Handle case of deleted journalists

[prateekj117]

Status

Ready for review

Description of Changes

Fixes #5232

Changes proposed in this pull request:

Because of #5178, deleted journalist username and uuid is set to deleted. We should not allow the deleted journalist to login. Also, we can differentiate it from other not deleted journalists whose username is deleted by comparing both the username and uuid rather than just username. Also, we should not allow adding new journalist with username deleted for less confusion.

Testing

How should the reviewer test this PR?

Make a test journalist with username deleted, it would fail (due to changes in form.py file). Undo those changes and make a new journalist with username deleted and try logging in using credentials of that journalist, it should succeed. Change uuid of that journalist to deleted, it should fail to login again for that journalist.

Checklist

If you made changes to the server application code:

• Linting (make lint) and tests (make test) pass in the development container

If you made changes to securedrop-admin:

• Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

• Configuration tests pass

If you made non-trivial code changes:

• I have written a test plan and validated it for this PR

[kushaldas]

We should have a list of usernames which will not be allowed, that will enable us to add more such keywords/names safely to the blocking list in future.

We also need required unit and functional tests and also related explanation documentation for the same in the PR.

[prateekj117]

@kushaldas Done. Ready for another review. Let me know if I missed something.

[kushaldas]

@prateekj117 this PR needs a rebase with develop.

[kushaldas]

@prateekj117 Also, can you please add a functional test for the same? As right now the error should propagate to the admin nicely.

[prateekj117]

@kushaldas Done. Ready for another review.

[prateekj117]

@kushaldas One thing that can be missing from here is I think we can also check the exception that is being raised in unit tests. Let me know if that is required.

[prateekj117]

Hey @kushaldas. The thing is, it's an endpoint, I am not sure how I will write a test for checking exception raising. app.post won't be able to check the exception as it happens on the server-side and app.post would just return a response. Can you share an example? It would be of great help. Thanks.

[prateekj117]

Ok, I think I got what you meant. Added the tests. Let me know if anything else is required.

[kushaldas]

Hey @kushaldas. The thing is, it's an endpoint, I am not sure how I will write a test for checking exception raising. app.post won't be able to check the exception as it happens on the server-side and app.post would just return a response. Can you share an example?

This whole code base is server side. I don't understand what do you mean by endpoint in this case. You have to test that the right error message is showing in the proper way in the web application, Please have a look at https://github.com/freedomofpress/securedrop/blob/develop/securedrop/tests/functional/test_source_notfound.py or any other file in that directory for examples.

[prateekj117]

@kushaldas Now that I see the examples, I get it. I will correct it. Thanks !!!

[prateekj117]

@kushaldas Done.

[rmol]

Thanks @prateekj117. This looks pretty good. I requested a pedantic grammar change, would like to keep the list of invalid usernames on the Journalist model, and think we should omit invalid usernames from the exception or flash messages.

[prateekj117]

@rmol Did the changes. Ready for another review.

[kushaldas]

We should get some feedback from @ninavizz about adding/showing the invalid usernames in the web form to create a new user.

[rmol]

This looks good. I've run through the test scenario and confirmed behavior and messaging with the latest changes. Thanks again for your patience and perseverance, @prateekj117.

The behavior is as we specified.