Inactive contracts should not appear in API results by default (#3074)

cp-at-mit · pre-commit-ci[bot] · web-flow · commit d37727e0e537 · 2025-11-10T08:00:28.000-05:00
Co-authored-by: pre-commit-ci[bot] &lt;66853113+pre-commit-ci[bot]@users.noreply.github.com&gt;
diff --git a/b2b/serializers/v0/__init__.py b/b2b/serializers/v0/__init__.py
@@ -54,7 +54,13 @@ class OrganizationPageSerializer(serializers.ModelSerializer):
     Serializer for the OrganizationPage model.
     """
 
-    contracts = ContractPageSerializer(many=True, read_only=True)
+    contracts = serializers.SerializerMethodField()
+
+    @extend_schema_field(ContractPageSerializer(many=True))
+    def get_contracts(self, instance):
+        """Get only active contracts for the organization"""
+        active_contracts = instance.contracts.filter(active=True)
+        return ContractPageSerializer(active_contracts, many=True).data
 
     class Meta:
         model = OrganizationPage
@@ -145,6 +151,7 @@ def get_contracts(self, instance):
             self.context["user"]
             .b2b_contracts.filter(
                 organization=instance.organization,
+                active=True,
             )
             .all()
         )
diff --git a/b2b/views/v0/__init__.py b/b2b/views/v0/__init__.py
@@ -47,12 +47,15 @@ class ContractPageViewSet(viewsets.ReadOnlyModelViewSet):
     Viewset for the ContractPage model.
     """
 
-    queryset = ContractPage.objects.all()
     serializer_class = ContractPageSerializer
     permission_classes = [IsAdminOrReadOnly | HasAPIKey]
     lookup_field = "slug"
     lookup_url_kwarg = "contract_slug"
 
+    def get_queryset(self):
+        """Filter to only return active contracts by default."""
+        return ContractPage.objects.filter(active=True)
+
 
 class Enroll(APIView):
     """View for enrolling in a B2B course."""
@@ -118,6 +121,13 @@ def post(self, request, enrollment_code: str, format=None):  # noqa: A002, ARG00
         """
 
         now = now_in_utc()
+
+        def get_active_user_contracts(user):
+            """Helper to get active contracts for a user."""
+            return user.b2b_contracts.filter(active=True).exclude(
+                Q(contract_start__gt=now) | Q(contract_end__lt=now)
+            )
+
         try:
             code = (
                 Discount.objects.annotate(Count("contract_redemptions"))
@@ -131,7 +141,9 @@ def post(self, request, enrollment_code: str, format=None):  # noqa: A002, ARG00
             )
         except Discount.DoesNotExist:
             return Response(
-                ContractPageSerializer(request.user.b2b_contracts.all(), many=True).data
+                ContractPageSerializer(
+                    get_active_user_contracts(request.user), many=True
+                ).data
             )
 
         contract_ids = list(code.b2b_contracts().values_list("id", flat=True))
@@ -157,5 +169,7 @@ def post(self, request, enrollment_code: str, format=None):  # noqa: A002, ARG00
         request.user.save()
 
         return Response(
-            ContractPageSerializer(request.user.b2b_contracts.all(), many=True).data
+            ContractPageSerializer(
+                get_active_user_contracts(request.user), many=True
+            ).data
         )
diff --git a/users/views_test.py b/users/views_test.py
@@ -146,6 +146,44 @@ def test_get_user_by_me(mocker, client, user, is_anonymous, has_orgs):
         }
 
 
+@pytest.mark.django_db
+def test_get_user_by_me_excludes_inactive_contracts(client, user):
+    """Test that /api/v0/users/me only returns active contracts"""
+    client.force_login(user)
+
+    # Create active and inactive contracts in the same organization
+    active_contract = ContractPageFactory.create(active=True)
+    inactive_contract = ContractPageFactory.create(
+        active=False, organization=active_contract.organization
+    )
+
+    # Add user to the organization
+    user.b2b_organizations.add(active_contract.organization)
+    # Add user to both contracts
+    user.b2b_contracts.add(active_contract)
+    user.b2b_contracts.add(inactive_contract)
+    user.save()
+
+    resp = client.get(reverse("users_api-me"))
+
+    assert resp.status_code == status.HTTP_200_OK
+
+    response_data = resp.json()
+    assert len(response_data["b2b_organizations"]) == 1
+
+    org_data = response_data["b2b_organizations"][0]
+    assert org_data["id"] == active_contract.organization.id
+
+    # Should only include the active contract
+    assert len(org_data["contracts"]) == 1
+    assert org_data["contracts"][0]["id"] == active_contract.id
+    assert org_data["contracts"][0]["active"] is True
+
+    # Should not include the inactive contract
+    contract_ids = [contract["id"] for contract in org_data["contracts"]]
+    assert inactive_contract.id not in contract_ids
+
+
 @pytest.mark.parametrize(
     ("is_anonymous", "has_openedx_user", "has_edx_username"),
     [
