require a verified email address for any account action (#15692)

* require a verified email address for any account action * Separate unverified views into a different route entirely * Use mixin for both * push this a bit more forward 🥚🐣 * Add emails to unverified template * We don't need separate routes for reverification * fix tests and translations * Remove unavailable options * Update language * Update translations * Revert template changes * Testing * Branch the redirect * Update translations ya dummy * Permit accounts without verified email to verify email * Don't need startswith * Fix typo * Fix typo * Remove unnecessary routes * Revert "Remove unnecessary routes" This reverts commit 0a4a0fc. * Fix typogit diff! --------- Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
pypi · Apr 1, 2024 · 3f9e0e2 · 3f9e0e2
1 parent 3f8c520
commit 3f9e0e2
Show file tree

Hide file tree

Showing 9 changed files with 854 additions and 156 deletions.
diff --git a/tests/functional/manage/test_views.py b/tests/functional/manage/test_views.py
@@ -41,7 +41,7 @@ def test_save_account(self, pyramid_services, user_service, db_request):
         db_request.path = "/manage/accounts/"
         db_request.POST = MultiDict({"name": "new name", "public_email": ""})
 
-        views.ManageAccountViews(db_request).save_account()
+        views.ManageVerifiedAccountViews(db_request).save_account()
         user = user_service.get_user(user.id)
 
         assert user.name == "new name"

diff --git a/tests/unit/manage/test_views.py b/tests/unit/manage/test_views.py
diff --git a/tests/unit/test_routes.py b/tests/unit/test_routes.py
@@ -211,6 +211,9 @@ def add_policy(name, filename):
             "/account/verify-project-role/",
             domain=warehouse,
         ),
+        pretend.call(
+            "manage.unverified-account", "/manage/unverified-account/", domain=warehouse
+        ),
         pretend.call("manage.account", "/manage/account/", domain=warehouse),
         pretend.call(
             "manage.account.publishing", "/manage/account/publishing/", domain=warehouse

diff --git a/warehouse/accounts/security_policy.py b/warehouse/accounts/security_policy.py
@@ -184,8 +184,8 @@ def _permits_for_user_policy(acl, request, context, permission):
     if (
         isinstance(res, Allowed)
         and not request.identity.has_primary_verified_email
-        and request.matched_route.name.startswith("manage")
-        and request.matched_route.name != "manage.account"
+        and request.matched_route.name
+        not in {"manage.unverified-account", "accounts.verify-email"}
     ):
         return WarehouseDenied("unverified", reason="unverified_email")
 
@@ -214,6 +214,8 @@ def _check_for_mfa(request, context) -> WarehouseDenied | None:
         "manage.account.totp-provision",
         "manage.account.two-factor",
         "manage.account.webauthn-provision",
+        "manage.unverified-account",
+        "accounts.verify-email",
     ]
 
     if (