0
0
Fork 0
mirror of https://github.com/healthchecks/healthchecks.git synced 2025-03-16 21:23:36 +00:00

Check membership when initiating project's transfer. Use transaction.atomic() when completing the transfer.

This commit is contained in:
Pēteris Caune 2020-04-13 15:19:37 +03:00
parent 57da17b8e2
commit ca715dd8d4
No known key found for this signature in database
GPG key ID: E28D7679E9A9EDE2
2 changed files with 27 additions and 13 deletions

View file

@ -34,6 +34,13 @@ class ProjectTestCase(BaseTestCase):
r = self.client.post(self.url, form)
self.assertEqual(r.status_code, 403)
def test_transfer_project_checks_membership(self):
self.client.login(username="alice@example.org", password="password")
form = {"transfer_project": "1", "email": "charlie@example.org"}
r = self.client.post(self.url, form)
self.assertEqual(r.status_code, 400)
def test_cancel_works(self):
self.bobs_membership.transfer_request_date = now()
self.bobs_membership.save()

View file

@ -2,6 +2,7 @@ from datetime import timedelta as td
from urllib.parse import urlparse
import uuid
from django.db import transaction
from django.conf import settings
from django.contrib import messages
from django.contrib.auth import login as auth_login
@ -339,21 +340,27 @@ def project(request, code):
form = forms.TransferForm(request.POST)
if form.is_valid():
# Look up the proposed new owner
email = form.cleaned_data["email"]
try:
membership = project.member_set.filter(user__email=email).get()
except Member.DoesNotExist:
return HttpResponseBadRequest()
# Revoke any previous transfer requests
project.member_set.update(transfer_request_date=None)
# Initiate the new request
q = project.member_set.filter(user__email=email)
q.update(transfer_request_date=now())
membership.transfer_request_date = now()
membership.save()
# Send an email notification
profile = Profile.objects.for_user(membership.user)
profile.send_transfer_request(project)
ctx["transfer_initiated"] = True
ctx["transfer_status"] = "success"
profile = Profile.objects.get(user__email=email)
profile.send_transfer_request(project)
elif "cancel_transfer" in request.POST:
if not is_owner:
return HttpResponseForbidden()
@ -370,15 +377,15 @@ def project(request, code):
if not tr.can_accept():
return HttpResponseBadRequest()
# 1. Remove user's membership
tr.delete()
with transaction.atomic():
# 1. Reuse the existing membership, and change its user
tr.user = project.owner
tr.transfer_request_date = None
tr.save()
# 2. Invite the current owner as a member
Member.objects.create(user=project.owner, project=project)
# 3. Change project's owner
project.owner = request.user
project.save()
# 2. Change project's owner
project.owner = request.user
project.save()
ctx["is_owner"] = True
messages.success(request, "You are now the owner of this project!")