lingo: remove user retrieval from email in basket api (#42992)

This commit is contained in:
Valentin Deniaud 2020-06-10 10:47:12 +02:00
parent 4a62897422
commit fca2a33b33
2 changed files with 64 additions and 65 deletions

View File

@ -180,8 +180,6 @@ class AddBasketItemApiView(View):
try:
if request.GET.get('NameId'):
user = get_user_from_name_id(request.GET.get('NameId'), raise_on_missing=True)
elif request.GET.get('email'):
user = User.objects.get(email=request.GET.get('email'))
else:
user = None
except User.DoesNotExist:
@ -270,8 +268,6 @@ class RemoveBasketItemApiView(View):
user = get_user_from_name_id(request.GET.get('NameId'), raise_on_missing=True)
if user is None:
raise User.DoesNotExist()
elif request.GET.get('email'):
user = User.objects.get(email=request.GET.get('email'))
else:
return BadRequestJsonResponse('no user specified')
except User.DoesNotExist:

View File

@ -6,6 +6,9 @@ import urllib
from decimal import Decimal
import json
import mock
import uuid
from mellon.models import UserSAMLIdentifier
from django.apps import apps
from django.contrib.auth.models import User
@ -106,6 +109,12 @@ def user():
email='foo@example.com')
return user
@pytest.fixture
def user_name_id(user):
name_id = '7d6a86ae70f746f4887f22bad212f836'
UserSAMLIdentifier.objects.create(user=user, name_id=name_id)
return name_id
@pytest.fixture(params=['orig', 'sign_key'])
def key(request, settings):
if request.param == 'orig':
@ -245,30 +254,27 @@ def test_successfull_items_payment(app, basket_page, regie, user, with_payment_b
'/test_basket_cell/'
def test_add_amount_to_basket(app, key, regie, user):
def test_add_amount_to_basket(app, key, regie, user_name_id):
payment_backend = PaymentBackend.objects.create(
label='test2', slug='test2', service='dummy', service_options={'siret': '1234'})
other_regie = Regie(label='test2', slug='test2', payment_backend=payment_backend)
other_regie.save()
user_email = 'foo@example.com'
User.objects.get_or_create(email=user_email)
data = {'display_name': 'test amount',
'url': 'http://example.com'}
url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, key)
resp = app.post_json(url, params=data, status=400)
assert 'missing amount parameter' in resp.text
amount = 42
data['amount'] = amount
url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), 'unknown@example.com')
url = '%s?NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), 'unknown_id')
url = sign_url(url, key)
resp = app.post_json(url, params=data, status=400)
assert 'unknown user' in resp.text
url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, key)
resp = app.post_json(url, params=data)
assert resp.status_code == 200
@ -279,7 +285,7 @@ def test_add_amount_to_basket(app, key, regie, user):
resp = app.post_json('%s&amount=10' % url, params=data, status=403) # bad signature
data['extra'] = {'amount': '22.22'}
url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, key)
resp = app.post_json(url, params=data)
assert resp.status_code == 200
@ -288,7 +294,7 @@ def test_add_amount_to_basket(app, key, regie, user):
data['amount'] = [amount]
data['extra'] = {'amount': ['22.22', '12']}
url = '%s?email=%s&orig=wcs&amount=5' % (reverse('api-add-basket-item'), user_email)
url = '%s?NameId=%s&orig=wcs&amount=5' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, key)
resp = app.post_json(url, params=data)
assert resp.status_code == 200
@ -296,12 +302,12 @@ def test_add_amount_to_basket(app, key, regie, user):
assert BasketItem.objects.filter(amount=Decimal('81.22')).exists()
# accept french notation if settings.LANGUAGE_CODE is 'fr-*'
url = '%s?amount=10,00&email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
url = '%s?amount=10,00&NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, key)
resp = app.post_json(url, params=data, status=400)
assert resp.json['err_desc'] == 'invalid value for "amount" in query string'
data['amount'] = '1,10'
