Handle missing project when verifying role invitation (#18857)

* Handle missing project when verifying role

* Update translations

Author: di

tests/unit/accounts/test_views.py

@@ -3325,6 +3325,44 @@ def test_verify_fails_with_different_user(
         ]
         assert db_request.route_path.calls == [pretend.call("manage.projects")]
 
+    def test_verify_fails_with_missing_project(
+        self, db_request, user_service, token_service
+    ):
+        project = ProjectFactory.create()
+        user = UserFactory.create()
+
+        db_request.user = user
+        db_request.method = "POST"
+        db_request.GET.update({"token": "RANDOM_KEY"})
+        db_request.route_path = pretend.call_recorder(lambda name: "/")
+        db_request.remote_addr = "192.168.1.1"
+        token_service.loads = pretend.call_recorder(
+            lambda token: {
+                "action": "email-project-role-verify",
+                "desired_role": "Maintainer",
+                "user_id": user.id,
+                "project_id": project.id,
+                "submitter_id": db_request.user.id,
+            }
+        )
+        user_service.get_user = pretend.call_recorder(lambda user_id: user)
+        db_request.find_service = pretend.call_recorder(
+            lambda iface, context=None, name=None: {
+                ITokenService: token_service,
+                IUserService: user_service,
+            }.get(iface)
+        )
+        db_request.session.flash = pretend.call_recorder(lambda *a, **kw: None)
+
+        db_request.db.delete(project)
+
+        views.verify_project_role(db_request)
+
+        assert db_request.session.flash.calls == [
+            pretend.call("Invalid token: project does not exist", queue="error")
+        ]
+        assert db_request.route_path.calls == [pretend.call("manage.projects")]
+
     def test_verify_role_get_confirmation(
         self, db_request, user_service, token_service
     ):

warehouse/accounts/views.py

@@ -1264,11 +1264,14 @@ def _error(message):
     if user != request.user:
         return _error(request._("Role invitation is not valid."))
 
-    project = (
-        request.db.query(Project).filter(Project.id == data.get("project_id")).one()
-    )
-    desired_role = data.get("desired_role")
+    try:
+        project = (
+            request.db.query(Project).filter(Project.id == data.get("project_id")).one()
+        )
+    except NoResultFound:
+        return _error(request._("Invalid token: project does not exist"))
 
+    desired_role = data.get("desired_role")
     role_invite = (
         request.db.query(RoleInvitation)
         .filter(RoleInvitation.project == project)

warehouse/locale/messages.pot

@@ -282,47 +282,51 @@ msgstr ""
 msgid "Role invitation is not valid."
 msgstr ""
 
-#: warehouse/accounts/views.py:1280
+#: warehouse/accounts/views.py:1272
+msgid "Invalid token: project does not exist"
+msgstr ""
+
+#: warehouse/accounts/views.py:1283
 msgid "Role invitation no longer exists."
 msgstr ""
 
-#: warehouse/accounts/views.py:1312
+#: warehouse/accounts/views.py:1315
 #, python-brace-format
 msgid "Invitation for '${project_name}' is declined."
 msgstr ""
 
-#: warehouse/accounts/views.py:1378
+#: warehouse/accounts/views.py:1381
 #, python-brace-format
 msgid "You are now ${role} of the '${project_name}' project."
 msgstr ""
 
-#: warehouse/accounts/views.py:1458
+#: warehouse/accounts/views.py:1461
 #, python-brace-format
 msgid "Please review our updated <a href=\"${tos_url}\">Terms of Service</a>."
 msgstr ""
 
-#: warehouse/accounts/views.py:1670 warehouse/accounts/views.py:1924
+#: warehouse/accounts/views.py:1673 warehouse/accounts/views.py:1927
 #: warehouse/manage/views/oidc_publishers.py:120
 msgid ""
 "Trusted publishing is temporarily disabled. See https://pypi.org/help"
 "#admin-intervention for details."
 msgstr ""
 
-#: warehouse/accounts/views.py:1691
+#: warehouse/accounts/views.py:1694
 msgid "disabled. See https://pypi.org/help#admin-intervention for details."
 msgstr ""
 
-#: warehouse/accounts/views.py:1707
+#: warehouse/accounts/views.py:1710
 msgid ""
 "You must have a verified email in order to register a pending trusted "
 "publisher. See https://pypi.org/help#openid-connect for details."
 msgstr ""
 
-#: warehouse/accounts/views.py:1720
+#: warehouse/accounts/views.py:1723
 msgid "You can't register more than 3 pending trusted publishers at once."
 msgstr ""
 
-#: warehouse/accounts/views.py:1735
+#: warehouse/accounts/views.py:1738
 #: warehouse/manage/views/oidc_publishers.py:302
 #: warehouse/manage/views/oidc_publishers.py:417
 #: warehouse/manage/views/oidc_publishers.py:531
@@ -332,30 +336,30 @@ msgid ""
 "again later."
 msgstr ""
 
-#: warehouse/accounts/views.py:1745
+#: warehouse/accounts/views.py:1748
 #: warehouse/manage/views/oidc_publishers.py:315
 #: warehouse/manage/views/oidc_publishers.py:430
 #: warehouse/manage/views/oidc_publishers.py:544
 #: warehouse/manage/views/oidc_publishers.py:656
 msgid "The trusted publisher could not be registered"
 msgstr ""
 
-#: warehouse/accounts/views.py:1760
+#: warehouse/accounts/views.py:1763
 msgid ""
 "This trusted publisher has already been registered. Please contact PyPI's"
 " admins if this wasn't intentional."
 msgstr ""
 
-#: warehouse/accounts/views.py:1794
+#: warehouse/accounts/views.py:1797
 msgid "Registered a new pending publisher to create "
 msgstr ""
 
-#: warehouse/accounts/views.py:1937 warehouse/accounts/views.py:1950
-#: warehouse/accounts/views.py:1957
+#: warehouse/accounts/views.py:1940 warehouse/accounts/views.py:1953
+#: warehouse/accounts/views.py:1960
 msgid "Invalid publisher ID"
 msgstr ""
 
-#: warehouse/accounts/views.py:1964
+#: warehouse/accounts/views.py:1967
 msgid "Removed trusted publisher for project "
 msgstr ""