zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-08-15 22:14:15 +02:00
Code Issues Projects Releases Packages Wiki Activity

Block users invited to other orgs from being domain managers

Browse source
This commit is contained in:
Erin Song 2024-09-26 10:24:29 -07:00
parent f9e60ac237
commit caad00df18
No known key found for this signature in database
1 changed files with 43 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

56
src/registrar/views/domain.py
View file

@ -21,8 +21,10 @@ from registrar.models import (
DomainRequest, DomainRequest,
DomainInformation, DomainInformation,
DomainInvitation, DomainInvitation,
PortfolioInvitation,
User, User,
UserDomainRole, UserDomainRole,
UserPortfolioPermission,
PublicContact, PublicContact,
) )
from registrar.utility.enums import DefaultEmail from registrar.utility.enums import DefaultEmail
@ -38,6 +40,7 @@ from registrar.utility.errors import (
) )
from registrar.models.utility.contact_error import ContactError from registrar.models.utility.contact_error import ContactError
from registrar.views.utility.permission_views import UserDomainRolePermissionDeleteView from registrar.views.utility.permission_views import UserDomainRolePermissionDeleteView
from registrar.utility.waffle import flag_is_active_for_user
from ..forms import ( from ..forms import (
SeniorOfficialContactForm, SeniorOfficialContactForm,
@ -778,7 +781,14 @@ class DomainAddUserView(DomainFormBaseView):
"""Get an absolute URL for this domain.""" """Get an absolute URL for this domain."""
return self.request.build_absolute_uri(reverse("domain", kwargs={"pk": self.object.id})) return self.request.build_absolute_uri(reverse("domain", kwargs={"pk": self.object.id}))
def _send_domain_invitation_email(self, email: str, requestor: User, add_success=True): def _is_member_of_different_org(self, email, org):
"""Verifies if an email belongs to a different organization as a member or invited member."""
# Check if user is a member of a different organization
existing_org_permission = UserPortfolioPermission.objects.get(email=email)
print("Existing org permission: ", existing_org_permission)
return True
def _send_domain_invitation_email(self, email: str, requestor: User, requested_user=None, add_success=True):
"""Performs the sending of the domain invitation email, """Performs the sending of the domain invitation email,
does not make a domain information object does not make a domain information object
email: string- email to send to email: string- email to send to
@ -803,6 +813,26 @@ class DomainAddUserView(DomainFormBaseView):
) )
return None return None
# Check is user is a member or invited member of a different org from this domain's org
print("org feature flag is active: ", flag_is_active_for_user(requestor, "organization_feature"))
if flag_is_active_for_user(requestor, "organization_feature"):
# Check if invited user is a member from a different org from this domain's org
existing_org_permission = UserPortfolioPermission.objects.filter(user=requested_user).first()
print("Existing org permission for requested email: ", existing_org_permission)
existing_org_invitation = PortfolioInvitation.objects.filter(email=email).first()
requestor_org = UserPortfolioPermission.objects.get(user=requestor).portfolio
print("Requestor org: ", requestor_org)
if (existing_org_permission and existing_org_permission.portfolio != requestor_org) or \
(existing_org_invitation and existing_org_invitation.portfolio != requestor_org):
add_success=False
messages.error(
self.request,
f"That email is already a member of another .gov organization.",
)
raise Exception
# Check to see if an invite has already been sent # Check to see if an invite has already been sent
try: try:
invite = DomainInvitation.objects.get(email=email, domain=self.object) invite = DomainInvitation.objects.get(email=email, domain=self.object)
@ -868,7 +898,7 @@ class DomainAddUserView(DomainFormBaseView):
else: else:
# if user already exists then just send an email # if user already exists then just send an email
try: try:
self._send_domain_invitation_email(requested_email, requestor, add_success=False) self._send_domain_invitation_email(requested_email, requestor, requested_user=requested_user, add_success=False)
except EmailSendingError: except EmailSendingError:
logger.warn( logger.warn(
"Could not send email invitation (EmailSendingError)", "Could not send email invitation (EmailSendingError)",
@ -883,17 +913,17 @@ class DomainAddUserView(DomainFormBaseView):
exc_info=True, exc_info=True,
) )
messages.warning(self.request, "Could not send email invitation.") messages.warning(self.request, "Could not send email invitation.")
else:
try: try:
UserDomainRole.objects.create( UserDomainRole.objects.create(
user=requested_user, user=requested_user,
domain=self.object, domain=self.object,
role=UserDomainRole.Roles.MANAGER, role=UserDomainRole.Roles.MANAGER,
) )
except IntegrityError: except IntegrityError:
messages.warning(self.request, f"{requested_email} is already a manager for this domain") messages.warning(self.request, f"{requested_email} is already a manager for this domain")
else: else:
messages.success(self.request, f"Added user {requested_email}.") messages.success(self.request, f"Added user {requested_email}.")
return redirect(self.get_success_url()) return redirect(self.get_success_url())