From d61be0476169d8f5bb4630f9ba31d6c36458e3be Mon Sep 17 00:00:00 2001
From: Jared Hirsch
Date: Thu, 18 Jun 2026 18:20:43 -0700
Subject: [PATCH] FIDEFE-8709 - Prevent banned users from creating new shares
---
 fxsharing/shares/tests.py | 13 +++++++++++++
 fxsharing/shares/views.py | 4 ++++
 2 files changed, 17 insertions(+)
diff --git a/fxsharing/shares/tests.py b/fxsharing/shares/tests.py
index 2acb51d..ba24327 100644
--- a/fxsharing/shares/tests.py
+++ b/fxsharing/shares/tests.py
@@ -661,6 +661,19 @@ def test_create_increments_with_limit_reached_outcome(self):
 assert response.status_code == 429
 counter.add.assert_called_once_with(1, {"outcome": "limit_reached"})
+ def test_create_increments_with_banned_outcome(self):
+ banned = User.objects.create_user(fxa_id="a1b2c3d4e5f6banned", is_banned=True)
+ self.client.force_login(banned)
+ with patch("fxsharing.shares.metrics.share_created") as counter:
+ response = self.client.post(
+ reverse("create_share"),
+ data=self._payload(),
+ content_type="application/json",
+ )
+ assert response.status_code == 403
+ assert not Share.objects.filter(user=banned).exists()
+ counter.add.assert_called_once_with(1, {"outcome": "banned"})
+
 def test_create_increments_with_unauthenticated_outcome(self):
 with patch("fxsharing.shares.metrics.share_created") as counter:
 response = self.client.post(
diff --git a/fxsharing/shares/views.py b/fxsharing/shares/views.py
index 87ebf23..c066f5d 100644
--- a/fxsharing/shares/views.py
+++ b/fxsharing/shares/views.py
@@ -197,6 +197,10 @@ def create_share(request):
 metrics.share_created.add(1, {"outcome": "unauthenticated"})
 return HttpResponse(status=401)
+ if request.user.is_banned:
+ metrics.share_created.add(1, {"outcome": "banned"})
+ return HttpResponse(status=403)
+
 try:
 data = json.loads(request.body)
 validate(instance=data, schema=share_schema)
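Review bot: `test_create_increments_with_banned_outcome` pins the 403 only for a well-formed payload from a user with no shares, so it would still pass if the ban check in `create_share` were later moved below body validation or below the rate-limit branch. A second case that posts an invalid body as the banned user and still expects 403 with `{"outcome": "banned"}` would pin the ordering. A one-line docstring such as `"""Banned users get 403, create no Share row, and record a 'banned' outcome."""` would also state the contract the three assertions encode.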
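Review bot: The `request.user.is_banned` test added after the 401 branch is enforced inline in `create_share` only, so any other state-changing share view (none is visible in this hunk) would still accept a banned account's existing session unless it repeats the same check. If such views exist, a shared decorator or middleware would keep a future endpoint from omitting it; at minimum a comment here, e.g. `# Enforce the ban per request: a banned account may still hold a valid session.`, would record why the check sits before body parsing. The 403 branch increments a counter but emits no log line naming the account, which may leave abuse triage without a per-user trail unless that is logged elsewhere. `create_share` starts and ends outside the hunk.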