-
Notifications
You must be signed in to change notification settings - Fork 687
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle case of deleted journalists #5284
Handle case of deleted journalists #5284
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should have a list of usernames which will not be allowed, that will enable us to add more such keywords/names safely to the blocking list in future.
We also need required unit and functional tests and also related explanation documentation for the same in the PR.
@kushaldas Done. Ready for another review. Let me know if I missed something. |
@prateekj117 this PR needs a rebase with |
@prateekj117 Also, can you please add a functional test for the same? As right now the error should propagate to the admin nicely. |
f2db3a0
to
997fed7
Compare
@kushaldas Done. Ready for another review. |
@kushaldas One thing that can be missing from here is I think we can also check the exception that is being raised in unit tests. Let me know if that is required. |
Hey @kushaldas. The thing is, it's an endpoint, I am not sure how I will write a test for checking exception raising. |
97ef783
to
0b9ecfd
Compare
Ok, I think I got what you meant. Added the tests. Let me know if anything else is required. |
This whole code base is server side. I don't understand what do you mean by endpoint in this case. You have to test that the right error message is showing in the proper way in the web application, Please have a look at https://github.com/freedomofpress/securedrop/blob/develop/securedrop/tests/functional/test_source_notfound.py or any other file in that directory for examples. |
@kushaldas Now that I see the examples, I get it. I will correct it. Thanks !!! |
a385888
to
9e43e6c
Compare
@kushaldas Done. |
d0f7373
to
85327b0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @prateekj117. This looks pretty good. I requested a pedantic grammar change, would like to keep the list of invalid usernames on the Journalist
model, and think we should omit invalid usernames from the exception or flash messages.
85327b0
to
bf1d966
Compare
@rmol Did the changes. Ready for another review. |
bf1d966
to
4a4818d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should get some feedback from @ninavizz about adding/showing the invalid usernames in the web form to create a new user.
4a4818d
to
6fafa9f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good. I've run through the test scenario and confirmed behavior and messaging with the latest changes. Thanks again for your patience and perseverance, @prateekj117.
In #5284 we made sure that the username `deleted` is not not allowed to be added in the system via the admin section of the journalist web application. But, one could still edit any existing user and change the name to `deleted`. Or, an admin can add a new user via `manage.py` in command line. In PR adds checks to make sure that addiving a new user via `manage.py` will fail if you try to set the username as `deleted`, it also blocks editing any existing username to `deleted`. The PR also includes unit and functional tests.
In #5284 we made sure that the username `deleted` is not not allowed to be added in the system via the admin section of the journalist web application. But, one could still edit any existing user and change the name to `deleted`. Or, an admin can add a new user via `manage.py` in command line. In PR adds checks to make sure that addiving a new user via `manage.py` will fail if you try to set the username as `deleted`, it also blocks editing any existing username to `deleted`. The PR also includes unit and functional tests.
In #5284 we made sure that the username `deleted` is not not allowed to be added in the system via the admin section of the journalist web application. But, one could still edit any existing user and change the name to `deleted`. Or, an admin can add a new user via `manage.py` in command line. In PR adds checks to make sure that addiving a new user via `manage.py` will fail if you try to set the username as `deleted`, it also blocks editing any existing username to `deleted`. The PR also includes unit and functional tests. (cherry picked from commit 90e19ea)
Status
Ready for review
Description of Changes
Fixes #5232
Changes proposed in this pull request:
Because of #5178, deleted journalist
username
anduuid
is set todeleted
. We should not allow the deleted journalist to login. Also, we can differentiate it from other not deleted journalists whose username is deleted by comparing both theusername
anduuid
rather than just username. Also, we should not allow adding new journalist with usernamedeleted
for less confusion.Testing
How should the reviewer test this PR?
Make a test journalist with username
deleted
, it would fail (due to changes inform.py
file). Undo those changes and make a new journalist with usernamedeleted
and try logging in using credentials of that journalist, it should succeed. Changeuuid
of that journalist todeleted
, it should fail to login again for that journalist.Checklist
If you made changes to the server application code:
make lint
) and tests (make test
) pass in the development containerIf you made changes to
securedrop-admin
:make -C admin test
) pass in the admin development containerIf you made changes to the system configuration:
If you made non-trivial code changes: