Merge pull request #4517 from gratipay/close-loophole

Prevent claiming already-claimed packages
gratipay · Jun 15, 2017 · 4b93a90 · 4b93a90
2 parents 76bb0d4 + bf20047
commit 4b93a90
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/gratipay/testing/harness.py b/gratipay/testing/harness.py
@@ -427,7 +427,19 @@ def get_tip(self, tipper, tippee):
     def add_and_verify_email(self, participant, *emails):
         """Given a participant and some email addresses, add and verify them.
         """
+        if participant.__class__ is not Participant:
+            participant = P(participant)
         for email in emails:
             participant.start_email_verification(email)
             nonce = participant.get_email(email).nonce
             participant.finish_email_verification(email, nonce)
+
+
+    def claim_package(self, participant, package):
+        """Given a participant and a package, claim the package for the participant.
+        """
+        if participant.__class__ is not Participant:
+            participant = P(participant)
+        if package.__class__ is not Package:
+            package = Package.from_names(NPM, package)
+        package.get_or_create_linked_team(self.db, participant)
diff --git a/tests/py/test_email.py b/tests/py/test_email.py
@@ -295,7 +295,7 @@ def test_package_verification_fails_if_email_not_listed(self):
         assert response.code == 400
         assert self.db.all('select package_id from claims order by package_id') == []
 
-    def test_package_verification_fails_package_id_is_garbage(self):
+    def test_package_verification_fails_if_package_id_is_garbage(self):
         response = self.hit_email_spt( 'start-verification'
                                      , '[email protected]'
                                      , package_ids=['cheese monkey']
@@ -304,6 +304,26 @@ def test_package_verification_fails_package_id_is_garbage(self):
         assert response.code == 400
         assert self.db.all('select package_id from claims order by package_id') == []
 
+    def test_package_reverification_succeeds_if_package_is_already_claimed_by_self(self):
+        foo = self.make_package()
+        self.claim_package('alice', foo)
+        response = self.hit_email_spt( 'start-verification'
+                                     , '[email protected]'
+                                     , package_ids=[foo.id]
+                                      )
+        assert response.code == 200
+
+    def test_package_verification_fails_if_package_is_already_claimed_by_other(self):
+        self.make_participant('bob', claimed_time='now', email_address='[email protected]')
+        foo = self.make_package(emails=['[email protected]', '[email protected]'])
+        self.claim_package('bob', foo)
+        response = self.hit_email_spt( 'start-verification'
+                                     , '[email protected]'
+                                     , package_ids=[foo.id]
+                                     , should_fail=True
+                                      )
+        assert response.code == 400
+
 
 class TestFunctions(Alice):
 

diff --git a/www/~/%username/emails/modify.json.spt b/www/~/%username/emails/modify.json.spt
@@ -4,7 +4,6 @@ Manages the authenticated user's email addresses.
 import re
 
 from aspen import Response
-from gratipay.exceptions import EmailTaken, EmailAlreadyVerified, Throttled
 from gratipay.utils import get_participant
 from gratipay.models.package import Package
 
@@ -37,6 +36,9 @@ if action in ('add-email', 'resend', 'start-verification'):
             try:
                 package = Package.from_id(package_id)
                 assert address in package.emails
+                team = package.team
+                owner = team.owner if team else None
+                assert owner == user.participant.username if owner else True
             except:
                 raise Response(400)
             packages.append(package)