From 2f1cc820a865f6d748fd0c3040390966f56aa161 Mon Sep 17 00:00:00 2001
From: Matti Lamppu <matti.lamppu@vincit.fi>
Date: Wed, 5 Feb 2025 09:29:36 +0200
Subject: [PATCH] Add age validation to application sent mutation

---
 tests/factories/application.py                     |  1 +
 .../test_graphql_api/test_application/test_send.py | 14 ++++++++++++++
 .../api/graphql/types/application/serializers.py   |  9 +++++++++
 3 files changed, 24 insertions(+)

diff --git a/tests/factories/application.py b/tests/factories/application.py
index 3a1fa1e865..e035aea155 100644
--- a/tests/factories/application.py
+++ b/tests/factories/application.py
@@ -131,6 +131,7 @@ def create_application_ready_for_sending(cls, **kwargs: Any) -> Application:
             "applicant_type": ApplicantTypeChoice.INDIVIDUAL,
             "cancelled_date": None,
             "sent_date": None,
+            "user__date_of_birth": datetime.date(1980, 1, 1),
             **kwargs,
         }
 
diff --git a/tests/test_graphql_api/test_application/test_send.py b/tests/test_graphql_api/test_application/test_send.py
index b3d90063a6..821e95b539 100644
--- a/tests/test_graphql_api/test_application/test_send.py
+++ b/tests/test_graphql_api/test_application/test_send.py
@@ -3,6 +3,7 @@
 import datetime
 
 import pytest
+from freezegun import freeze_time
 
 from tilavarauspalvelu.enums import ApplicantTypeChoice, Priority, Weekday
 from tilavarauspalvelu.integrations.email.main import EmailService
@@ -737,3 +738,16 @@ def test_send_application__company_applicant__identifier_missing(graphql):
     assert response.field_error_messages() == [
         "Application organisation must have an identifier.",
     ]
+
+
+@freeze_time("2024-01-01")
+def test_send_application__user_is_not_adult(graphql):
+    application = ApplicationFactory.create_application_ready_for_sending(
+        user__date_of_birth=datetime.date(2020, 1, 1),
+    )
+
+    graphql.login_with_superuser()
+    response = graphql(SEND_MUTATION, input_data={"pk": application.pk})
+
+    assert response.error_message() == "Mutation was unsuccessful."
+    assert response.field_error_messages() == ["Application can only be sent by an adult reservee"]
diff --git a/tilavarauspalvelu/api/graphql/types/application/serializers.py b/tilavarauspalvelu/api/graphql/types/application/serializers.py
index dcbcac40b9..f1037d448d 100644
--- a/tilavarauspalvelu/api/graphql/types/application/serializers.py
+++ b/tilavarauspalvelu/api/graphql/types/application/serializers.py
@@ -97,6 +97,7 @@ def validate(self, data: dict[str, Any]) -> dict[str, Any]:
 
         self.validate_application_sections(errors)
         self.validate_applicant(errors)
+        self.validate_user(self.instance.user, errors)
 
         status = self.instance.status
         if not status.can_send:
@@ -312,6 +313,14 @@ def validate_organisation_address(self, organisation: Organisation, errors: defa
             if self.instance.billing_address is not None:
                 self.validate_billing_address(errors)
 
+    def validate_user(self, user: User, errors: defaultdict[str, list[str]]) -> None:
+        if user.actions.is_ad_user or user.actions.is_of_age:
+            return
+
+        msg = "Application can only be sent by an adult reservee"
+        errors[api_settings.NON_FIELD_ERRORS_KEY].append(msg)
+        return
+
     def save(self, **kwargs: Any) -> Application:
         self.instance.sent_date = local_datetime()
         self.instance.save()