url = '%s?amount=10.00&email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
url = '%s?amount=10.00&NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, key)
resp = app.post_json(url, params=data, status=400)
assert resp.json['err_desc'] == 'invalid value for "amount" in payload'
@ -312,7 +318,7 @@ def test_add_amount_to_basket(app, key, regie, user):
data['amount'] = '1,10'
data['extra'] = {'amount': '0,01'}
url = '%s?amount=10,00&email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
url = '%s?amount=10,00&NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, key)
with override_settings(LANGUAGE_CODE='fr-be'):
resp = app.post_json(url, params=data, status=200)
@ -324,7 +330,7 @@ def test_add_amount_to_basket(app, key, regie, user):
other_regie.save()
data['amount'] = []
data['extra'] = {'amount': '22.23'}
url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, settings.LINGO_API_SIGN_KEY)
resp = app.post_json(url, params=data)
item = BasketItem.objects.get(amount=Decimal('22.23'))
@ -337,8 +343,8 @@ def test_add_amount_to_basket(app, key, regie, user):
assert BasketItem.objects.filter(amount=Decimal('22.23')).exists()
assert BasketItem.objects.filter(amount=Decimal('22.23'))[0].regie_id == other_regie.id
url = '%s?email=%s&regie_id=%s' % (
reverse('api-add-basket-item'), user_email, regie.id)
url = '%s?NameId=%s&regie_id=%s' % (
reverse('api-add-basket-item'), user_name_id, regie.id)
data['extra'] = {'amount': '22.24', 'foo': 'bar'}
url = sign_url(url, settings.LINGO_API_SIGN_KEY)
resp = app.post_json(url, params=data)
@ -348,8 +354,8 @@ def test_add_amount_to_basket(app, key, regie, user):
assert BasketItem.objects.filter(amount=Decimal('22.24'))[0].regie_id == regie.id
assert BasketItem.objects.filter(amount=Decimal('22.24'))[0].request_data == data['extra']
url = '%s?email=%s&regie_id=%s' % (
reverse('api-add-basket-item'), user_email, regie.slug)
url = '%s?NameId=%s&regie_id=%s' % (
reverse('api-add-basket-item'), user_name_id, regie.slug)
data['extra'] = {'amount': '13.67'}
url = sign_url(url, settings.LINGO_API_SIGN_KEY)
resp = app.post_json(url, params=data)
@ -358,15 +364,14 @@ def test_add_amount_to_basket(app, key, regie, user):
assert BasketItem.objects.filter(amount=Decimal('13.67')).exists()
assert BasketItem.objects.filter(amount=Decimal('13.67'))[0].regie_id == regie.id
url = '%s?email=%s&orig=wcs&regie_id=%s' % (reverse('api-add-basket-item'), user_email, 'scarecrow')
url = '%s?NameId=%s&orig=wcs&regie_id=%s' % (reverse('api-add-basket-item'), user_name_id, 'scarecrow')
url = sign_url(url, key)
resp = app.post_json(url, params=data, status=400)
assert resp.json['err_desc'] == 'unknown regie'
def test_basket_item_with_capture_date(app, user, regie, basket_page, monkeypatch):
User.objects.get_or_create(email=user.email)
url = '%s?email=%s' % (reverse('api-add-basket-item'), user.email)
def test_basket_item_with_capture_date(app, user, user_name_id, regie, basket_page, monkeypatch):
url = '%s?NameId=%s' % (reverse('api-add-basket-item'), user_name_id)
capture_date = timezone.now().date()
data = {
'amount': 10, 'capture_date': capture_date.isoformat(),
@ -393,8 +398,8 @@ def test_basket_item_with_capture_date(app, user, regie, basket_page, monkeypatc
@pytest.mark.parametrize("invalid_capture_date", [8, '', 'not-a-date'])
def test_add_basket_capture_date_format(app, user, regie, invalid_capture_date):
url = '%s?email=%s' % (reverse('api-add-basket-item'), user.email)
def test_add_basket_capture_date_format(app, user_name_id, regie, invalid_capture_date):
url = '%s?NameId=%s' % (reverse('api-add-basket-item'), user_name_id)
data = {'amount': 10, 'display_name': 'test item'}
data['capture_date'] = invalid_capture_date
url = sign_url(url, settings.LINGO_API_SIGN_KEY)
@ -402,18 +407,18 @@ def test_add_basket_capture_date_format(app, user, regie, invalid_capture_date):
assert resp.json['err_desc'] == 'bad format for capture date, it should be yyyy-mm-dd'
def test_add_basket_item_with_remote_regie(app, user, remote_regie):
def test_add_basket_item_with_remote_regie(app, user_name_id, remote_regie):
data = {'amount': 10, 'display_name': 'test item'}
url = '%s?email=%s' % (reverse('api-add-basket-item'), user.email)
url = '%s?NameId=%s' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, settings.LINGO_API_SIGN_KEY)
resp = app.post_json(url, params=data, status=400)
assert resp.json['err_desc'] == 'can not add a basket item to a remote regie'
def test_add_basket_item_without_display_name(app, user, regie):
def test_add_basket_item_without_display_name(app, user_name_id, regie):
data = {'amount': '42',
'url': 'http://example.com'}
url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user.email)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, settings.LINGO_API_SIGN_KEY)
resp = app.post_json(url, params=data, status=400)
assert 'missing display_name parameter' in resp.text
@ -445,7 +450,7 @@ def test_cant_pay_if_different_capture_date(app, basket_page, regie, user):
assert "Invalid grouping for basket items: different capture dates." in resp.text
def test_pay_single_basket_item(app, key, regie, user, john_doe):
def test_pay_single_basket_item(app, key, regie, user_name_id, john_doe):
page = Page(title='xxx', slug='index', template_name='standard')
page.save()
cell = LingoBasketCell(page=page, placeholder='content', order=0)
@ -455,7 +460,7 @@ def test_pay_single_basket_item(app, key, regie, user, john_doe):
data = {'amount': amount,
'display_name': 'test amount',
'url': 'http://example.com'}
url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user.email)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, key)
resp = app.post_json(url, params=data)
# check that an unpaid item exists in basket
@ -497,8 +502,8 @@ def test_pay_single_basket_item(app, key, regie, user, john_doe):
assert_payment_status(resp.location, transaction_id=item.transaction_set.last().pk)
def test_pay_multiple_regies(app, key, regie, user):
test_add_amount_to_basket(app, key, regie, user)
def test_pay_multiple_regies(app, key, regie, user_name_id):
test_add_amount_to_basket(app, key, regie, user_name_id)
page = Page(title='xxx', slug='test_basket_cell', template_name='standard')
page.save()
@ -516,8 +521,8 @@ def test_pay_multiple_regies(app, key, regie, user):
qs = urlparse.parse_qs(urlparse.urlparse(resp.location).query)
assert qs['amount'] == ['22.23']
def test_pay_as_anonymous_user(app, key, regie, user):
test_add_amount_to_basket(app, key, regie, user)
def test_pay_as_anonymous_user(app, key, regie, user_name_id):
test_add_amount_to_basket(app, key, regie, user_name_id)
page = Page(title='xxx', slug='test_basket_cell', template_name='standard')
page.save()
@ -529,10 +534,8 @@ def test_pay_as_anonymous_user(app, key, regie, user):
resp = resp.forms[0].submit().follow()
assert 'Payment requires to be logged in.' in resp.text
def test_cancel_basket_item(app, key, regie, user):
user_email = 'foo@example.com'
User.objects.get_or_create(email=user_email)
url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
def test_cancel_basket_item(app, key, regie, user_name_id):
url = '%s?NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, key)
data = {'amount': 42, 'display_name': 'test amount', 'url':
'http://example.com/', 'notify': 'true'}
@ -550,19 +553,19 @@ def test_cancel_basket_item(app, key, regie, user):
assert BasketItem.objects.filter(amount=21, cancellation_date__isnull=True).exists()
basket_item_id_2 = json.loads(resp.text)['id']
url = '%s?email=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_email)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_name_id)
url = sign_url(url, key)
data = {'notify': 'true'}
resp = app.post_json(url, params=data, status=400)
assert resp.json['err_desc'] == 'missing basket_item_id parameter'
