Check membership when initiating project's transfer. Use transaction.atomic() when completing the transfer.

2025-03-16 21:23:36 +00:00 · 2020-04-13 15:19:37 +03:00 · 2020-04-13 15:19:37 +03:00 · ca715dd8d4
commit ca715dd8d4
parent 57da17b8e2
2 changed files with 27 additions and 13 deletions
--- a/hc/accounts/tests/test_transfer_project.py
+++ b/hc/accounts/tests/test_transfer_project.py
@ -34,6 +34,13 @@ class ProjectTestCase(BaseTestCase):
        r = self.client.post(self.url, form)
        self.assertEqual(r.status_code, 403)

+    def test_transfer_project_checks_membership(self):
+        self.client.login(username="alice@example.org", password="password")
+
+        form = {"transfer_project": "1", "email": "charlie@example.org"}
+        r = self.client.post(self.url, form)
+        self.assertEqual(r.status_code, 400)
+
    def test_cancel_works(self):
        self.bobs_membership.transfer_request_date = now()
        self.bobs_membership.save()
--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@ -2,6 +2,7 @@ from datetime import timedelta as td
 from urllib.parse import urlparse
 import uuid

+from django.db import transaction
 from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth import login as auth_login
@ -339,21 +340,27 @@ def project(request, code):

            form = forms.TransferForm(request.POST)
            if form.is_valid():
+                # Look up the proposed new owner
                email = form.cleaned_data["email"]
+                try:
+                    membership = project.member_set.filter(user__email=email).get()
+                except Member.DoesNotExist:
+                    return HttpResponseBadRequest()

                # Revoke any previous transfer requests
                project.member_set.update(transfer_request_date=None)

                # Initiate the new request
-                q = project.member_set.filter(user__email=email)
-                q.update(transfer_request_date=now())
+                membership.transfer_request_date = now()
+                membership.save()
+
+                # Send an email notification
+                profile = Profile.objects.for_user(membership.user)
+                profile.send_transfer_request(project)

                ctx["transfer_initiated"] = True
                ctx["transfer_status"] = "success"

-                profile = Profile.objects.get(user__email=email)
-                profile.send_transfer_request(project)
-
        elif "cancel_transfer" in request.POST:
            if not is_owner:
                return HttpResponseForbidden()
@ -370,15 +377,15 @@ def project(request, code):
            if not tr.can_accept():
                return HttpResponseBadRequest()

-            # 1. Remove user's membership
-            tr.delete()
+            with transaction.atomic():
+                # 1. Reuse the existing membership, and change its user
+                tr.user = project.owner
+                tr.transfer_request_date = None
+                tr.save()

-            # 2. Invite the current owner as a member
-            Member.objects.create(user=project.owner, project=project)
-
-            # 3. Change project's owner
-            project.owner = request.user
-            project.save()
+                # 2. Change project's owner
+                project.owner = request.user
+                project.save()

            ctx["is_owner"] = True
            messages.success(request, "You are now the owner of this project!")