Accounts: Account takeover edge cases

[islemaster]

(FND-320) Implements three new account takeover edge cases:

Teacher taking over another teacher account that has no progress but does own sections

Given I am a teacher
And there exists another teacher
  having credential X
  and having no activity
  and owning section Y
When I link credential X
Then the other teacher is destroyed
And I own section Y instead of the other teacher

Teacher taking over a student account that has no progress but is enrolled in sections

Given I am a teacher
And there exists a student
  having credential X
  and having no activity
  and enrolled in section Y
When I link credential X
Then the student is destroyed
And I am enrolled in section Y instead of the student

Student taking over a teacher account that has no progress

Given I am a student
And there exists a teacher
  having credential X
  and having no activity
When I link credential X
Then linking credential X fails with a message about it already being in use by another account.

I've captured these cases as tests and updated our implementation to match.

[maddiedierker]

great test cases! 🥇 out of curiosity, how did we discover these edge cases?

[islemaster]

Poorva brought up this case in an email yesterday afternoon:

Currently, if you have a Clever account with no progress and then try to connect that same Clever login to another Code.org account, you can. The original Clever Code.org account will get deleted. This is intentional and desired except that we should also be checking if the teacher has sections. We aren't doing that, meaning that if the teacher has no progress but has students with progress, then the student accounts will get deleted.

It's unclear whether this has ever actually happened, but it seems to be possible and was easy to fix (the first case listed in the PR description). The other two occurred to me while fixing up the first case.