From abff91e6bbe601866d34a211cc31a36df6570ecd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Barrag=C3=A1n=20Merino?=
 <david.barragan@kaleidos.net>
Date: Thu, 4 Aug 2016 10:31:38 +0200
Subject: [PATCH] Fix memeverships-bulk-create validator

---
 taiga/projects/validators.py                  | 17 ++++++++++---
 taiga/users/validators.py                     | 10 +-------
 .../test_projects_choices_resources.py        |  1 +
 tests/integration/test_memberships.py         | 24 +++++++++++++++++++
 4 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/taiga/projects/validators.py b/taiga/projects/validators.py
index fdf917ea..7d3c48cc 100644
--- a/taiga/projects/validators.py
+++ b/taiga/projects/validators.py
@@ -24,7 +24,7 @@ from taiga.base.api import validators
 from taiga.base.exceptions import ValidationError
 from taiga.base.fields import JsonField
 from taiga.base.fields import PgArrayField
-from taiga.users.validators import RoleExistsValidator
+from taiga.users.models import Role
 
 from .tagging.fields import TagsField
 
@@ -200,16 +200,27 @@ class MembershipAdminValidator(MembershipValidator):
         exclude = ("token",)
 
 
-class MemberBulkValidator(RoleExistsValidator, validators.Validator):
+class _MemberBulkValidator(validators.Validator):
     email = serializers.EmailField()
     role_id = serializers.IntegerField()
 
 
 class MembersBulkValidator(ProjectExistsValidator, validators.Validator):
     project_id = serializers.IntegerField()
-    bulk_memberships = MemberBulkValidator(many=True)
+    bulk_memberships = _MemberBulkValidator(many=True)
     invitation_extra_text = serializers.CharField(required=False, max_length=255)
 
+    def validate_bulk_memberships(self, attrs, source):
+        filters = {
+            "project__id": attrs["project_id"],
+            "id__in": [r["role_id"] for r in attrs["bulk_memberships"]]
+        }
+
+        if Role.objects.filter(**filters).count() != len(set(filters["id__in"])):
+            raise ValidationError(_("Invalid role ids. All roles must belong to the same project."))
+
+        return attrs
+
 
 ######################################################
 # Projects
diff --git a/taiga/users/validators.py b/taiga/users/validators.py
index f23da47a..279e6ce4 100644
--- a/taiga/users/validators.py
+++ b/taiga/users/validators.py
@@ -29,18 +29,10 @@ from .models import User, Role
 import re
 
 
-class RoleExistsValidator:
-    def validate_role_id(self, attrs, source):
-        value = attrs[source]
-        if not Role.objects.filter(pk=value).exists():
-            msg = _("There's no role with that id")
-            raise ValidationError(msg)
-        return attrs
-
-
 ######################################################
 # User
 ######################################################
+
 class UserValidator(validators.ModelValidator):
     class Meta:
         model = User
diff --git a/tests/integration/resources_permissions/test_projects_choices_resources.py b/tests/integration/resources_permissions/test_projects_choices_resources.py
index 75c0f39d..28e1f483 100644
--- a/tests/integration/resources_permissions/test_projects_choices_resources.py
+++ b/tests/integration/resources_permissions/test_projects_choices_resources.py
@@ -2055,6 +2055,7 @@ def test_membership_action_bulk_create(client, data):
     results = helper_test_http_method(client, 'post', url, bulk_data, users)
     assert results == [401, 403, 403, 403, 451]
 
+
 def test_membership_action_resend_invitation(client, data):
     public_invitation = f.InvitationFactory(project=data.public_project, role__project=data.public_project)
     private_invitation1 = f.InvitationFactory(project=data.private_project1, role__project=data.private_project1)
diff --git a/tests/integration/test_memberships.py b/tests/integration/test_memberships.py
index c6b2ca5e..70d3d198 100644
--- a/tests/integration/test_memberships.py
+++ b/tests/integration/test_memberships.py
@@ -72,6 +72,30 @@ def test_api_create_bulk_members(client):
     assert response.data[1]["email"] == joseph.email
 
 
+def test_api_create_bulk_members_with_invalid_roles(client):
+    project = f.ProjectFactory()
+    john = f.UserFactory.create()
+    joseph = f.UserFactory.create()
+    tester = f.RoleFactory(name="Tester")
+    gamer = f.RoleFactory(name="Gamer")
+    f.MembershipFactory(project=project, user=project.owner, is_admin=True)
+
+    url = reverse("memberships-bulk-create")
+
+    data = {
+        "project_id": project.id,
+        "bulk_memberships": [
+            {"role_id": tester.pk, "email": john.email},
+            {"role_id": gamer.pk, "email": joseph.email},
+        ]
+    }
+    client.login(project.owner)
+    response = client.json.post(url, json.dumps(data))
+
+    assert response.status_code == 400
+    assert "bulk_memberships" in response.data
+
+
 def test_api_create_bulk_members_with_allowed_domain(client):
     project = f.ProjectFactory()
     john = f.UserFactory.create()