|
6 | 6 | from django.http import HttpRequest
|
7 | 7 | from django.urls import reverse
|
8 | 8 | from rest_framework import status
|
| 9 | +from rest_framework.authentication import SessionAuthentication |
9 | 10 | from rest_framework.request import Request
|
10 | 11 | from rest_framework.response import Response
|
11 | 12 |
|
@@ -89,6 +90,7 @@ class AcceptOrganizationInvite(Endpoint):
|
89 | 90 | "POST": ApiPublishStatus.UNKNOWN,
|
90 | 91 | }
|
91 | 92 | # Disable authentication and permission requirements.
|
| 93 | + authentication_classes = (SessionAuthentication,) |
92 | 94 | permission_classes = ()
|
93 | 95 |
|
94 | 96 | @staticmethod
|
@@ -146,6 +148,20 @@ def get(
|
146 | 148 |
|
147 | 149 | response = Response(None)
|
148 | 150 |
|
| 151 | + # if the user is already authenticated, let's make sure |
| 152 | + # they have the email that the invite was sent to as a |
| 153 | + # verified email on their account |
| 154 | + if self.request.user.is_authenticated: |
| 155 | + user_verified_emails = {e.email for e in self.request.user.get_verified_emails()} |
| 156 | + |
| 157 | + if organization_member.email not in user_verified_emails: |
| 158 | + return Response( |
| 159 | + status=403, |
| 160 | + data={ |
| 161 | + "details": "Your account must have a verified email matching the email the invite was sent to." |
| 162 | + }, |
| 163 | + ) |
| 164 | + |
149 | 165 | # Allow users to register an account when accepting an invite
|
150 | 166 | if not helper.user_authenticated:
|
151 | 167 | request.session["can_register"] = True
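Review bot: The verified-email guard added at new lines 154–163 runs only in `get`, which renders the invite, while the accept itself happens in `post` (third hunk, body outside this page), so the same check should be enforced there too — or moved into a helper both methods call — otherwise the guard on the GET path does not protect the state-changing path. Inside the guard, `self.request.user.is_authenticated` is used where the surrounding code reads `request` and `helper.user_authenticated` (new line 166); picking one source of truth avoids the two ever disagreeing. The literal `status=403` can use the already-imported constant, `return Response(status=status.HTTP_403_FORBIDDEN, data={...})`. The comment at new line 92, `# Disable authentication and permission requirements.`, is now stale because `authentication_classes = (SessionAuthentication,)` enables session authentication (and with it DRF's CSRF enforcement on session-authenticated POSTs); suggest `# Session authentication only; no permission classes, so unauthenticated requests are still let through.` The enclosing `get` method starts outside this hunk.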
|
@@ -203,6 +219,7 @@ def post(
|
203 | 219 | user_id=request.user.id,
|
204 | 220 | request=request,
|
205 | 221 | )
|
| 222 | + |
206 | 223 | if invite_context is None:
|
207 | 224 | return self.respond_invalid()
|
208 | 225 |
|
|