Mentorship-backend: Validate if a User has email verified before allowing any action using this user

Created on 27 Jul 2018 · 13 Comments · Source: anitab-org/mentorship-backend

Description

As a developer,
I need to verify if a user is requested for some action,
so that I can prevent actions with invalid users.

Implementation options by order of optimal solution (best -> worst) as discussed on project weekly:

  1. Create a decorator to validate User
  2. Do a check in every API endpoint that needs such verification
  3. Create function in UserModel to find a user by id and email verified

Acceptance Criteria

Update [Required]

  • [ ] Check if the existing user has an email verified

Definition of Done

  • [ ] All of the required items are completed.
  • [x] Approval by 1 mentor.

Estimation

2 hours

Coding Bug

All 13 comments

Still no @sys-bot showing up, just testing to get timestamp

@isabelcosta I am working on this issue!

Okay! @SwethasriKavuri :D any doubt tell me, I don't mind scheduling a call with you to help you with something

@SwethasriKavuri are you still working on this?

@SwethasriKavuri are you still working on this? if not, no problem at all, I can set this to be available again, for another contributor to work on this

I'm making this available again since there are no updates on this issue's work

@isabelcosta I would like to work on this issue

@LordGameleo sure! go ahead :)

@isabelcosta can you guide me a bit.... where should I write code for creation of new decorator?

I'm not sure about it, since I haven't done a lot of research for it. Can you look into the code and suggest me a solution? cc @ramitsawhney27

@LordGameleo I'd recommend looking into the DAO itself. That's the first place any operations would take place. Ensure your decorator wraps methods like 'update_user_profile' that would ensure that such an authorization operation is done before any further processing. cc @isabelcosta

Last week, I answered this on Slack:

we only get our authentication access token after verifying our email. I guess this decorator will not be needed.

I can be authenticated and verified. One of the things that come to my mind is, I can't send a mentorship request to someone unverified. Use an ID from a user which is not verified. The android application does not allow that. But if you do things using the api only through swagger ui, then you are allowed to do that. Think of edge cases like this. Look into the api and think in what cases this could happen.

@isabelcosta Let me look into that.
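
The check discussed in this thread, as an added example that is not code from the mentorship-backend project: a decorator that lets a DAO-style method run only if every user id it names, including the receiver of a mentorship request, belongs to a user with a verified email. The `USERS` store, the `is_email_verified` field name, the function names and the status codes are assumptions made for illustration.

```python
import inspect
from functools import wraps
from http import HTTPStatus

# Constructed sample data standing in for the user table (assumption, not the
# project's UserModel); `is_email_verified` is an assumed field name.
USERS = {
    1: {"email": "mentor@example.org", "is_email_verified": True},
    2: {"email": "mentee@example.org", "is_email_verified": True},
    3: {"email": "pending@example.org", "is_email_verified": False},
}
REQUESTS = []  # stands in for the mentorship-request table


def email_verification_required(*id_params):
    """Run the wrapped function only if every named user id is a verified user."""
    def decorator(func):
        signature = inspect.signature(func)

        @wraps(func)
        def wrapper(*args, **kwargs):
            bound = signature.bind(*args, **kwargs)
            for name in id_params:
                # A missing argument or unknown id resolves to None: fail closed.
                user = USERS.get(bound.arguments.get(name))
                if user is None:
                    return {"message": f"{name}: user not found"}, HTTPStatus.NOT_FOUND
                if not user["is_email_verified"]:
                    return {"message": f"{name}: email not verified"}, HTTPStatus.FORBIDDEN
            return func(*args, **kwargs)
        return wrapper
    return decorator


# Hypothetical DAO method: both the sender and the receiver are checked, so the
# rule holds for direct API calls too, not only for a client that hides the option.
@email_verification_required("sender_id", "receiver_id")
def send_mentorship_request(sender_id, receiver_id, notes=""):
    REQUESTS.append((sender_id, receiver_id, notes))
    return {"message": "Mentorship request sent"}, HTTPStatus.CREATED
```

Because the check lives on the server-side method, a request naming an unverified receiver is rejected regardless of which client sent it.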