url = '%s?email=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_email)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_name_id)
url = sign_url(url, key)
data = {'basket_item_id': 'eggs', 'notify': 'true'}
resp = app.post_json(url, params=data, status=400)
assert resp.json['err_desc'] == 'invalid basket_item_id'
url = '%s?email=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_email)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_name_id)
url = sign_url(url, key)
data = {'basket_item_id': 0, 'notify': 'true'}
resp = app.post_json(url, params=data, status=400)
@ -574,22 +577,23 @@ def test_cancel_basket_item(app, key, regie, user):
resp = app.post_json(url, params=data, status=400)
assert resp.json['err_desc'] == 'no user specified'
url = '%s?email=%s&orig=wcs' % (reverse('api-remove-basket-item'), 'unknown@example.com')
url = '%s?NameId=%s&orig=wcs' % (reverse('api-remove-basket-item'), 'unknown@example.com')
url = sign_url(url, key)
data = {'basket_item_id': basket_item_id, 'notify': 'true'}
resp = app.post_json(url, params=data, status=400)
assert resp.json['err_desc'] == 'unknown user'
other_user_email = 'bar@example.net'
User.objects.get_or_create(email=other_user_email)
url = '%s?email=%s&orig=wcs' % (reverse('api-remove-basket-item'), other_user_email)
other_user, _ = User.objects.get_or_create(email='hop@example.com')
other_user_name_id = uuid.uuid4()
UserSAMLIdentifier.objects.get_or_create(user=other_user, name_id=other_user_name_id)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-remove-basket-item'), other_user_name_id)
url = sign_url(url, key)
data = {'basket_item_id': basket_item_id, 'notify': 'true'}
resp = app.post_json(url, params=data, status=400)
assert resp.json['err_desc'] == 'user does not own the basket item'
with mock.patch('combo.utils.requests_wrapper.RequestsSession.request') as request:
url = '%s?email=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_email)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_name_id)
url = sign_url(url, key)
data = {'basket_item_id': basket_item_id, 'notify': 'true'}
resp = app.post_json(url, params=data)
@ -598,7 +602,7 @@ def test_cancel_basket_item(app, key, regie, user):
assert BasketItem.objects.filter(amount=21, cancellation_date__isnull=True).exists()
with mock.patch('combo.utils.requests_wrapper.RequestsSession.request') as request:
url = '%s?email=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_email)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_name_id)
url = sign_url(url, key)
data = {'basket_item_id': basket_item_id_2}
resp = app.post_json(url, params=data)
@ -606,20 +610,20 @@ def test_cancel_basket_item(app, key, regie, user):
assert not BasketItem.objects.filter(amount=42, cancellation_date__isnull=True).exists()
assert not BasketItem.objects.filter(amount=21, cancellation_date__isnull=True).exists()
url = '%s?email=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_email)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_name_id)
url = sign_url(url, key)
data = {'basket_item_id': basket_item_id}
resp = app.post_json(url, params=data, status=400)
assert resp.json['err_desc'] == 'basket item already cancelled'
def test_cancel_basket_item_from_cell(app, key, regie, user):
def test_cancel_basket_item_from_cell(app, key, regie, user_name_id):
page = Page(title='xxx', slug='test_basket_cell', template_name='standard')
page.save()
cell = LingoBasketCell(page=page, placeholder='content', order=0)
cell.save()
url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user.email)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, key)
data = {'amount': 42, 'display_name': 'test amount', 'url': 'http://example.org/testitem/'}
resp = app.post_json(url, params=data)
@ -642,7 +646,7 @@ def test_cancel_basket_item_from_cell(app, key, regie, user):
assert BasketItem.objects.filter(id=basket_item_id, cancellation_date__isnull=False).exists()
