
Handle wrong person following invitation link

Merged Andreas Ellewsen requested to merge GREG-166-invitation-theft-prevention into master
1 file
+ 16
0
@@ -622,6 +622,13 @@ class GregOIDCBackend(ValidatingOIDCBackend):
not inv_person.registration_completed_date
and not name_diff_too_large(old_name, inv_name, 4)
):
logger.debug(
"Invitation (%s) opened by existing person (%s)."
" Giving role to them and deleting invited person (%s)",
invitation_link.invitation.id,
old_person.id,
inv_person.id,
)
# The name is close and the invited person has not completed
# registration. Give the role to the existing person, and
# delete the invited one.
@@ -632,6 +639,15 @@ class GregOIDCBackend(ValidatingOIDCBackend):
else:
# The logged in user has gotten someone else's invitation, and
# the invitation should be disabled.
logger.warning(
"Illegal person accessed invitation (%s). Invitation belongs to"
" person id %s, but was access by person id %s. Expiring"
" InvitationLink %s.",
invitation_link.invitation.id,
inv_person.id,
old_person.id,
invitation_link.id,
)
invitation_link.expire = timezone.now()
invitation_link.save()
else:
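Review bot: The merge branch in the first hunk deletes the invited person and gives the role to the logged-in person on the strength of a fuzzy name match (`name_diff_too_large(old_name, inv_name, 4)`), yet it is recorded only at debug level, so a deployment that logs at info or above would keep no trace of it. That is the path an invitation opened by the wrong person with a similar name would take, so `logger.info(` with the same arguments would give it an audit record comparable to the warning in the second hunk. In that warning the text "was access by" should read `" person id %s, but was accessed by person id %s. Expiring"`. The enclosing method starts and ends outside both hunks, so whether other links for the same invitation stay valid after `invitation_link.save()` cannot be checked from here.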