From ceadf9c739b0fd93abaa6d1bd4696b48f6e0514d Mon Sep 17 00:00:00 2001
From: Ram Ramrakhya <ramramrakhya81@gmail.com>
Date: Fri, 3 Sep 2021 13:58:54 -0400
Subject: [PATCH] Backend: Fix bug in add_participant_to_challenge API to check
 if all members of team are in allowed email domain(#3591)

* [BugFix] Verify all members of team have a allowed email domain

* Fix tests

* Fix tests

Co-authored-by: Rishabh Jain <rishabhjain2018@gmail.com>
---
 apps/challenges/views.py            | 22 ++++++++-------
 tests/unit/challenges/test_views.py | 42 +++++++++++++++++++++++++++--
 2 files changed, 52 insertions(+), 12 deletions(-)

diff --git a/apps/challenges/views.py b/apps/challenges/views.py
index 89d670f4d8..58886a37d8 100644
--- a/apps/challenges/views.py
+++ b/apps/challenges/views.py
@@ -336,16 +336,18 @@ def add_participant_team_to_challenge(
     # Check if user is in allowed list.
     user_email = request.user.email
     if len(challenge.allowed_email_domains) > 0:
-        if not is_user_in_allowed_email_domains(user_email, challenge_pk):
-            message = "Sorry, users with {} email domain(s) are only allowed to participate in this challenge."
-            domains = ""
-            for domain in challenge.allowed_email_domains:
-                domains = "{}{}{}".format(domains, "/", domain)
-            domains = domains[1:]
-            response_data = {"error": message.format(domains)}
-            return Response(
-                response_data, status=status.HTTP_406_NOT_ACCEPTABLE
-            )
+        domains = ""
+        for domain in challenge.allowed_email_domains:
+            domains = "{}{}{}".format(domains, "/", domain)
+        domains = domains[1:]
+        for participant_email in participant_team.get_all_participants_email():
+            if not is_user_in_allowed_email_domains(participant_email, challenge_pk):
+                message = "Sorry, team consisting of users with non-{} email domain(s) are not allowed \
+                    to participate in this challenge."
+                response_data = {"error": message.format(domains)}
+                return Response(
+                    response_data, status=status.HTTP_406_NOT_ACCEPTABLE
+                )
 
     # Check if user is in blocked list.
     if is_user_in_blocked_email_domains(user_email, challenge_pk):
diff --git a/tests/unit/challenges/test_views.py b/tests/unit/challenges/test_views.py
index b199bddd0b..584d614996 100644
--- a/tests/unit/challenges/test_views.py
+++ b/tests/unit/challenges/test_views.py
@@ -632,6 +632,13 @@ def setUp(self):
             verified=True,
         )
 
+        EmailAddress.objects.create(
+            user=self.user2,
+            email="user2@example2.com",
+            primary=True,
+            verified=True,
+        )
+
         self.challenge_host_team2 = ChallengeHostTeam.objects.create(
             team_name="Some Test Challenge Host Team", created_by=self.user2
         )
@@ -695,6 +702,16 @@ def setUp(self):
             team=self.participant_team3,
         )
 
+        self.participant_team4 = ParticipantTeam.objects.create(
+            team_name="Some Participant Team 2 by User 2", created_by=self.user2
+        )
+
+        self.participant5 = Participant.objects.create(
+            user=self.user3,
+            status=Participant.ACCEPTED,
+            team=self.participant_team4,
+        )
+
     def test_registration_is_closed_for_a_particular_challenge(self):
         self.challenge2.is_registration_open = False
         self.challenge2.save()
@@ -781,7 +798,7 @@ def test_particular_participant_team_for_mapping_with_challenge_does_not_exist(
             "challenges:add_participant_team_to_challenge",
             kwargs={
                 "challenge_pk": self.challenge.pk,
-                "participant_team_pk": self.participant_team.pk + 3,
+                "participant_team_pk": self.participant_team.pk + 4,
             },
         )
         expected = {"error": "ParticipantTeam does not exist"}
@@ -853,7 +870,28 @@ def test_participation_when_participant_is_not_in_allowed_list(self):
         )
 
         response = self.client.post(self.url, {})
-        message = "Sorry, users with {} email domain(s) are only allowed to participate in this challenge."
+        message = "Sorry, team consisting of users with non-{} email domain(s) are not allowed \
+                    to participate in this challenge."
+        expected = {"error": message.format("example1/example2")}
+
+        self.assertEqual(response.data, expected)
+        self.assertEqual(response.status_code, status.HTTP_406_NOT_ACCEPTABLE)
+
+    def test_participation_when_participant_team_member_is_not_in_allowed_list(self):
+        self.client.force_authenticate(user=self.participant_team4.created_by)
+        self.challenge2.allowed_email_domains.extend(["example1", "example2"])
+        self.challenge2.save()
+        self.url = reverse_lazy(
+            "challenges:add_participant_team_to_challenge",
+            kwargs={
+                "challenge_pk": self.challenge2.pk,
+                "participant_team_pk": self.participant_team4.pk,
+            },
+        )
+
+        response = self.client.post(self.url, {})
+        message = "Sorry, team consisting of users with non-{} email domain(s) are not allowed \
+                    to participate in this challenge."
         expected = {"error": message.format("example1/example2")}
 
         self.assertEqual(response.data, expected)