From bd226c46d82b31158c2862342f6f1ae613212442 Mon Sep 17 00:00:00 2001
From: Amelia Cordwell <ameliacordwell@catalyst.net.nz>
Date: Thu, 8 Jun 2017 16:11:07 +1200
Subject: [PATCH] Check action validity on submit before returning

If an action becomes invalid after during submit,
currently a user will get an OK response and an email stating the
completion of the action.

Now returns 400 in this case and does not send the email.

Change-Id: I4b998742cd2dfbafd40ff277a68ce9aca45b7872
---
 adjutant/api/v1/tests/test_api_taskview.py | 38 ++++++++++++++++++++++
 adjutant/api/v1/views.py                   |  8 +++++
 2 files changed, 46 insertions(+)

diff --git a/adjutant/api/v1/tests/test_api_taskview.py b/adjutant/api/v1/tests/test_api_taskview.py
index ab0ad7b..8cbef41 100644
--- a/adjutant/api/v1/tests/test_api_taskview.py
+++ b/adjutant/api/v1/tests/test_api_taskview.py
@@ -284,6 +284,44 @@ class TaskViewTests(AdjutantAPITestCase):
         response = self.client.post(url, data, format='json')
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
+    def test_new_project_invalid_on_submit(self):
+        """
+        Ensures that when a project becomes invalid at the submit stage
+        that the a 400 is recieved and no final emails are sent.
+        """
+
+        setup_temp_cache({}, {})
+
+        url = "/v1/actions/CreateProject"
+        data = {'project_name': "test_project", 'email': "test@example.com"}
+        response = self.client.post(url, data, format='json')
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        headers = {
+            'project_name': "test_project",
+            'project_id': "test_project_id",
+            'roles': "admin,_member_",
+            'username': "test@example.com",
+            'user_id': "test_user_id",
+            'authenticated': True
+        }
+        new_task = Task.objects.all()[0]
+        url = "/v1/tasks/" + new_task.uuid
+        response = self.client.post(url, {'approved': True}, format='json',
+                                    headers=headers)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(
+            response.data,
+            {'notes': ['created token']}
+        )
+        tests.temp_cache['projects'] = {}
+
+        new_token = Token.objects.all()[0]
+        url = "/v1/tokens/" + new_token.token
+        data = {'password': 'testpassword'}
+        response = self.client.post(url, data, format='json')
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
     def test_new_project_existing(self):
         """
         Test to ensure validation marks actions as invalid
diff --git a/adjutant/api/v1/views.py b/adjutant/api/v1/views.py
index 92d3393..087c123 100644
--- a/adjutant/api/v1/views.py
+++ b/adjutant/api/v1/views.py
@@ -751,9 +751,14 @@ class TokenDetail(APIViewWithLogger):
         if errors:
             return Response({"errors": errors}, status=400)
 
+        valid = True
         for action in actions:
             try:
                 action.submit(data)
+
+                if not action.valid:
+                    valid = False
+
             except Exception as e:
                 notes = {
                     'errors':
@@ -781,6 +786,9 @@ class TokenDetail(APIViewWithLogger):
         token.task.save()
         token.delete()
 
+        if not valid:
+            return Response({"errors": ["Actions invalid"]}, status=400)
+
         # Sending confirmation email:
         class_conf = settings.TASK_SETTINGS.get(
             token.task.task_type, settings.DEFAULT_TASK_SETTINGS)