Clean up and address PR feedback. Modify conditionals, throw 403 earlier in auth process

JamesDemeryNava · JamesDemeryNava · commit 1e184af50697 · 2025-12-03T16:14:48.000-05:00
diff --git a/apps/dot_ext/views/authorization.py b/apps/dot_ext/views/authorization.py
@@ -91,6 +91,8 @@ class AuthorizationView(DotAuthorizationView):
     # TODO: rename this so that it isn't the same as self.version (works but confusing)
     # this needs to be here for urls.py as_view(version) calls, but don't use it
     version = 0
+    # Variable to help reduce the amount of times validate_v3_authorization_request is called
+    validate_v3_call = True
     form_class = SimpleAllowForm
     login_url = "/mymedicare/login"
 
@@ -149,6 +151,11 @@ def dispatch(self, request, *args, **kwargs):
         initially create an AuthFlowUuid object for authorization
         flow tracing in logs.
         """
+        path_info = self.request.__dict__.get('path_info')
+        version = get_api_version_number_from_url(path_info)
+        # If it is not version 3, we don't need to check anything, just return
+        if version == Versions.V3 and self.validate_v3_call:
+            self.validate_v3_authorization_request()
         # TODO: Should the client_id match a valid application here before continuing, instead of after matching to FHIR_ID?
         if not kwargs.get('is_subclass_approvalview', False):
             # Create new authorization flow trace UUID in session and AuthFlowUuid instance, if subclass is not ApprovalView
@@ -241,7 +248,11 @@ def validate_v3_authorization_request(self):
         try:
             application = get_application_model().objects.get(client_id=client_id[0])
             application_user = get_user_model().objects.get(id=application.user_id)
-            if flag.id is not None and flag.is_active_for_user(application_user):
+
+            if flag.id is None or flag.is_active_for_user(application_user):
+                # Update the class variable to ensure subsequent calls to dispatch don't call this function
+                # more times than is needed
+                self.validate_v3_call = False
                 return
             else:
                 raise AccessDeniedTokenCustomError(
@@ -292,11 +303,6 @@ def form_valid(self, form):
         refresh_token_delete_cnt = 0
 
         try:
-            path_info = self.request.__dict__.get('path_info')
-            version = get_api_version_number_from_url(path_info)
-            # If it is not version 3, we don't need to check anything, just return
-            if version == Versions.V3:
-                self.validate_v3_authorization_request()
 
             if not scopes:
                 # Since the create_authorization_response will re-inject scopes even when none are
@@ -456,7 +462,7 @@ def validate_v3_token_call(self, request) -> None:
             application = get_application_model().objects.get(id=refresh_token.application_id)
             application_user = get_user_model().objects.get(id=application.user_id)
 
-            if flag.id is not None and flag.is_active_for_user(application_user):
+            if flag.id is None or flag.is_active_for_user(application_user):
                 return
             else:
                 raise PermissionDenied(
diff --git a/apps/fhir/bluebutton/permissions.py b/apps/fhir/bluebutton/permissions.py
@@ -122,7 +122,7 @@ def has_permission(self, request, view):
         application_user = get_user_model().objects.get(id=application.user_id)
         flag = get_waffle_flag_model().get('v3_early_adopter')
 
-        if flag.id is not None and flag.is_active_for_user(application_user):
+        if flag.id is None or flag.is_active_for_user(application_user):
             return True
         else:
             raise PermissionDenied(
diff --git a/apps/fhir/bluebutton/tests/test_wellknown_endpoints.py b/apps/fhir/bluebutton/tests/test_wellknown_endpoints.py
@@ -51,6 +51,7 @@ def setUp(self):
 
     @skipIf((not settings.RUN_ONLINE_TESTS), 'Can\'t reach external sites.')
     @override_switch('v3_endpoints', active=True)
+    @override_flag('v3_early_adopter', active=False)
     def test_userinfo_returns_403(self):
         first_access_token = self.create_token('John', 'Smith', fhir_id_v2=FHIR_ID_V2)
         ac = AccessToken.objects.get(token=first_access_token)
diff --git a/apps/wellknown/permissions.py b/apps/wellknown/permissions.py
@@ -28,7 +28,7 @@ def has_permission(self, request, view):
         application_user = get_user_model().objects.get(id=application.user_id)
         flag = get_waffle_flag_model().get('v3_early_adopter')
 
-        if flag.id is not None and flag.is_active_for_user(application_user):
+        if flag.id is None or flag.is_active_for_user(application_user):
             return True
         else:
             raise PermissionDenied(
