implements reject_user_account

Author: pcrespov

api/specs/web-server/_users.py

@@ -170,7 +170,6 @@ async def approve_user_account(_body: UserApprove): ...
     "/admin/users:reject",
     status_code=status.HTTP_204_NO_CONTENT,
     tags=_extra_tags,
-    include_in_schema=False,  # UNDER DEVELOPMENT
 )
 async def reject_user_account(_body: UserReject): ...
 

services/web/server/src/simcore_service_webserver/api/v0/openapi.yaml

@@ -1422,6 +1422,22 @@ paths:
       responses:
         '204':
           description: Successful Response
+  /v0/admin/users:reject:
+    post:
+      tags:
+      - users
+      - admin
+      summary: Reject User Account
+      operationId: reject_user_account
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/UserReject'
+        required: true
+      responses:
+        '204':
+          description: Successful Response
   /v0/admin/users:search:
     get:
       tags:
@@ -17261,6 +17277,16 @@ components:
       required:
       - read
       title: UserNotificationPatch
+    UserReject:
+      properties:
+        email:
+          type: string
+          format: email
+          title: Email
+      type: object
+      required:
+      - email
+      title: UserReject
     UserStatus:
       type: string
       enum:

services/web/server/src/simcore_service_webserver/users/_users_rest.py

@@ -273,3 +273,25 @@ async def approve_user_account(request: web.Request) -> web.Response:
     assert pre_registration_id  # nosec
 
     return web.json_response(status=status.HTTP_204_NO_CONTENT)
+
+
+@routes.post(f"/{API_VTAG}/admin/users:reject", name="reject_user_account")
+@login_required
+@permission_required("admin.users.write")
+@_handle_users_exceptions
+async def reject_user_account(request: web.Request) -> web.Response:
+    req_ctx = UsersRequestContext.model_validate(request)
+    assert req_ctx.product_name  # nosec
+
+    rejection_data = await parse_request_body_as(UserReject, request)
+
+    # Reject the user account, passing the current user's ID as the reviewer
+    pre_registration_id = await _users_service.reject_user_account(
+        request.app,
+        pre_registration_email=rejection_data.email,
+        product_name=req_ctx.product_name,
+        reviewer_id=req_ctx.user_id,
+    )
+    assert pre_registration_id  # nosec
+
+    return web.json_response(status=status.HTTP_204_NO_CONTENT)

services/web/server/src/simcore_service_webserver/users/_users_service.py

@@ -499,3 +499,53 @@ async def approve_user_account(
     )
 
     return pre_registration_id
+
+
+async def reject_user_account(
+    app: web.Application,
+    *,
+    pre_registration_email: LowerCaseEmailStr,
+    product_name: ProductName,
+    reviewer_id: UserID,
+) -> int:
+    """Reject a user account based on their pre-registration email.
+
+    Args:
+        app: The web application instance
+        pre_registration_email: Email of the pre-registered user to reject
+        product_name: Product name for which the user is being rejected
+        reviewer_id: ID of the user rejecting the account
+
+    Returns:
+        int: The ID of the rejected pre-registration record
+
+    Raises:
+        ValueError: If no pre-registration is found for the email/product
+    """
+    engine = get_asyncpg_engine(app)
+
+    # First, find the pre-registration entry matching the email and product
+    pre_registrations, _ = await _users_repository.list_user_pre_registrations(
+        engine,
+        filter_by_pre_email=pre_registration_email,
+        filter_by_product_name=product_name,
+        filter_by_account_request_status=AccountRequestStatus.PENDING,
+    )
+
+    if not pre_registrations:
+        msg = f"No pending pre-registration found for email {pre_registration_email} in product {product_name}"
+        raise ValueError(msg)
+
+    # There should be only one registration matching these criteria
+    pre_registration = pre_registrations[0]
+    pre_registration_id = pre_registration["id"]
+
+    # Update the pre-registration status to REJECTED using the reviewer's ID
+    await _users_repository.review_user_pre_registration(
+        engine,
+        pre_registration_id=pre_registration_id,
+        reviewed_by=reviewer_id,
+        new_status=AccountRequestStatus.REJECTED,
+    )
+
+    return pre_registration_id

services/web/server/tests/unit/with_dbs/03/test_users_rest_registration.py

@@ -326,3 +326,87 @@ async def test_list_users_for_admin(
     for item in filtered_page_data:
         user = UserForAdminGet(**item)
         assert user.registered is False  # Pending users are not registered
+
+
+@pytest.mark.parametrize(
+    "user_role",
+    [
+        UserRole.PRODUCT_OWNER,
+    ],
+)
+async def test_reject_user_account(
+    client: TestClient,
+    logged_user: UserInfoDict,
+    account_request_form: dict[str, Any],
+    faker: Faker,
+    product_name: ProductName,
+):
+    assert client.app
+
+    # 1. Create a pre-registered user
+    form_data = account_request_form.copy()
+    form_data["firstName"] = faker.first_name()
+    form_data["lastName"] = faker.last_name()
+    form_data["email"] = faker.email()
+
+    resp = await client.post(
+        "/v0/admin/users:pre-register",
+        json=form_data,
+        headers={X_PRODUCT_NAME_HEADER: product_name},
+    )
+    pre_registered_data, _ = await assert_status(resp, status.HTTP_200_OK)
+    pre_registered_email = pre_registered_data["email"]
+
+    # 2. Verify the user is in PENDING status
+    url = client.app.router["list_users_for_admin"].url_for()
+    resp = await client.get(
+        f"{url}?status=PENDING", headers={X_PRODUCT_NAME_HEADER: product_name}
+    )
+    data, _ = await assert_status(resp, status.HTTP_200_OK)
+
+    pending_emails = [user["email"] for user in data if user["status"] is None]
+    assert pre_registered_email in pending_emails
+
+    # 3. Reject the pre-registered user
+    url = client.app.router["reject_user_account"].url_for()
+    resp = await client.post(
+        f"{url}",
+        headers={X_PRODUCT_NAME_HEADER: product_name},
+        json={"email": pre_registered_email},
+    )
+    await assert_status(resp, status.HTTP_204_NO_CONTENT)
+
+    # 4. Verify the user is no longer in PENDING status
+    url = client.app.router["list_users_for_admin"].url_for()
+    resp = await client.get(
+        f"{url}?status=PENDING", headers={X_PRODUCT_NAME_HEADER: product_name}
+    )
+    pending_data, _ = await assert_status(resp, status.HTTP_200_OK)
+    pending_emails = [user["email"] for user in pending_data]
+    assert pre_registered_email not in pending_emails
+
+    # 5. Verify the user is now in REJECTED status
+    # First get user details to check status
+    resp = await client.get(
+        "/v0/admin/users:search",
+        params={"email": pre_registered_email},
+        headers={X_PRODUCT_NAME_HEADER: product_name},
+    )
+    found, _ = await assert_status(resp, status.HTTP_200_OK)
+    assert len(found) == 1
+
+    # Check that account_request_status is REJECTED
+    user_data = found[0]
+    assert user_data["account_request_status"] == "REJECTED"
+    assert user_data["account_request_reviewed_by"] == logged_user["id"]
+    assert user_data["account_request_reviewed_at"] is not None
+
+    # 6. Verify that a rejected user cannot be approved
+    url = client.app.router["approve_user_account"].url_for()
+    resp = await client.post(
+        f"{url}",
+        headers={X_PRODUCT_NAME_HEADER: product_name},
+        json={"email": pre_registered_email},
+    )
+    # Should fail as the account is already reviewed
+    assert resp.status == status.HTTP_400_BAD_REQUEST