diff --git a/profiles/schema.py b/profiles/schema.py index 1aa73c8c..dbe91826 100644 --- a/profiles/schema.py +++ b/profiles/schema.py @@ -70,7 +70,10 @@ VerifiedPersonalInformationPermanentForeignAddress, VerifiedPersonalInformationTemporaryAddress, ) -from .utils import requester_can_view_verified_personal_information +from .utils import ( + requester_can_view_verified_personal_information, + requester_has_sufficient_loa_to_perform_gdpr_request, +) User = get_user_model() @@ -1490,6 +1493,10 @@ def mutate_and_get_payload(cls, root, info, **input): _("You do not have permission to perform this action.") ) + if not requester_has_sufficient_loa_to_perform_gdpr_request(info.context): + raise PermissionDenied( + _("You do not have permission to perform this action.") + ) dry_run = input.get("dry_run", False) results = delete_connected_service_data( @@ -1554,6 +1561,11 @@ def mutate(parent, info, input): _("You do not have permission to perform this action.") ) + if not requester_has_sufficient_loa_to_perform_gdpr_request(info.context): + raise PermissionDenied( + _("You do not have permission to perform this action.") + ) + service_connections = profile.effective_service_connections_qs().filter( service__name=input["service_name"] ) @@ -1734,6 +1746,11 @@ def resolve_download_my_profile(self, info, **kwargs): _("You do not have permission to perform this action.") ) + if not requester_has_sufficient_loa_to_perform_gdpr_request(info.context): + raise PermissionDenied( + _("You do not have permission to perform this action.") + ) + external_data = download_connected_service_data( profile, kwargs["authorization_code"], diff --git a/profiles/tests/gdpr/test_gql_delete_my_profile_mutation.py b/profiles/tests/gdpr/test_gql_delete_my_profile_mutation.py index cf10dbba..ea693f60 100644 --- a/profiles/tests/gdpr/test_gql_delete_my_profile_mutation.py +++ b/profiles/tests/gdpr/test_gql_delete_my_profile_mutation.py @@ -11,7 +11,11 @@ from open_city_profile.oidc import TunnistamoTokenExchange from open_city_profile.tests.asserts import assert_match_error_code from profiles.models import Profile -from profiles.tests.factories import ProfileFactory, ProfileWithPrimaryEmailFactory +from profiles.tests.factories import ( + ProfileFactory, + ProfileWithPrimaryEmailFactory, + VerifiedPersonalInformationFactory, +) from services.models import ServiceConnection from services.tests.factories import ServiceConnectionFactory from users.models import User @@ -546,3 +550,24 @@ def test_api_tokens_missing(user_gql_client, service_1, mocker): executed = user_gql_client.execute(DELETE_MY_PROFILE_MUTATION) assert_match_error_code(executed, MISSING_GDPR_API_TOKEN_ERROR) + + +@pytest.mark.parametrize( + "loa,errors", + [ + ("low", True), + ("substantial", False), + ("high", False), + ], +) +def test_delete_with_verified_personal_information( + user_gql_client, gdpr_api_tokens, loa, errors +): + """Deletion is allowed when GDPR URL is set, and service returns a successful status.""" + profile = ProfileFactory(user=user_gql_client.user) + VerifiedPersonalInformationFactory(profile=profile) + + executed = user_gql_client.execute( + DELETE_MY_PROFILE_MUTATION, auth_token_payload={"loa": loa} + ) + assert bool(executed.get("errors")) == errors diff --git a/profiles/tests/gdpr/test_gql_download_my_profile_query.py b/profiles/tests/gdpr/test_gql_download_my_profile_query.py index f527c8a5..4616e3a5 100644 --- a/profiles/tests/gdpr/test_gql_download_my_profile_query.py +++ b/profiles/tests/gdpr/test_gql_download_my_profile_query.py @@ -128,6 +128,7 @@ def download_verified_personal_information_with_loa(loa, user_gql_client, servic ) full_dump = json.loads(executed["data"]["downloadMyProfile"]) + profile_dump = next( child for child in full_dump["children"] if child["key"] == "PROFILE" ) @@ -154,16 +155,18 @@ def test_verified_personal_information_is_included_in_the_downloaded_profile_whe @pytest.mark.parametrize("loa", [None, "foo", "low"]) def test_verified_personal_information_is_replaced_with_an_error_when_loa_is_not_high_enough( - loa, user_gql_client, profile_service + loa, user_gql_client, profile_service, service ): - vpi_dump = download_verified_personal_information_with_loa( - loa, user_gql_client, profile_service - ) - - assert vpi_dump == { - "key": "VERIFIEDPERSONALINFORMATION", - "error": _("No permission to read verified personal information."), + VerifiedPersonalInformationFactory(profile__user=user_gql_client.user) + token_payload = { + "loa": loa, } + executed = user_gql_client.execute( + DOWNLOAD_MY_PROFILE_MUTATION, service=service, auth_token_payload=token_payload + ) + assert executed["data"]["downloadMyProfile"] is None + assert len(executed["errors"]) == 1 + assert executed["errors"][0]["extensions"]["code"] == "PERMISSION_DENIED_ERROR" def test_downloading_non_existent_profile_doesnt_return_errors(user_gql_client): diff --git a/profiles/tests/test_audit_log_to_db.py b/profiles/tests/test_audit_log_to_db.py index f8779820..19d467f1 100644 --- a/profiles/tests/test_audit_log_to_db.py +++ b/profiles/tests/test_audit_log_to_db.py @@ -414,7 +414,9 @@ def test_audit_log_delete(live_server, profile_with_related): } } """ - do_graphql_call_as_user(live_server, user, query=query) + do_graphql_call_as_user( + live_server, user, query=query, extra_claims={"loa": "substantial"} + ) log_entries = list(LogEntry.objects.all()) # Audit logging the Profile DELETE with a related object causes some READs diff --git a/profiles/tests/test_audit_log_to_logger.py b/profiles/tests/test_audit_log_to_logger.py index 1e1610d6..794ba02b 100644 --- a/profiles/tests/test_audit_log_to_logger.py +++ b/profiles/tests/test_audit_log_to_logger.py @@ -442,7 +442,9 @@ def test_audit_log_delete(live_server, profile_with_related, cap_audit_log): } } """ - do_graphql_call_as_user(live_server, user, query=query) + do_graphql_call_as_user( + live_server, user, query=query, extra_claims={"loa": "substantial"} + ) audit_logs = cap_audit_log.get_logs() # Audit logging the Profile DELETE with a related object causes some READs diff --git a/profiles/utils.py b/profiles/utils.py index 8f06eece..cad1192c 100644 --- a/profiles/utils.py +++ b/profiles/utils.py @@ -29,3 +29,15 @@ def requester_can_view_verified_personal_information(request): or request.user_auth.data.get("amr") in settings.VERIFIED_PERSONAL_INFORMATION_ACCESS_AMR_LIST ) + + +def requester_has_sufficient_loa_to_perform_gdpr_request(request): + user = request.user + profile = user.profile + if not profile: + return False + loa = request.user_auth.data.get("loa") + return not hasattr(profile, "verified_personal_information") or loa in [ + "substantial", + "high", + ]