[fix bug 760318] Only staff can be in Staff group.

Update UserProfile post_save signal to force users into the Staff group iff they have an email address in the AUTO_VOUCH_DOMAINS setting.
mozilla · Jun 5, 2012 · f8a00f0 · f8a00f0
1 parent e9883f2
commit f8a00f0
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 8 deletions.
diff --git a/apps/users/models.py b/apps/users/models.py
@@ -201,12 +201,14 @@ def auto_vouch(sender, instance, raw, using, **kwargs):
 
 @receiver(models.signals.post_save, sender=UserProfile)
 def add_to_staff_group(sender, instance, created, **kwargs):
-    """Add all mozilla.com users to the "staff" group upon creation."""
-    if created:
-        email = instance.user.email
-        if (any(email.endswith('@' + x) for x in
-                                               settings.AUTO_VOUCH_DOMAINS)):
-            instance.groups.add(Group.objects.get(name='staff', system=True))
+    """Keep users in the staff group if they're autovouchable."""
+    email = instance.user.email
+    staff = Group.objects.get(name='staff', system=True)
+    if any(email.endswith('@' + x) for x in
+           settings.AUTO_VOUCH_DOMAINS):
+        instance.groups.add(staff)
+    elif staff in instance.groups.all():
+        instance.groups.remove(staff)
 
 
 @receiver(dbsignals.post_save, sender=UserProfile)

diff --git a/apps/users/tests.py b/apps/users/tests.py
@@ -1,12 +1,13 @@
-from django.contrib.auth.models import User
 from django.conf import settings
+from django.contrib.auth.models import User
+from django.test.utils import override_settings
 
 from funfactory.urlresolvers import reverse
 from nose.tools import eq_
 from pyquery import PyQuery as pq
 
 from common import browserid_mock
-from common.tests import ESTestCase, TestCase
+from common.tests import ESTestCase, TestCase, user
 from groups.models import Group
 from users.models import UserProfile
 
@@ -391,3 +392,47 @@ def test_login(self):
                 r = self.client.post(reverse('register'), info, follow=True)
 
             eq_(r.status_code, 200)
+
+
+@override_settings(AUTO_VOUCH_DOMAINS=('mozilla.com',))
+class AutoVouchTests(TestCase):
+
+    def test_only_autovouch_in_staff(self):
+        """Restrict the staff group to emails in AUTO_VOUCH_DOMAINS."""
+        staff = Group.objects.get_or_create(name='staff', system=True)[0]
+        staff_user = user(email='abcd@mozilla.com')
+        staff_profile = staff_user.get_profile()
+        staff_profile.save()
+        assert staff in staff_profile.groups.all(), (
+            'Auto-vouched email in staff group by default.')
+
+        staff_profile.groups.remove(staff)
+        staff_profile.save()
+        assert staff in staff_profile.groups.all(), (
+            'Auto-vouched email cannot be removed from staff group.')
+
+        community_user = user()
+        community_profile = community_user.get_profile()
+        community_profile.save()
+        assert staff not in community_profile.groups.all(), (
+            'Non-auto-vouched email not automatically in staff group.')
+
+        community_profile.groups.add(staff)
+        community_profile.save()
+        assert staff not in community_profile.groups.all(), (
+            'Non-auto-vouched email cannot be added to staff group.')
+
+    def test_autovouch_email(self):
+        """Users with emails in AUTO_VOUCH_DOMAINS should be vouched."""
+        auto_user = user(email='abcd@mozilla.com')
+        auto_profile = auto_user.get_profile()
+        auto_profile.save()
+        assert auto_profile.is_vouched, 'Profile should be vouched.'
+        assert auto_profile.vouched_by is None, (
+            'Profile should not have a voucher.')
+
+        non_auto_user = user()
+        non_auto_profile = non_auto_user.get_profile()
+        non_auto_profile.save()
+        assert not non_auto_profile.is_vouched, (
+            'Profile should not be vouched.')