Prevent skipping submission steps 1 and 2 (#3962)
* Checking referer header for auditeeinfo page

* Lint

* Var name tweak

* Using user profile data instead of referer header

* Lint

* Preventing step 2 skip

* Test fixes

* Comment
phildominguez-gsa authored Jun 17, 2024
1 parent 8100219 commit a62c03b
Showing 2 changed files with 64 additions and 10 deletions.
45 changes: 42 additions & 3 deletions backend/report_submission/test_views.py
Expand Up @@ -110,9 +110,9 @@ class TestPreliminaryViews(TestCase):
}

step2_data = {
"auditee_uei": "Lw4MXE7SKMV1",
"auditee_fiscal_period_start": "01/01/2021",
"auditee_fiscal_period_end": "12/31/2021",
"auditee_uei": "D7A4J33FUMJ1",
"auditee_fiscal_period_start": "2021-01-01",
"auditee_fiscal_period_end": "2021-12-31",
}

step3_data = {
Expand Down Expand Up @@ -260,6 +260,8 @@ def test_step_two_auditeeinfo_submission_empty(self, mock_get_uei_info):
}

user = baker.make(User)
user.profile.entry_form_data = self.step1_data
user.profile.save()
self.client.force_login(user)
url = reverse("report_submission:auditeeinfo")

Expand Down Expand Up @@ -295,6 +297,8 @@ def test_step_two_auditeeinfo_invalid_dates(self, mock_get_uei_info):
mock_get_uei_info.return_value = {"valid": True}

user = baker.make(User)
user.profile.entry_form_data = self.step1_data
user.profile.save()
self.client.force_login(user)
url = reverse("report_submission:auditeeinfo")

Expand Down Expand Up @@ -328,6 +332,12 @@ def test_step_three_accessandsubmission_submission_fail(self):
Check that the POST succeeds with appropriate data.
"""
user = baker.make(User)
user.profile.entry_form_data = {
**self.step1_data,
**self.step2_data,
**self.step3_data,
}
user.profile.save()
self.client.force_login(user)
url = reverse("report_submission:accessandsubmission")

Expand Down Expand Up @@ -378,6 +388,35 @@ def test_accessandsubmissionformview_get_requires_login(self):
self.assertIsInstance(response, HttpResponseRedirect)
self.assertTrue("openid/login" in response.url)

def test_auditeeinfo_no_eligibility(self):
user = baker.make(User)
user.profile.entry_form_data = {
**self.step1_data,
"is_usa_based": False, # Ineligible
}
user.profile.save()
self.client.force_login(user)

url = reverse("report_submission:auditeeinfo")
response = self.client.get(url)

# Should redirect to step 1 page due to no eligibility
self.assertIsInstance(response, HttpResponseRedirect)
self.assertTrue("report_submission/eligibility" in response.url)

def test_accessandsubmission_no_auditee_info(self):
user = baker.make(User)
user.profile.entry_form_data = self.step1_data
user.profile.save()
self.client.force_login(user)

url = reverse("report_submission:accessandsubmission")
response = self.client.get(url)

# Should redirect to step 2 page since auditee info isn't present
self.assertIsInstance(response, HttpResponseRedirect)
self.assertTrue("report_submission/auditeeinfo" in response.url)


class GeneralInformationFormViewTests(TestCase):
def test_get_requires_login(self):
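Review bot: The two new tests (test_auditeeinfo_no_eligibility and test_accessandsubmission_no_auditee_info) only exercise GET; nothing here asserts that a POST to the step-2 or step-3 URL from a profile that has not completed the earlier step is also refused, which is the path that actually matters for the skip the commit title prevents, so a parallel POST test is worth adding if the views enforce it there. The substring checks would fail more informatively as `self.assertIn("report_submission/eligibility", response.url)` (and likewise `self.assertIn("report_submission/auditeeinfo", response.url)`). Unlike their neighbours, the new tests carry no docstring; a one-liner such as `"""GET on step 2 redirects to step 1 when the stored entry data is ineligible."""` would match the file's style. The reason step2_data's UEI and date values changed in the first hunk is not recorded; a short comment stating that they must now pass auditee_info_check, if that is the cause, would save the next reader a trip through the history.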
29 changes: 22 additions & 7 deletions backend/report_submission/views.py
Expand Up @@ -53,10 +53,17 @@ def post(self, post_request):
# Step 2
class AuditeeInfoFormView(LoginRequiredMixin, View):
def get(self, request):
args = {}
args["step"] = 2
args["form"] = AuditeeInfoForm()
return render(request, "report_submission/step-2.html", args)
entry_form_data = request.user.profile.entry_form_data
eligible = api.views.eligibility_check(request.user, entry_form_data)

# Prevent users from skipping the eligibility form
if not eligible.get("eligible"):
return redirect(reverse("report_submission:eligibility"))
else:
args = {}
args["step"] = 2
args["form"] = AuditeeInfoForm()
return render(request, "report_submission/step-2.html", args)

# render auditee info form

Expand Down Expand Up @@ -95,9 +102,17 @@ def post(self, request):
# Step 3
class AccessAndSubmissionFormView(LoginRequiredMixin, View):
def get(self, request):
args = {}
args["step"] = 3
return render(request, "report_submission/step-3.html", args)
info_check = api.views.auditee_info_check(
request.user, request.user.profile.entry_form_data
)

# Prevent users from skipping the auditee info form
if info_check.get("errors"):
return redirect(reverse("report_submission:auditeeinfo"))
else:
args = {}
args["step"] = 3
return render(request, "report_submission/step-3.html", args)

# render access-submission form

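Review bot: The new eligibility guard in AuditeeInfoFormView.get covers only the GET that renders the form; if the class's post() (outside this hunk) does not run the same check, a client can still skip step 1 by posting step-2 data directly, so the server-side gate belongs in post() as well, and the same applies to AccessAndSubmissionFormView.get and its post() in the second hunk. The `else:` after a `return` is unnecessary in both views; the body flattens to `if not eligible.get("eligible"): return redirect("report_submission:eligibility")` followed by the render, since `redirect()` accepts a URL name directly. The comment above the check would also be more useful if it stated what `eligibility_check` returns when `entry_form_data` is empty for a profile that never completed step 1, because the `.get("eligible")` falling back to None is presumably what redirects a fresh user, and that intent is not visible here.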