# check removal of an item that is not cancellable
url = '%s?email=%s&cancellable=no&orig=wcs' % (reverse('api-add-basket-item'), user.email)
url = '%s?NameId=%s&cancellable=no&orig=wcs' % (reverse('api-add-basket-item'), user_name_id)
url = sign_url(url, key)
data = {'amount': 21, 'display_name': 'test amount',
'url': 'http://example.org/testitem/'}
@ -658,9 +662,10 @@ def test_cancel_basket_item_from_cell(app, key, regie, user):
assert 'This item cannot be removed.' in resp.text
# check removal of the item of another user
user_email = 'bar@example.com'
User.objects.get_or_create(email=user_email)
url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
other_user, _ = User.objects.get_or_create(email='hop@example.com')
other_user_name_id = uuid.uuid4()
UserSAMLIdentifier.objects.get_or_create(user=other_user, name_id=other_user_name_id)
url = '%s?NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), other_user_name_id)
url = sign_url(url, key)
data = {'amount': 42, 'display_name': 'test amount', 'url': 'http://example.org/testitem/'}
resp = app.post_json(url, params=data)
@ -941,12 +946,10 @@ def test_transaction_cancel(app, key, regie, user):
assert json.loads(resp.text)['err'] == 1
assert TransactionOperation.objects.filter(transaction=t1).count() == 1
def test_extra_fees(app, basket_page, key, regie, user):
def test_extra_fees(app, basket_page, key, regie, user_name_id):
regie.extra_fees_ws_url = 'http://www.example.net/extra-fees'
regie.save()
user_email = 'foo@example.com'
User.objects.get_or_create(email=user_email)
amount = 42
data = {'amount': amount, 'display_name': 'test amount'}
with mock.patch('combo.utils.requests_wrapper.RequestsSession.request') as request:
@ -954,7 +957,7 @@ def test_extra_fees(app, basket_page, key, regie, user):
mock_json.status_code = 200
mock_json.json.return_value = {'err': 0, 'data': [{'subject': 'Extra Fees', 'amount': '5'}]}
request.return_value = mock_json
url = sign_url('%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email), key)
url = sign_url('%s?NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), user_name_id), key)
resp = app.post_json(url, params=data)
assert resp.status_code == 200
assert json.loads(resp.text)['result'] == 'success'
@ -969,7 +972,7 @@ def test_extra_fees(app, basket_page, key, regie, user):
mock_json.json.return_value = {'err': 0, 'data': [{'subject': 'Extra Fees', 'amount': '7'}]}
request.return_value = mock_json
data['amount'] = 43
url = sign_url('%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email), key)
url = sign_url('%s?NameId=%s&orig=wcs' % (reverse('api-add-basket-item'), user_name_id), key)
resp = app.post_json(url, params=data)
assert request.call_args[0] == ('POST', 'http://www.example.net/extra-fees')
assert len(json.loads(request.call_args[1]['data'])['data']) == 2
@ -984,7 +987,7 @@ def test_extra_fees(app, basket_page, key, regie, user):
mock_json.status_code = 200
mock_json.json.return_value = {'err': 0, 'data': [{'subject': 'Extra Fees', 'amount': '4'}]}
request.return_value = mock_json
url = sign_url('%s?email=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_email), key)
url = sign_url('%s?NameId=%s&orig=wcs' % (reverse('api-remove-basket-item'), user_name_id), key)
data = {'basket_item_id': BasketItem.objects.get(amount=43).id}
resp = app.post_json(url, params=data)
assert resp.status_code == 200
@ -1101,12 +1104,12 @@ def test_payment_callback_not_found(app, user, regie):
@pytest.mark.parametrize("authenticated", [True, False])
def test_payment_no_basket(app, user, regie, authenticated):
def test_payment_no_basket(app, user_name_id, regie, authenticated):
url = reverse('api-add-basket-item')
source_url = 'http://example.org/item/1'
data = {'amount': 10, 'display_name': 'test item', 'url': source_url}
if authenticated:
data['email'] = user.email
data['NameId'] = user_name_id
url = sign_url(url, settings.LINGO_API_SIGN_KEY)
resp = app.post_json(url, params=data)
assert resp.status_code == 200