diff --git a/src/djangooidc/views.py b/src/djangooidc/views.py
index 0eaf28f01..c58c3a0aa 100644
--- a/src/djangooidc/views.py
+++ b/src/djangooidc/views.py
@@ -129,7 +129,9 @@ def login_callback(request):
 # Clear the flag if the exception is not caught
 request.session.pop("redirect_attempted", None)
- return redirect(request.session.get("next", "/"))
+
+ success_redirect_url = "/" if user.finished_setup else f"/finish-user-setup/{user.id}"
+ return redirect(request.session.get("next", success_redirect_url))
 else:
 raise o_e.BannedUser()
 except o_e.StateMismatch as nsd_err:
diff --git a/src/registrar/config/urls.py b/src/registrar/config/urls.py
index 720034150..2c6942ca8 100644
--- a/src/registrar/config/urls.py
+++ b/src/registrar/config/urls.py
@@ -100,6 +100,13 @@ urlpatterns = [
 name="analytics",
 ),
 path("admin/", admin.site.urls),
+ path(
+ # We embed the current user ID here, but we have a permission check
+ # that ensures the user is who they say they are.
+ "finish-user-setup/",
+ views.FinishContactProfileSetupView.as_view(),
+ name="finish-contact-profile-setup",
+ ),
 path(
 "domain-request//edit/",
 views.DomainRequestWizard.as_view(),
diff --git a/src/registrar/templates/finish_contact_setup.html b/src/registrar/templates/finish_contact_setup.html
new file mode 100644
index 000000000..930eb4a23
--- /dev/null
+++ b/src/registrar/templates/finish_contact_setup.html
@@ -0,0 +1,7 @@
+{% extends "base.html" %}
+{% load static url_helpers %}
+{% block title %} Finish setting up your profile {% endblock %}
+
+ {% block content %}
+
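Review bot: The new fallback `f"/finish-user-setup/{user.id}"` hardcodes a path that urls.py registers under the name `finish-contact-profile-setup`; building it with `reverse("finish-contact-profile-setup", kwargs={"pk": user.id})` (django.urls.reverse, if not already imported here) keeps the two in sync and fails at the redirect rather than with a 404 if the route ever changes. Separately, the setup page is only the default of `request.session.get("next", success_redirect_url)`, so a user whose `finished_setup` is False but who has a `next` stored in the session bypasses the setup step entirely; if the setup is meant to be mandatory, the `finished_setup` check should take precedence over `next`, e.g. `return redirect(success_redirect_url if not user.finished_setup else request.session.get("next", "/"))`. `user` is bound outside the hunk and login_callback's body continues beyond it, so I cannot confirm whether `next` is already validated elsewhere.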

TEST

+{% endblock content %}
diff --git a/src/registrar/views/domain_request.py b/src/registrar/views/domain_request.py
index 6b0ef7223..ee97dddf9 100644
--- a/src/registrar/views/domain_request.py
+++ b/src/registrar/views/domain_request.py
@@ -824,5 +824,5 @@ class DomainRequestDeleteView(DomainRequestPermissionDeleteView):
 class FinishContactProfileSetupView(ContactPermissionView):
 """This view forces the user into providing additional details that we may have missed from Login.gov"""
- template_name = "domain_request_your_contact.html"
- forms = [forms.YourContactForm]
\ No newline at end of file
+ template_name = "finish_contact_setup.html"
+ forms = [forms.YourContactForm]
diff --git a/src/registrar/views/utility/mixins.py b/src/registrar/views/utility/mixins.py
index 4fdba113d..45c7c7860 100644
--- a/src/registrar/views/utility/mixins.py
+++ b/src/registrar/views/utility/mixins.py
@@ -9,6 +9,7 @@ from registrar.models import (
 DomainInformation,
 UserDomainRole,
 Contact,
+ User,
 )
 import logging
@@ -340,10 +341,22 @@ class ContactPermission(PermissionsLoginMixin):
 if not self.request.user.is_authenticated:
 return False
- user_pk = self.kwargs["pk"]
+
+ given_user_pk = self.kwargs["pk"]
+
+ # Grab the user in the DB to do a full object comparision, not just on ids
+ current_user = self.request.user
+
+ # Check for the ids existence since we're dealing with requests
+ requested_user_exists = User.objects.filter(pk=given_user_pk).exists()
+
+ # Compare the PK that was passed in to the user currently logged in
+ if current_user.pk != given_user_pk and requested_user_exists:
+ # Don't allow users to modify other users profiles
+ return False
 # Check if the user has an associated contact
- associated_contacts = Contact.objects.filter(user=user_pk)
+ associated_contacts = Contact.objects.filter(user=current_user)
 associated_contacts_length = len(associated_contacts)
 if associated_contacts_length == 0:
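Review bot: The content block of the new template appears to hold only the placeholder text `TEST` and no form markup, yet `FinishContactProfileSetupView` in domain_request.py now sets `template_name = "finish_contact_setup.html"` alongside `forms = [forms.YourContactForm]`, so as far as is visible the page gives the user nothing to submit. Some markup inside the content block seems to have been lost in extraction, so if a form is rendered there this can be disregarded; otherwise either render the form (a `<form method="post">` with `{% csrf_token %}` and the form fields) or mark the template as a work-in-progress stub in a `{# ... #}` comment so it is not mistaken for finished UI.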
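Review bot: The ownership check `if current_user.pk != given_user_pk and requested_user_exists:` only denies a mismatched pk when that pk belongs to an existing user, so a request for a nonexistent pk passes the permission check even though it is not the logged-in user's own record; the deny should not be conditioned on existence, i.e. `if current_user.pk != given_user_pk:` followed by `return False`, after which the `requested_user_exists` query (and likely the new `User` import in the first hunk) serves no purpose. The comment `# Grab the user in the DB to do a full object comparision, not just on ids` does not describe the line under it — `self.request.user` is the already-authenticated user and only `.pk` is compared — so something like `# Only the authenticated user may act on their own contact; compare against the pk from the URL` would be accurate. This assumes the route's converter hands `self.kwargs["pk"]` to the view as an int; if it arrived as a string the `!=` would always be true and every request would be denied, which is worth confirming against the urls.py entry. The body of has_permission continues outside the hunk.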