From a62c03b5a800ceb7785caff3203359ba53fe8199 Mon Sep 17 00:00:00 2001 From: Phil Dominguez <142051477+phildominguez-gsa@users.noreply.github.com> Date: Mon, 17 Jun 2024 08:14:22 -0400 Subject: [PATCH] Prevent skipping submission steps 1 and 2 (#3962) * Checking referer header for auditeeinfo page * Lint * Var name tweak * Using user profile data instead of referer header * Lint * Preventing step 2 skip * Test fixes * Comment --- backend/report_submission/test_views.py | 45 +++++++++++++++++++++++-- backend/report_submission/views.py | 29 ++++++++++++---- 2 files changed, 64 insertions(+), 10 deletions(-) diff --git a/backend/report_submission/test_views.py b/backend/report_submission/test_views.py index 7fdf3ec13b..5ea9a51704 100644 --- a/backend/report_submission/test_views.py +++ b/backend/report_submission/test_views.py @@ -110,9 +110,9 @@ class TestPreliminaryViews(TestCase): } step2_data = { - "auditee_uei": "Lw4MXE7SKMV1", - "auditee_fiscal_period_start": "01/01/2021", - "auditee_fiscal_period_end": "12/31/2021", + "auditee_uei": "D7A4J33FUMJ1", + "auditee_fiscal_period_start": "2021-01-01", + "auditee_fiscal_period_end": "2021-12-31", } step3_data = { @@ -260,6 +260,8 @@ def test_step_two_auditeeinfo_submission_empty(self, mock_get_uei_info): } user = baker.make(User) + user.profile.entry_form_data = self.step1_data + user.profile.save() self.client.force_login(user) url = reverse("report_submission:auditeeinfo") @@ -295,6 +297,8 @@ def test_step_two_auditeeinfo_invalid_dates(self, mock_get_uei_info): mock_get_uei_info.return_value = {"valid": True} user = baker.make(User) + user.profile.entry_form_data = self.step1_data + user.profile.save() self.client.force_login(user) url = reverse("report_submission:auditeeinfo") 
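Review bot: The profile setup added in the `@@ -260` and `@@ -295` hunks (`user.profile.entry_form_data = self.step1_data` followed by `user.profile.save()`) carries no comment saying why these tests now need it, so a reader sees only that the fixture changed alongside the view. A one-line comment such as `# The step-2 view now redirects to eligibility unless step-1 data is on the profile` would tie the setup to the guard it satisfies. The fixture edit in `@@ -110` (new UEI and ISO-formatted dates in `step2_data`) is likewise unexplained; if the dates changed because the check that now consumes `step2_data` expects `YYYY-MM-DD`, a short comment on the dict would save the next editor from reverting it.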
@@ -328,6 +332,12 @@ def test_step_three_accessandsubmission_submission_fail(self): Check that the POST succeeds with appropriate data. """ user = baker.make(User) + user.profile.entry_form_data = { + **self.step1_data, + **self.step2_data, + **self.step3_data, + } + user.profile.save() self.client.force_login(user) url = reverse("report_submission:accessandsubmission") @@ -378,6 +388,35 @@ def test_accessandsubmissionformview_get_requires_login(self): self.assertIsInstance(response, HttpResponseRedirect) self.assertTrue("openid/login" in response.url) + def test_auditeeinfo_no_eligibility(self): + user = baker.make(User) + user.profile.entry_form_data = { + **self.step1_data, + "is_usa_based": False, # Ineligible + } + user.profile.save() + self.client.force_login(user) + + url = reverse("report_submission:auditeeinfo") + response = self.client.get(url) + + # Should redirect to step 1 page due to no eligibility + self.assertIsInstance(response, HttpResponseRedirect) + self.assertTrue("report_submission/eligibility" in response.url) + + def test_accessandsubmission_no_auditee_info(self): + user = baker.make(User) + user.profile.entry_form_data = self.step1_data + user.profile.save() + self.client.force_login(user) + + url = reverse("report_submission:accessandsubmission") + response = self.client.get(url) + + # Should redirect to step 2 page since auditee info isn't present + self.assertIsInstance(response, HttpResponseRedirect) + self.assertTrue("report_submission/auditeeinfo" in response.url) + class GeneralInformationFormViewTests(TestCase): def test_get_requires_login(self): diff --git a/backend/report_submission/views.py b/backend/report_submission/views.py index c5b53ec044..ab244a3d8d 100644 --- a/backend/report_submission/views.py +++ b/backend/report_submission/views.py 
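Review bot: The two new tests in the `@@ -378` hunk exercise only `self.client.get`; if the step gate is also meant to hold for form submission, a `self.client.post(url, self.step2_data)` (and the step-3 equivalent) with the same ineligible or incomplete profile should be asserted to redirect as well, otherwise the suite stays green while a direct POST goes unchecked — the views' `post()` methods are not in this diff, so this is inferred rather than observed. Neighbouring tests carry a docstring (`Check that the POST succeeds with appropriate data.`); add one to each new test, e.g. `"""GET on step 2 redirects to step 1 when the stored profile data is ineligible."""`. `self.assertIn("report_submission/eligibility", response.url)` would also give a clearer failure message than `assertTrue(... in ...)`, although the existing test just above uses the same form.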
@@ -53,10 +53,17 @@ def post(self, post_request): # Step 2 class AuditeeInfoFormView(LoginRequiredMixin, View): def get(self, request): - args = {} - args["step"] = 2 - args["form"] = AuditeeInfoForm() - return render(request, "report_submission/step-2.html", args) + entry_form_data = request.user.profile.entry_form_data + eligible = api.views.eligibility_check(request.user, entry_form_data) + + # Prevent users from skipping the eligibility form + if not eligible.get("eligible"): + return redirect(reverse("report_submission:eligibility")) + else: + args = {} + args["step"] = 2 + args["form"] = AuditeeInfoForm() + return render(request, "report_submission/step-2.html", args) # render auditee info form @@ -95,9 +102,17 @@ def post(self, request): # Step 3 class AccessAndSubmissionFormView(LoginRequiredMixin, View): def get(self, request): - args = {} - args["step"] = 3 - return render(request, "report_submission/step-3.html", args) + info_check = api.views.auditee_info_check( + request.user, request.user.profile.entry_form_data + ) + + # Prevent users from skipping the auditee info form + if info_check.get("errors"): + return redirect(reverse("report_submission:auditeeinfo")) + else: + args = {} + args["step"] = 3 + return render(request, "report_submission/step-3.html", args) # render access-submission form
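Review bot: The eligibility gate is added only to `get()`, and the same holds for the auditee-info gate in the `@@ -95` hunk; both views' `post()` methods start outside these hunks, so whether they repeat the check is not visible here, and if they do not, a client can still skip a step by submitting the step-2 or step-3 form directly, which is exactly what the commit sets out to prevent. Run the same check at the top of each `post()`, e.g. `if not api.views.eligibility_check(request.user, request.user.profile.entry_form_data).get("eligible"): return redirect(reverse("report_submission:eligibility"))`, or move it into a small helper that both methods call so the two cannot drift apart. The `else:` after `return redirect(...)` is redundant in both hunks; dedenting the render branch reads as a plain guard clause. Whether `eligibility_check` and `auditee_info_check` tolerate a profile whose `entry_form_data` was never populated (its field default) is also not visible here; the new tests only cover an explicit `is_usa_based: False` and step-1-only data.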