Add perms checks

2025-05-19 19:09:22 +02:00 · 2024-05-09 12:45:21 -06:00 · 2024-05-09 12:45:21 -06:00 · 84408fce48
commit 84408fce48
parent 2f36033eb2
5 changed files with 34 additions and 5 deletions
--- a/src/djangooidc/views.py
+++ b/src/djangooidc/views.py
@ -129,7 +129,9 @@ def login_callback(request):

            # Clear the flag if the exception is not caught
            request.session.pop("redirect_attempted", None)
-            return redirect(request.session.get("next", "/"))
+
+            success_redirect_url = "/" if user.finished_setup else f"/finish-user-setup/{user.id}"
+            return redirect(request.session.get("next", success_redirect_url))
        else:
            raise o_e.BannedUser()
    except o_e.StateMismatch as nsd_err:
--- a/src/registrar/config/urls.py
+++ b/src/registrar/config/urls.py
@ -100,6 +100,13 @@ urlpatterns = [
        name="analytics",
    ),
    path("admin/", admin.site.urls),
+    path(
+        # We embed the current user ID here, but we have a permission check
+        # that ensures the user is who they say they are.
+        "finish-user-setup/<int:pk>",
+        views.FinishContactProfileSetupView.as_view(),
+        name="finish-contact-profile-setup",
+    ),
    path(
        "domain-request/<id>/edit/",
        views.DomainRequestWizard.as_view(),
--- a/src/registrar/templates/finish_contact_setup.html
+++ b/src/registrar/templates/finish_contact_setup.html
@ -0,0 +1,7 @@
+{% extends "base.html" %}
+{% load static url_helpers %}
+{% block title %} Finish setting up your profile {% endblock %}
+
+{% block content %}
+<h2>TEST</h2>
+{% endblock content %}
--- a/src/registrar/views/domain_request.py
+++ b/src/registrar/views/domain_request.py
@ -824,5 +824,5 @@ class DomainRequestDeleteView(DomainRequestPermissionDeleteView):
 class FinishContactProfileSetupView(ContactPermissionView):
    """This view forces the user into providing additional details that 
    we may have missed from Login.gov"""
-    template_name = "domain_request_your_contact.html"
+    template_name = "finish_contact_setup.html"
    forms = [forms.YourContactForm]
--- a/src/registrar/views/utility/mixins.py
+++ b/src/registrar/views/utility/mixins.py
@ -9,6 +9,7 @@ from registrar.models import (
    DomainInformation,
    UserDomainRole,
    Contact,
+    User,
 )
 import logging

@ -340,10 +341,22 @@ class ContactPermission(PermissionsLoginMixin):
        if not self.request.user.is_authenticated:
            return False

-        user_pk = self.kwargs["pk"]
+
+        given_user_pk = self.kwargs["pk"]
+
+        # Grab the user in the DB to do a full object comparision, not just on ids
+        current_user = self.request.user
+
+        # Check for the ids existence since we're dealing with requests
+        requested_user_exists = User.objects.filter(pk=given_user_pk).exists()
+
+        # Compare the PK that was passed in to the user currently logged in
+        if current_user.pk != given_user_pk and requested_user_exists:
+            # Don't allow users to modify other users profiles
+            return False

        # Check if the user has an associated contact
-        associated_contacts = Contact.objects.filter(user=user_pk)
+        associated_contacts = Contact.objects.filter(user=current_user)
        associated_contacts_length = len(associated_contacts)

        if associated_contacts_length == 0: