Merge pull request #537 from biocore/csymons_prevent_minor_reconsent

Prevent Minors from Re-consenting
biocore · Sep 20, 2023 · f9aa7a2 · f9aa7a2
2 parents 736f52f + d3e64b7
commit f9aa7a2
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 0 deletions.
diff --git a/microsetta_private_api/api/_consent.py b/microsetta_private_api/api/_consent.py
@@ -75,6 +75,19 @@ def sign_consent_doc(account_id, source_id, consent_type, body, token_info):
                     code=403, message="Invalid age_range update"
                 ), 403
 
+        # NB For the time being, we need to block any pre-overhaul under-18
+        # profiles from re-consenting. For API purposes, the safest way to
+        # check whether it's a pre-overhaul or post-overhaul source is to look
+        # at the creation_time on the source. Anything pre-overhaul is
+        # prevented from signing a new consent document.
+        if source.source_data.age_range not in ["legacy", "18-plus"] and\
+                not source_repo.check_source_post_overhaul(
+                    account_id, source_id
+                ):
+            return jsonify(
+                code=403, message="Minors may not sign new consent documents"
+            ), 403
+
         # Now back to the normal flow of signing a consent document
         consent_repo = ConsentRepo(t)
         sign_id = str(uuid.uuid4())

diff --git a/microsetta_private_api/repo/source_repo.py b/microsetta_private_api/repo/source_repo.py
@@ -283,3 +283,27 @@ def get_duplicate_source_name(self, account_id, source_name):
             if r is None:
                 return {'source_duplicate': False}
             return {'source_duplicate': True}
+
+    def check_source_post_overhaul(self, account_id, source_id):
+        """Check whether source was created after the TMI overhaul deployment
+
+        Parameters
+        ----------
+        account_id : str, uuid
+            The associated account ID to check
+        source_id : str, uuid
+            The associated source ID to check
+
+        Returns
+        -------
+        True if the source is post-overhaul, False otherwise
+        """
+        with self._transaction.cursor() as cur:
+            cur.execute(
+                "SELECT id "
+                "FROM ag.source "
+                "WHERE account_id = %s AND id = %s "
+                "AND creation_time >= '2023-08-30 09:10:00'",
+                (account_id, source_id)
+            )
+            return cur.rowcount == 1
diff --git a/microsetta_private_api/repo/tests/test_source.py b/microsetta_private_api/repo/tests/test_source.py
@@ -105,6 +105,31 @@ def test_update_legacy_source_age_range_fail(self):
             )
             self.assertFalse(obs)
 
+    def test_check_source_post_overhaul_true(self):
+        # We'll check a newly created source and confirm that it's
+        # treated as post-overhaul. The source created during setUp
+        # can safely be used as-is.
+        with Transaction() as t:
+            sr = SourceRepo(t)
+            obs = sr.check_source_post_overhaul(ACCOUNT_ID, HUMAN_SOURCE.id)
+            self.assertTrue(obs)
+
+    def test_check_source_post_overhaul_false(self):
+        # Now we'll modify the creation_time column by hand and confirm it's
+        # treated as pre-overhaul
+        with Transaction() as t:
+            cur = t.cursor()
+            cur.execute(
+                "UPDATE ag.source "
+                "SET creation_time = '2023-01-01 10:00:00' "
+                "WHERE id = %s",
+                (HUMAN_SOURCE.id, )
+            )
+
+            sr = SourceRepo(t)
+            obs = sr.check_source_post_overhaul(ACCOUNT_ID, HUMAN_SOURCE.id)
+            self.assertFalse(obs)
+
 
 if __name__ == '__main__':
     unittest.main()