Check users aren't using an alias as their link email address for partner links

app/account_linking.py

@@ -207,13 +207,14 @@ def process_login_case(
 ) -> LinkResult:
     # Sanitize email just in case
     link_request.email = sanitize_email(link_request.email)
-    check_alias(link_request.email)
     # Try to find a SimpleLogin user registered with that partner user id
     partner_user = PartnerUser.get_by(
         partner_id=partner.id, external_user_id=link_request.external_user_id
     )
     if partner_user is None:
         # We didn't find any SimpleLogin user registered with that partner user id
+        # Make sure they aren't using an alias as their link email
+        check_alias(link_request.email)
         # Try to find it using the partner's e-mail address
         user = User.get_by(email=link_request.email)
         return get_login_strategy(link_request, user, partner).process()

app/dashboard/views/coupon.py

@@ -68,9 +68,14 @@ def coupon_route():
                 )
                 return redirect(request.url)
 
-            coupon.used_by_user_id = current_user.id
-            coupon.used = True
-            Session.commit()
+            updated = (
+                Session.query(Coupon)
+                .filter_by(code=code, used=False)
+                .update({"used_by_user_id": current_user.id, "used": True})
+            )
+            if updated != 1:
+                flash("Coupon is not valid", "error")
+                return redirect(request.url)
 
             manual_sub: ManualSubscription = ManualSubscription.get_by(
                 user_id=current_user.id

tests/dashboard/test_coupon.py

@@ -0,0 +1,20 @@
+from flask import url_for
+from app.models import Coupon
+from app.utils import random_string
+from tests.utils import login
+
+
+def test_use_coupon(flask_client):
+    user = login(flask_client)
+    code = random_string(10)
+    Coupon.create(code=code, nb_year=1, commit=True)
+
+    r = flask_client.post(
+        url_for("dashboard.coupon_route"),
+        data={"code": code},
+    )
+
+    assert r.status_code == 302
+    coupon = Coupon.get_by(code=code)
+    assert coupon.used
+    assert coupon.used_by_user_id == user.id