Remove non-org-scoped invites from backend (#585)

* Remove non-org-scoped invites - remove POST /users/invite and related tests - remove GET /users/invite-delete/{token}
2023-02-08 21:56:28 -05:00 · 2023-02-08 21:56:28 -05:00 · 103d91556f
commit 103d91556f
parent b642c53c59
2 changed files with 3 additions and 100 deletions
--- a/backend/btrixcloud/users.py
+++ b/backend/btrixcloud/users.py
@ -25,7 +25,7 @@ from fastapi_users.authentication import (
 )
 from fastapi_users.db import MongoDBUserDatabase

-from .invites import InvitePending, InviteRequest, UserRole
+from .invites import InvitePending, UserRole


 # ============================================================================
@ -446,31 +446,6 @@ def init_users_api(app, user_manager):
        print(f"user info with orgs: {user_info}", flush=True)
        return user_info

-    @users_router.post("/invite", tags=["invites"])
-    async def invite_user(
-        invite: InviteRequest,
-        request: Request,
-        user: User = Depends(current_active_user),
-    ):
-        if not user.is_superuser:
-            raise HTTPException(status_code=403, detail="Not Allowed")
-
-        await user_manager.invites.invite_user(
-            invite,
-            user,
-            user_manager,
-            org=None,
-            allow_existing=False,
-            headers=request.headers,
-        )
-
-        return {"invited": "new_user"}
-
-    @users_router.get("/invite/{token}", tags=["invites"])
-    async def get_invite_info(token: str, email: str):
-        invite = await user_manager.invites.get_valid_invite(uuid.UUID(token), email)
-        return await user_manager.format_invite(invite)
-
    @users_router.get("/me/invite/{token}", tags=["invites"])
    async def get_existing_user_invite_info(
        token: str, user: User = Depends(current_active_user)
--- a/backend/test/test_invites.py
+++ b/backend/test/test_invites.py
@ -15,9 +15,9 @@ def test_pending_invites(admin_auth_headers, default_org_id):
    INVITE_EMAIL = "invite-pending@example.com"

    r = requests.post(
-        f"{API_PREFIX}/users/invite",
+        f"{API_PREFIX}/orgs/{default_org_id}/invite",
        headers=admin_auth_headers,
-        json={"email": INVITE_EMAIL},
+        json={"email": INVITE_EMAIL, "role": 20},
    )
    assert r.status_code == 200
    data = r.json()
@ -40,75 +40,3 @@ def test_pending_invites_crawler(crawler_auth_headers, default_org_id):
    # Verify that only superusers can see pending invites
    r = requests.get(f"{API_PREFIX}/users/invites", headers=crawler_auth_headers)
    assert r.status_code == 403
-
-
-@pytest.mark.parametrize(
-    "invite_email, expected_stored_email",
-    [
-        # Standard email
-        ("invite-to-accept@example.com", "invite-to-accept@example.com"),
-        # Email address with comments
-        ("user+comment@example.com", "user+comment@example.com"),
-        # URL encoded email address with comments
-        ("user%2Bcomment-encoded%40example.com", "user+comment-encoded@example.com"),
-        # User email with diacritic characters
-        ("diacritic-tést@example.com", "diacritic-tést@example.com"),
-        # User email with encoded diacritic characters
-        (
-            "diacritic-t%C3%A9st-encoded%40example.com",
-            "diacritic-tést-encoded@example.com",
-        ),
-    ],
-)
-def test_send_and_accept_invite(
-    admin_auth_headers, default_org_id, invite_email, expected_stored_email
-):
-    # Send invite
-    r = requests.post(
-        f"{API_PREFIX}/users/invite",
-        headers=admin_auth_headers,
-        json={"email": invite_email},
-    )
-    assert r.status_code == 200
-    data = r.json()
-    assert data["invited"] == "new_user"
-
-    # Look up token
-    r = requests.get(
-        f"{API_PREFIX}/users/invites",
-        headers=admin_auth_headers,
-    )
-    assert r.status_code == 200
-    data = r.json()
-    invites_matching_email = [
-        invite
-        for invite in data["pending_invites"]
-        if invite["email"] == expected_stored_email
-    ]
-    token = invites_matching_email[0]["id"]
-
-    # Register user
-    # Note: This will accept invitation without needing to call the
-    # accept invite endpoint explicitly due to post-registration hook.
-    r = requests.post(
-        f"{API_PREFIX}/auth/register",
-        headers=admin_auth_headers,
-        json={
-            "name": "accepted",
-            "email": expected_stored_email,
-            "password": "testpw",
-            "inviteToken": token,
-            "newOrg": False,
-        },
-    )
-    assert r.status_code == 201
-
-    # Verify user belongs to org
-    r = requests.get(f"{API_PREFIX}/orgs/{default_org_id}", headers=admin_auth_headers)
-    assert r.status_code == 200
-    data = r.json()
-    users = data["users"]
-    users_with_invited_email = [
-        user for user in users.values() if user["email"] == expected_stored_email
-    ]
-    assert len(users_with_invited_email) == 1