From c6f051ac65cb6298ed3ab5d5b87c5f37bd423cd8 Mon Sep 17 00:00:00 2001
From: Sam
Date: Wed, 10 Mar 2021 10:10:16 +0000
Subject: [PATCH] added email validation to purchase_email view

---
 products/tests.py | 21 +++++++++++++++++++++
 products/views.py | 8 ++++++--
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/products/tests.py b/products/tests.py
index bbf7cec..19d7f2a 100644
--- a/products/tests.py
+++ b/products/tests.py
@@ -1253,3 +1253,24 @@ class PurchaseEmailTest(APITestCase):
         self.assertEquals(response.status_code, 200)
         self.assertEquals(2, len(mail.outbox))
 
+    def test_anon_user_bad_email(self):
+        company = CompanyFactory()
+        self.user.role = 'COOP_MANAGER'
+        self.user.company = company
+        self.user.save()
+        product = ProductFactory(company=company)
+
+        data = {
+            'email': '324r@qwer',
+            'telephone': '123123123',
+            'company': company.id,
+            'product': product.id,
+            'comment': '',
+        }
+
+        response = self.client.post(self.endpoint, data=data, format='json')
+        # assertions
+        self.assertEquals(response.status_code, 406)
+        payload = response.json()
+        self.assertTrue( 'email' in payload['error'])
+
diff --git a/products/views.py b/products/views.py
index 091990d..280f36a 100644
--- a/products/views.py
+++ b/products/views.py
@@ -5,6 +5,7 @@ import json
 
 from django.db.models import Q
 from django.core import serializers
+from django.core.validators import EmailValidator, validate_email
 from django.contrib.auth import get_user_model
 from django.template.loader import render_to_string
 from django.core.mail import EmailMessage
@@ -259,7 +260,6 @@ def purchase_email(request):
     # check data
     if request.user.is_anonymous and 'email' not in data:
         return Response({"error": "Anonymous users must include an email parameter value"}, status=status.HTTP_406_NOT_ACCEPTABLE)
-
     try:
         for param in ('telephone', 'company', 'product', 'comment'):
             assert(param in data.keys())
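Review bot: test_anon_user_bad_email never forces the test client to be anonymous, so whether the view reads the posted `'email'` or `request.user.email` depends on whatever setUp does with `self.user` and `self.client` (both outside this hunk). Adding `self.client.force_authenticate(user=None)` (or `self.client.logout()`) before the POST pins the anonymous path, and a second test that authenticates would cover the `email = request.user.email` branch the view also validates. Since the earlier test in this class checks `mail.outbox`, this address presumably ends up in an outgoing message, so it is worth rejecting a few more shapes here too — `''`, a value with a newline such as `'a@b.com\nBcc: x@y.z'`, and a non-string like `123` — rather than the single malformed address. `assertEquals` is a deprecated alias of `assertEqual`.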
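Review bot: `EmailValidator` is imported on the added line but nothing in this patch uses it; only `validate_email` is called. Trim the import to `from django.core.validators import validate_email`, and add `from django.core.exceptions import ValidationError` instead, which is what the new validation block in purchase_email needs in order to catch the validator's failure narrowly.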
@@ -271,7 +271,11 @@ def purchase_email(request):
     else:
         email = request.user.email
     telephone = data.get('telephone')
-
+    # validate email
+    try:
+        validate_email(email)
+    except:
+        return Response({"error": "Value for email is not valid"}, status=status.HTTP_406_NOT_ACCEPTABLE)
     # get company
     company = Company.objects.filter(id=data['company']).first()
     if not company:
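Review bot: The bare `except:` around `validate_email(email)` swallows every exception — KeyboardInterrupt, SystemExit and any programming error inside the validator — and reports all of them as a 406; it should be `except ValidationError:` with `ValidationError` imported from `django.core.exceptions`. Because the body is parsed JSON (the new test posts with format='json'), the anonymous-user `email` may not be a string at all, and a number or boolean raises TypeError inside the validator rather than ValidationError, so guard the type first: `if not isinstance(email, str):` followed by the same 406 response, or catch `(ValidationError, TypeError)` if you prefer to keep it in one place. The check also runs on `request.user.email` for authenticated users, so an account whose stored address is blank or malformed is now rejected with the same message; if that is intended, say so, e.g. `# validate email (also rejects authenticated users whose stored address is empty or malformed)`. purchase_email begins before and continues after this hunk.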