Make sure that staff/oauth users cannot change their registered email

opentech/apply/users/forms.py

@@ -34,6 +34,10 @@ class ProfileForm(forms.ModelForm):
         if not self.instance.is_apply_staff:
             del self.fields['slack']
 
+        if not self.instance.has_usable_password():
+            # User is registered with oauth - no password change allowed
+            del self.fields['email']
+
     def clean_slack(self):
         slack = self.cleaned_data['slack']
         if slack:

opentech/apply/users/tests/factories.py

@@ -41,7 +41,7 @@ class AdminFactory(UserFactory):
     is_admin = True
 
 
-class StaffFactory(UserFactory):
+class StaffFactory(OAuthUserFactory):
     class Meta:
         exclude = ('slack_temp', )
     is_staff = True

opentech/apply/users/tests/test_forms.py

@@ -48,6 +48,13 @@ class TestStaffProfileForm(BaseTestProfileForm):
     def setUp(self):
         self.staff = StaffFactory()
 
+    def test_cant_change_password(self):
+        new_email = 'me@this.com'
+        form = self.submit_form(self.staff, email=new_email)
+        self.assertFalse('email' in form.fields)
+        self.staff.refresh_from_db()
+        self.assertNotEqual(new_email, self.staff.email)
+
     def test_can_set_slack_name(self):
         slack_name = '@foobar'
         self.submit_form(self.staff, slack=slack_name)

opentech/apply/users/tests/test_views.py

@@ -43,3 +43,7 @@ class TestStaffProfileView(BaseTestProfielView):
     def test_can_set_slack_name(self):
         response = self.client.get(self.url, follow=True)
         self.assertContains(response, 'Slack name')
+
+    def test_can_not_set_email(self):
+        response = self.client.get(self.url, follow=True)
+        self.assertNotContains(response, 'Email')