Add permission to check email

incuna · Apr 16, 2015 · 89362be · 89362be
1 parent 351ff9e
commit 89362be
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 3 deletions.
diff --git a/user_management/api/permissions.py b/user_management/api/permissions.py
@@ -18,3 +18,14 @@ def has_permission(self, request, view):
             return True
 
         return request.user.is_staff
+
+
+class IsAnonymousOrOwner(BasePermission):
+    """Check if user is anonymous or if email belongs to user."""
+    def has_permission(self, request, view):
+        if request.user.is_anonymous():
+            return True
+        email = request.DATA.get('email')
+        if not email:
+            return True
+        return request.user.email.lower() == email.lower()
diff --git a/user_management/api/tests/test_views.py b/user_management/api/tests/test_views.py
@@ -1028,3 +1028,23 @@ def test_send_email_authenticated(self):
 
         expected = 'example.com account validate'
         self.assertEqual(email.subject, expected)
+
+    def test_send_email_other_user(self):
+        """Assert a user can not request a confirmation email for another user."""
+        user, other_user = UserFactory.create_batch(2)
+        data = {'email': other_user.email}
+        request = self.create_request('post', user=user, data=data)
+        view = self.view_class.as_view()
+        response = view(request)
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_send_email_empty(self):
+        """Assert we delegate the error to the serializer if no email data was sent."""
+        data = {}
+        request = self.create_request('post', data=data)
+        view = self.view_class.as_view()
+        response = view(request)
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn('This field is required.', response.data['email'])
diff --git a/user_management/api/views.py b/user_management/api/views.py
@@ -298,10 +298,10 @@ class ResendConfirmationEmail(generics.GenericAPIView):
     """
     Resend a confirmation email.
 
-    `POST` request to resend a confirmation email for existing user. Useful when
-    the token has expired.
+    `POST` request to resend a confirmation email for existing user. If user is
+    authenticated the email sent should match.
     """
-    permission_classes = [AllowAny]
+    permission_classes = [permissions.IsAnonymousOrOwner]
     serializer_class = serializers.ResendConfirmationEmailSerializer
     throttle_classes = [throttling.ResendConfirmationEmailRateThrottle]
     throttle_scope = 'confirmations'