod
 def needs_identity_verification(cls, email, uuid):
+
+ logger.info('needs_identity_verification')
+
+ try:
+
+ existing_user = cls.objects.get(username=uuid)
+
+ # An existing user who is a domain manager of a domain (that is, they have an entry in UserDomainRole for their User)
+ if existing_user and UserDomainRole.objects.filter(user=existing_user).exists():
+
+ logger.info(f'Existing user email {existing_user.email}')
+ logger.info(f'User doman role email {UserDomainRole.objects.filter(user=existing_user).first().user.email}')
+ return False
+
+ except:
+ pass
+
+ # logger.info(f'UserDomainRole.objects.filter(user=existing_user).exists() {UserDomainRole.objects.filter(user=existing_user).exists()}')
+ logger.info('got past the existing_user get')
+
+
+
+ # A new incoming user who is a domain manager for one of the domains that we inputted from Verisign (that is, their email address appears in the username field of a TransitionDomain)
+ if TransitionDomain.objects.filter(username=email).exists():
+ logger.info('Transition user')
+ return False
+
+ # A new incoming user who is being invited to be a domain manager (that is, their email address is in DomainInvitation for an invitation that is not yet "retrieved").
+ if DomainInvitation.objects.filter(email=email, status=DomainInvitation.INVITED):
+ logger.info('Invited user')
+ return False
+
+ logger.info('needs_identity_verification is TRUE')
+ return True
 def check_domain_invitations_on_login(self):
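Review bot: The bare `except: pass` around `cls.objects.get(username=uuid)` swallows far more than the `DoesNotExist` it is meant to absorb; a `MultipleObjectsReturned` or a database error silently drops through to the email-based checks, so this authentication gate fails in a direction nobody chose and leaves no trace — catch `cls.DoesNotExist` only and let anything else raise. The `existing_user and` guard is redundant after a successful `get`, the invitation check should end in `.exists()` like the TransitionDomain one instead of evaluating the queryset, and the info-level lines that print user email addresses, the `'got past the existing_user get'` breadcrumb and the commented-out log line are debugging output that should not ship in an auth decision path. Note also that both email lookups are exact-match: if the IdP returns the address in a different case from the Verisign import or the invitation, the user is sent to identity verification (fail-closed), which may be intended but deserves a comment. The enclosing `User` class continues outside the hunk.
```python
    @classmethod
    def needs_identity_verification(cls, email, uuid):
        """Return False when this login can skip identity verification, True otherwise."""
        try:
            existing_user = cls.objects.get(username=uuid)
        except cls.DoesNotExist:
            pass
        else:
            # An existing user who is a domain manager of a domain (has a UserDomainRole)
            if UserDomainRole.objects.filter(user=existing_user).exists():
                return False

        # A new incoming user who manages a domain imported from Verisign
        # (their email address is the username of a TransitionDomain)
        if TransitionDomain.objects.filter(username=email).exists():
            return False

        # A new incoming user whose invitation has not yet been retrieved
        if DomainInvitation.objects.filter(email=email, status=DomainInvitation.INVITED).exists():
            return False

        return True
```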