[accounts] patched api as request for supervision should be made ONLY to godfather accounts

e5f0631e · Flavio TARSETTI · 744a60e1 · e5f0631e
Commit e5f0631e authored 7 years ago by Flavio TARSETTI
--- a/beat/web/accounts/api.py
+++ b/beat/web/accounts/api.py
@@ -276,7 +276,32 @@ class SuperviseeAddGodfatherView(BaseCreateSupervisionTrackViewSupervisee):
    permission_classes = BaseCreateSupervisionTrackViewSupervisee.permission_classes

    def post(self, request, supervisor_name):
-        godfather = User.objects.get(username=supervisor_name)
+        #check if user exists and its validity and if it's a godfather account
+        try:
+            godfather = User.objects.get(username=supervisor_name)
+            if not godfather.profile.is_godfather:
+                #Not a valid godfather
+                reason = "Not a valid godfather request"
+                result = {
+                    'error': reason,
+                }
+                return BadRequestResponse(result)
+            else:
+                if godfather.profile.status == Profile.BLOCKED:
+                    #Not a valid godfather
+                    reason = "Not a valid godfather request"
+                    result = {
+                        'error': reason,
+                    }
+                    return BadRequestResponse(result)
+        except:
+            #This username does not exist but don't give too much information
+            reason = "Not a valid godfather request"
+            result = {
+                'error': reason,
+            }
+            return BadRequestResponse(result)
+
        supervisee = request.user
        if supervisee.profile.supervision_key is not None:
            #There's a key check if there's a valid track