Check membership when initiating project's transfer. Use transaction.atomic() when completing the transfer.
parent
57da17b8e2
commit
ca715dd8d4
2 changed files with 27 additions and 13 deletions
hc/accounts
|
@ -34,6 +34,13 @@ class ProjectTestCase(BaseTestCase):
|
|||
r = self.client.post(self.url, form)
|
||||
self.assertEqual(r.status_code, 403)
|
||||
|
||||
def test_transfer_project_checks_membership(self):
|
||||
self.client.login(username="alice@example.org", password="password")
|
||||
|
||||
form = {"transfer_project": "1", "email": "charlie@example.org"}
|
||||
r = self.client.post(self.url, form)
|
||||
self.assertEqual(r.status_code, 400)
|
||||
|
||||
def test_cancel_works(self):
|
||||
self.bobs_membership.transfer_request_date = now()
|
||||
self.bobs_membership.save()
|
||||
|
|
|
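Review bot: `test_transfer_project_checks_membership` asserts only the 400 status, so it would still pass if the view sent the transfer-request e-mail or touched pending requests before rejecting the address. Since the point of the membership check is that a non-member address triggers nothing, the test could also pin the absence of side effects, e.g. `self.assertEqual(len(mail.outbox), 0)` (with `from django.core import mail` if the test module does not already import it). The test presumably relies on charlie@example.org not being a member of Alice's project in the `BaseTestCase` fixtures, which are not visible here; a one-line comment saying so would help.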
@ -2,6 +2,7 @@ from datetime import timedelta as td
|
|||
from urllib.parse import urlparse
|
||||
import uuid
|
||||
|
||||
from django.db import transaction
|
||||
from django.conf import settings
|
||||
from django.contrib import messages
|
||||
from django.contrib.auth import login as auth_login
|
||||
|
@ -339,21 +340,27 @@ def project(request, code):
|
|||
|
||||
form = forms.TransferForm(request.POST)
|
||||
if form.is_valid():
|
||||
# Look up the proposed new owner
|
||||
email = form.cleaned_data["email"]
|
||||
try:
|
||||
membership = project.member_set.filter(user__email=email).get()
|
||||
except Member.DoesNotExist:
|
||||
return HttpResponseBadRequest()
|
||||
|
||||
# Revoke any previous transfer requests
|
||||
project.member_set.update(transfer_request_date=None)
|
||||
|
||||
# Initiate the new request
|
||||
q = project.member_set.filter(user__email=email)
|
||||
q.update(transfer_request_date=now())
|
||||
membership.transfer_request_date = now()
|
||||
membership.save()
|
||||
|
||||
# Send an email notification
|
||||
profile = Profile.objects.for_user(membership.user)
|
||||
profile.send_transfer_request(project)
|
||||
|
||||
ctx["transfer_initiated"] = True
|
||||
ctx["transfer_status"] = "success"
|
||||
|
||||
profile = Profile.objects.get(user__email=email)
|
||||
profile.send_transfer_request(project)
|
||||
|
||||
elif "cancel_transfer" in request.POST:
|
||||
if not is_owner:
|
||||
return HttpResponseForbidden()
|
||||
|
@ -370,15 +377,15 @@ def project(request, code):
|
|||
if not tr.can_accept():
|
||||
return HttpResponseBadRequest()
|
||||
|
||||
# 1. Remove user's membership
|
||||
tr.delete()
|
||||
with transaction.atomic():
|
||||
# 1. Reuse the existing membership, and change its user
|
||||
tr.user = project.owner
|
||||
tr.transfer_request_date = None
|
||||
tr.save()
|
||||
|
||||
# 2. Invite the current owner as a member
|
||||
Member.objects.create(user=project.owner, project=project)
|
||||
|
||||
# 3. Change project's owner
|
||||
project.owner = request.user
|
||||
project.save()
|
||||
# 2. Change project's owner
|
||||
project.owner = request.user
|
||||
project.save()
|
||||
|
||||
ctx["is_owner"] = True
|
||||
messages.success(request, "You are now the owner of this project!")
|
||||
|
|
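Review bot: In the accept branch, the `tr.can_accept()` check still runs before `with transaction.atomic():` opens, so the block makes the two writes all-or-nothing but does not serialise them against a concurrent cancel, re-initiate or second accept. A request that passed the check on a stale `tr` can then reassign `project.owner` after the owner has revoked the offer, and `tr.save()` writes back every field of that stale row. Consider re-reading the membership under a row lock as the first statement inside the block, `tr = project.member_set.select_for_update().get(pk=tr.pk)`, and repeating the `can_accept()` check there before changing anything. How `tr` is loaded is above this hunk and not visible, so this assumes it is a plain `Member` instance fetched earlier in `project()`.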