/switch_team/ requires login and a valid target username

hc/accounts/tests/test_switch_team.py

@@ -28,3 +28,17 @@ class SwitchTeamTestCase(BaseTestCase):
         url = "/accounts/switch_team/%s/" % self.alice.username
         r = self.client.get(url, follow=True)
         self.assertEqual(r.status_code, 200)
+
+    def test_it_handles_invalid_username(self):
+        self.client.login(username="bob@example.org", password="password")
+
+        url = "/accounts/switch_team/dave/"
+        r = self.client.get(url)
+        self.assertEqual(r.status_code, 403)
+
+    def test_it_requires_login(self):
+        url = "/accounts/switch_team/%s/" % self.alice.username
+        r = self.client.get(url)
+
+        expected_url = "/accounts/login/?next=/accounts/switch_team/alice/"
+        self.assertRedirects(r, expected_url)

hc/accounts/views.py

@@ -266,8 +266,12 @@ def unsubscribe_reports(request, username):
     return render(request, "accounts/unsubscribed.html")
 
 
+@login_required
 def switch_team(request, target_username):
+    try:
         other_user = User.objects.get(username=target_username)
+    except User.DoesNotExist:
+        return HttpResponseForbidden()
 
     # The rules:
     # Superuser can switch to any team.