Switchable OTP verification for email bcc fields (#70)

Co-authored-by: Roman Kysil <[email protected]>
collective · Sep 19, 2024 · dd5c500 · dd5c500
1 parent ef327ba
commit dd5c500
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 1 deletion.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,6 +4,9 @@ Changelog
 3.1.4 (unreleased)
 ------------------
 
+- Switchable email bcc fields OTP verification.
+  [folix-01]
+
 - Added ISO formatted strings being allowed as date inputs
   [JeffersonBledsoe]
 

diff --git a/src/collective/volto/formsupport/restapi/services/submit_form/post.py b/src/collective/volto/formsupport/restapi/services/submit_form/post.py
@@ -247,7 +247,9 @@ def validate_bcc(self):
                 continue
 
             if data.get("field_id", "") in bcc_fields:
-                if not validate_email_token(
+                if self.block.get(
+                    "email_otp_verification", True
+                ) and not validate_email_token(
                     self.form_data.get("block_id", ""), data["value"], data["otp"]
                 ):
                     raise BadRequest(

diff --git a/src/collective/volto/formsupport/tests/test_send_action_form.py b/src/collective/volto/formsupport/tests/test_send_action_form.py
@@ -694,6 +694,73 @@ def test_email_field_used_as_bcc(
         self.assertNotIn("To: [email protected]", bcc_msg)
         self.assertIn("To: [email protected]", bcc_msg)
 
+        # Test send wrong otp
+        response = self.submit_form(
+            data={
+                "data": [
+                    {"label": "Message", "value": "just want to say hi"},
+                    {"label": "Name", "value": "Smith"},
+                    {
+                        "field_id": "contact",
+                        "label": "Email",
+                        "value": "[email protected]",
+                        "otp": None,
+                    },
+                ],
+                "block_id": "form-id",
+            },
+        )
+
+        self.assertEqual(response.status_code, 400)
+
+        # Test do not verify opt if otp flag `email_otp_verification` is False
+        self.document.blocks = {
+            "text-id": {"@type": "text"},
+            "form-id": {
+                "@type": "form",
+                "default_subject": "block subject",
+                "default_from": "[email protected]",
+                "send": False,
+                "store": True,
+                "email_otp_verification": False,
+                "subblocks": [
+                    {
+                        "field_id": "contact",
+                        "field_type": "from",
+                        "use_as_bcc": True,
+                    },
+                    {
+                        "field_id": "message",
+                        "field_type": "text",
+                    },
+                    {
+                        "field_id": "name",
+                        "field_type": "text",
+                    },
+                ],
+            },
+        }
+
+        transaction.commit()
+
+        response = self.submit_form(
+            data={
+                "data": [
+                    {"label": "Message", "value": "just want to say hi"},
+                    {"label": "Name", "value": "Smith"},
+                    {
+                        "field_id": "contact",
+                        "label": "Email",
+                        "value": "[email protected]",
+                        "otp": 123,
+                    },
+                ],
+                "block_id": "form-id",
+            },
+        )
+
+        self.assertEqual(response.status_code, 200)
+
     def test_send_attachment(
         self,
     ):