Merge pull request #1462 from cisagov/dk/1433-oidc-mult-levels

Issues 1433, 1435: Multi-level identity-verification based on users
2025-07-23 03:06:01 +02:00 · 2023-12-11 21:06:31 -05:00 · 2023-12-11 21:06:31 -05:00 · 796bda8493
commit 796bda8493
parent 5f48149818 f7fdecfd33
7 changed files with 195 additions and 18 deletions
--- a/src/registrar/models/user.py
+++ b/src/registrar/models/user.py
@ -3,6 +3,8 @@ import logging
 from django.contrib.auth.models import AbstractUser
 from django.db import models

+from registrar.models.user_domain_role import UserDomainRole
+
 from .domain_invitation import DomainInvitation
 from .transition_domain import TransitionDomain
 from .domain import Domain
@ -64,6 +66,36 @@ class User(AbstractUser):
    def is_restricted(self):
        return self.status == self.RESTRICTED

+    @classmethod
+    def needs_identity_verification(cls, email, uuid):
+        """A method used by our oidc classes to test whether a user needs email/uuid verification
+        or the full identity PII verification"""
+
+        # An existing user who is a domain manager of a domain (that is,
+        # they have an entry in UserDomainRole for their User)
+        try:
+            existing_user = cls.objects.get(username=uuid)
+            if existing_user and UserDomainRole.objects.filter(user=existing_user).exists():
+                return False
+        except cls.DoesNotExist:
+            # Do nothing when the user is not found, as we're checking for existence.
+            pass
+        except Exception as err:
+            raise err
+
+        # A new incoming user who is a domain manager for one of the domains
+        # that we inputted from Verisign (that is, their email address appears
+        # in the username field of a TransitionDomain)
+        if TransitionDomain.objects.filter(username=email).exists():
+            return False
+
+        # A new incoming user who is being invited to be a domain manager (that is,
+        # their email address is in DomainInvitation for an invitation that is not yet "retrieved").
+        if DomainInvitation.objects.filter(email=email, status=DomainInvitation.INVITED).exists():
+            return False
+
+        return True
+
    def check_domain_invitations_on_login(self):
        """When a user first arrives on the site, we need to retrieve any domain
        invitations that match their email address."""