org: Ensure that we allow details only when they have not been submitted

Yopi · Yopi · commit 7bd1b6192935 · 2026-04-13T10:01:21.000+02:00
diff --git a/server/polar/organization/service.py b/server/polar/organization/service.py
@@ -360,7 +360,7 @@ async def update(
             },
         )
 
-        if update_schema.details:
+        if update_schema.details and organization.status == OrganizationStatus.CREATED:
             organization.details = cast(
                 OrganizationDetails, update_schema.details.model_dump()
             )
diff --git a/server/tests/organization/test_endpoints.py b/server/tests/organization/test_endpoints.py
@@ -7,7 +7,7 @@
 
 from polar.models import Product, User
 from polar.models.account import Account
-from polar.models.organization import Organization
+from polar.models.organization import Organization, OrganizationStatus
 from polar.models.subscription import SubscriptionStatus
 from polar.models.user_organization import UserOrganization
 from polar.payout_account.service import PayoutAccountServiceError
@@ -298,11 +298,15 @@ async def test_submit_for_review_valid(
         self,
         client: AsyncClient,
         mocker: MockerFixture,
+        save_fixture: SaveFixture,
         organization: Organization,
         user_organization: UserOrganization,
     ) -> None:
         enqueue_job_mock = mocker.patch("polar.organization.service.enqueue_job")
 
+        organization.status = OrganizationStatus.CREATED
+        await save_fixture(organization)
+
         update_response = await client.patch(
             f"/v1/organizations/{organization.id}",
             json={
diff --git a/server/tests/organization/test_service.py b/server/tests/organization/test_service.py
@@ -17,6 +17,9 @@
 from polar.exceptions import PolarRequestValidationError
 from polar.models import Customer, Organization, Product, User
 from polar.models.account import Account
+from polar.models.organization import (
+    OrganizationDetails as OrganizationDetailsDict,
+)
 from polar.models.organization import (
     OrganizationNotificationSettings,
     OrganizationStatus,
@@ -239,6 +242,10 @@ async def test_update_details_does_not_submit_for_review(
     ) -> None:
         enqueue_job_mock = mocker.patch("polar.organization.service.enqueue_job")
 
+        organization.status = OrganizationStatus.CREATED
+        session.add(organization)
+        await session.flush()
+
         result = await organization_service.update(
             session,
             organization,
@@ -271,6 +278,9 @@ async def test_update_with_submit_for_review(
         organization: Organization,
     ) -> None:
         enqueue_job_mock = mocker.patch("polar.organization.service.enqueue_job")
+        organization.status = OrganizationStatus.CREATED
+        session.add(organization)
+        await session.flush()
         await organization_service.update(
             session,
             organization,
@@ -306,6 +316,9 @@ async def test_update_with_submit_for_review_requires_relevant_fields(
         session: AsyncSession,
         organization: Organization,
     ) -> None:
+        organization.status = OrganizationStatus.CREATED
+        session.add(organization)
+        await session.flush()
         await organization_service.update(
             session,
             organization,
@@ -328,6 +341,38 @@ async def test_update_with_submit_for_review_requires_relevant_fields(
         assert ("body", "socials") in error_locations
         assert ("body", "details", "product_description") in error_locations
 
+    @pytest.mark.auth
+    async def test_update_details_ignored_after_initial_status(
+        self,
+        session: AsyncSession,
+        organization: Organization,
+    ) -> None:
+        original_details: OrganizationDetailsDict = {
+            "product_description": "Original description for the organization.",
+            "selling_categories": ["Software / SaaS"],
+            "pricing_models": ["Subscription"],
+            "switching": False,
+        }
+        organization.details = original_details
+        organization.status = OrganizationStatus.ACTIVE
+        session.add(organization)
+        await session.flush()
+
+        result = await organization_service.update(
+            session,
+            organization,
+            OrganizationUpdate(
+                details=OrganizationDetails(
+                    product_description="Attempted tampering after approval.",
+                    selling_categories=["Other"],
+                    pricing_models=["One-time"],
+                    switching=True,
+                )
+            ),
+        )
+
+        assert result.details == original_details
+
 
 @pytest.mark.asyncio
 async def test_get_next_invoice_number_organization(

Original file line number	Diff line number	Diff line change
`@@ -360,7 +360,7 @@ async def update(`
`360`	`360`	`},`
`361`	`361`	`)`
`362`	`362`
`363`		`- if update_schema.details:`
	`363`	`+ if update_schema.details and organization.status == OrganizationStatus.CREATED:`
`364`	`364`	`organization.details = cast(`
`365`	`365`	`OrganizationDetails, update_schema.details.model_dump()`
`366`	`366`	`)`