From 534bc5eaa1da6389cb96e8b65abd36f1c4674c2c Mon Sep 17 00:00:00 2001
From: Omer Lachish
Date: Thu, 17 Jan 2019 10:11:44 +0200
Subject: [PATCH 1/2] explicitly look for a False under details['is_invitation_pending'] and not any falsey result, to avoid locking out invitations which were created before the Pending Invitation feature was introduced. Solves https://github.com/getredash/redash/issues/3297
---
 redash/handlers/authentication.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/redash/handlers/authentication.py b/redash/handlers/authentication.py
index d6c0380d6a..77b5de0ec5 100644
--- a/redash/handlers/authentication.py
+++ b/redash/handlers/authentication.py
@@ -38,7 +38,7 @@ def render_token_login_page(template, org_slug, token):
 return render_template("error.html", error_message="Your invite link has expired. Please ask for a new one."), 400
- if not user.is_invitation_pending:
+ if user.details.get('is_invitation_pending') is False:
 return render_template("error.html", error_message=("This invitation has already been accepted. " "Please try resetting your password instead.")), 400
From 4d124841a551eb89adbf238aee9933756f87cf49 Mon Sep 17 00:00:00 2001
From: Omer Lachish
Date: Thu, 17 Jan 2019 10:54:58 +0200
Subject: [PATCH 2/2] test that old invites (that do not have any is_invitation_pending flag set in their details object) are still acceptable
---
 tests/handlers/test_authentication.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/tests/handlers/test_authentication.py b/tests/handlers/test_authentication.py
index c0fb797d9f..1559921d14 100644
--- a/tests/handlers/test_authentication.py
+++ b/tests/handlers/test_authentication.py
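Review bot: In render_token_login_page (redash/handlers/authentication.py, first patch), the new `is False` comparison fails open: only a stored literal `False` rejects the link, while a missing key, `None` or any other value is treated as a pending invitation. That admits invitations created before the flag existed, but a legacy account that already accepted its invitation presumably has no key either, so its old invite link would still pass this check until the token expires. A backfill migration that writes the flag for existing users would let the check become strict again; until then, state the intent in place, e.g. `# rows created before the pending-invitation flag have no key; only an explicit False means accepted`. It is also worth confirming that `user.details` can never be `None`, since `.get` would raise here. The function starts and ends outside the hunk.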
@@ -50,6 +50,12 @@ def test_bad_token(self):
 response = self.post_request('/invite/{}'.format('jdsnfkjdsnfkj'), data={'password': '1234'}, org=self.factory.org)
 self.assertEqual(response.status_code, 400)
+ def test_user_invited_before_invitation_pending_check(self):
+ user = self.factory.create_user(details={})
+ token = invite_token(user)
+ response = self.post_request('/invite/{}'.format(token), data={'password': 'test1234'}, org=self.factory.org)
+ self.assertEqual(response.status_code, 302)
+
 def test_already_active_user(self):
 token = invite_token(self.factory.user)
 self.post_request('/invite/{}'.format(token), data={'password': 'test1234'}, org=self.factory.org)
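Review bot: test_user_invited_before_invitation_pending_check asserts only the 302 on first use, so it does not pin the property the `is False` check now depends on: that accepting a legacy invitation records the flag and the same token is refused afterwards. Repeat the request and assert the rejection, `response = self.post_request('/invite/{}'.format(token), data={'password': 'test1234'}, org=self.factory.org)` followed by `self.assertEqual(response.status_code, 400)`. Whether the POST handler writes the flag is not visible in this hunk, so treat the expected 400 as the behaviour to confirm.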