Esempio n. 1
0
    def test_regenerate_token(self):
        organization = self.create_organization()
        member = OrganizationMember(organization=organization, email="*****@*****.**")
        assert member.token is None
        assert member.token_expires_at is None

        member.regenerate_token()
        assert member.token
        assert member.token_expires_at
        expires_at = timezone.now() + timedelta(days=INVITE_DAYS_VALID)
        assert member.token_expires_at.date() == expires_at.date()
Esempio n. 2
0
    def test_regenerate_token(self):
        organization = self.create_organization()
        member = OrganizationMember(
            organization=organization,
            email='*****@*****.**')
        assert member.token is None
        assert member.token_expires_at is None

        member.regenerate_token()
        assert member.token
        assert member.token_expires_at
        expires_at = timezone.now() + timedelta(days=INVITE_DAYS_VALID)
        assert member.token_expires_at.date() == expires_at.date()
Esempio n. 3
0
    def put(
        self,
        request: Request,
        organization: Organization,
        member: OrganizationMember,
    ) -> Response:
        serializer = OrganizationMemberSerializer(data=request.data,
                                                  partial=True)

        if not serializer.is_valid():
            return Response(status=400)

        try:
            auth_provider = AuthProvider.objects.get(organization=organization)
            auth_provider = auth_provider.get_provider()
        except AuthProvider.DoesNotExist:
            auth_provider = None

        allowed_roles = None
        result = serializer.validated_data

        # XXX(dcramer): if/when this expands beyond reinvite we need to check
        # access level
        if result.get("reinvite"):
            if member.is_pending:
                if ratelimits.for_organization_member_invite(
                        organization=organization,
                        email=member.email,
                        user=request.user,
                        auth=request.auth,
                ):
                    metrics.incr(
                        "member-invite.attempt",
                        instance="rate_limited",
                        skip_internal=True,
                        sample_rate=1.0,
                    )
                    return Response({"detail": ERR_RATE_LIMITED}, status=429)

                if result.get("regenerate"):
                    if request.access.has_scope("member:admin"):
                        member.regenerate_token()
                        member.save()
                    else:
                        return Response({"detail": ERR_INSUFFICIENT_SCOPE},
                                        status=400)
                if member.token_expired:
                    return Response({"detail": ERR_EXPIRED}, status=400)
                member.send_invite_email()
            elif auth_provider and not getattr(member.flags, "sso:linked"):
                member.send_sso_link_email(request.user, auth_provider)
            else:
                # TODO(dcramer): proper error message
                return Response({"detail": ERR_UNINVITABLE}, status=400)

        if "teams" in result:
            # dupe code from member_index
            # ensure listed teams are real teams
            teams = list(
                Team.objects.filter(organization=organization,
                                    status=TeamStatus.VISIBLE,
                                    slug__in=result["teams"]))

            if len(set(result["teams"])) != len(teams):
                return Response({"teams": "Invalid team"}, status=400)

            with transaction.atomic():
                # teams may be empty
                OrganizationMemberTeam.objects.filter(
                    organizationmember=member).delete()
                OrganizationMemberTeam.objects.bulk_create([
                    OrganizationMemberTeam(team=team,
                                           organizationmember=member)
                    for team in teams
                ])

        if result.get("role"):
            _, allowed_roles = get_allowed_roles(request, organization)
            allowed_role_ids = {r.id for r in allowed_roles}

            # A user cannot promote others above themselves
            if result["role"] not in allowed_role_ids:
                return Response(
                    {
                        "role":
                        "You do not have permission to assign the given role."
                    },
                    status=403)

            # A user cannot demote a superior
            if member.role not in allowed_role_ids:
                return Response(
                    {
                        "role":
                        "You do not have permission to assign a role to the given user."
                    },
                    status=403,
                )

            if member.user == request.user and (result["role"] != member.role):
                return Response(
                    {"detail": "You cannot make changes to your own role."},
                    status=400)

            member.update(role=result["role"])

        self.create_audit_entry(
            request=request,
            organization=organization,
            target_object=member.id,
            target_user=member.user,
            event=AuditLogEntryEvent.MEMBER_EDIT,
            data=member.get_audit_log_data(),
        )

        context = self._serialize_member(member, request, allowed_roles)

        return Response(context)