add access tests for all access-protected routes

- cleans up skipped access tests in domain tests
- cleans up other skipped tests that are no longer relevant

atst/routes/portfolios/applications.py

@@ -96,15 +96,20 @@ def update_application(portfolio_id, application_id):
         )
 
 
+def wrap_environment_role_lookup(
+    user, _perm, portfolio_id=None, environment_id=None, **kwargs
+):
+    env_role = EnvironmentRoles.get(user.id, environment_id)
+    if not env_role:
+        raise UnauthorizedError(user, "access environment {}".format(environment_id))
+
+    return True
+
+
 @portfolios_bp.route("/portfolios/<portfolio_id>/environments/<environment_id>/access")
-# TODO: we probably need a different permission for this
-@user_can(Permissions.VIEW_ENVIRONMENT)
+@user_can(None, exceptions=[wrap_environment_role_lookup])
 def access_environment(portfolio_id, environment_id):
     env_role = EnvironmentRoles.get(g.current_user.id, environment_id)
-    if not env_role:
-        raise UnauthorizedError(
-            g.current_user, "access environment {}".format(environment_id)
-        )
-    else:
-        token = app.csp.cloud.get_access_token(env_role)
-        return redirect(url_for("atst.csp_environment_access", token=token))
+    token = app.csp.cloud.get_access_token(env_role)
+
+    return redirect(url_for("atst.csp_environment_access", token=token))

atst/routes/portfolios/index.py

@@ -37,11 +37,7 @@ def serialize_member(member):
     }
 
 
-@portfolios_bp.route("/portfolios/<portfolio_id>/admin")
-@user_can(Permissions.VIEW_PORTFOLIO_ADMIN)
-def portfolio_admin(portfolio_id):
-    portfolio = Portfolios.get_for_update(portfolio_id)
-    form = PortfolioForm(data={"name": portfolio.name})
+def render_admin_page(portfolio, form):
     pagination_opts = Paginator.get_pagination_opts(http_request)
     audit_events = AuditLog.get_portfolio_events(portfolio, pagination_opts)
     members_data = [serialize_member(member) for member in portfolio.members]
@@ -55,6 +51,14 @@ def portfolio_admin(portfolio_id):
     )
 
 
+@portfolios_bp.route("/portfolios/<portfolio_id>/admin")
+@user_can(Permissions.VIEW_PORTFOLIO_ADMIN)
+def portfolio_admin(portfolio_id):
+    portfolio = Portfolios.get_for_update(portfolio_id)
+    form = PortfolioForm(data={"name": portfolio.name})
+    return render_admin_page(portfolio, form)
+
+
 @portfolios_bp.route("/portfolios/<portfolio_id>/edit", methods=["POST"])
 @user_can(Permissions.EDIT_PORTFOLIO_NAME)
 def edit_portfolio(portfolio_id):
@@ -66,7 +70,8 @@ def edit_portfolio(portfolio_id):
             url_for("portfolios.portfolio_applications", portfolio_id=portfolio.id)
         )
     else:
-        return render_template("portfolios/edit.html", form=form, portfolio=portfolio)
+        # rerender portfolio admin page
+        return render_admin_page(portfolio, form)
 
 
 @portfolios_bp.route("/portfolios/<portfolio_id>")

atst/routes/portfolios/members.py

@@ -129,6 +129,8 @@ def view_member(portfolio_id, member_id):
     )
 
 
+# TODO: check if member_id is consistent with other routes here;
+# user ID vs portfolio role ID
 @portfolios_bp.route(
     "/portfolios/<portfolio_id>/members/<member_id>/member_edit", methods=["POST"]
 )