remove access checks from domain methods

tests/domain/test_authz.py

@@ -1,7 +1,13 @@
 import pytest
 
-from tests.factories import TaskOrderFactory, UserFactory, PortfolioRoleFactory
-from atst.domain.authz import Authorization
+from tests.factories import (
+    TaskOrderFactory,
+    UserFactory,
+    PortfolioFactory,
+    PortfolioRoleFactory,
+)
+from atst.domain.authz import Authorization, user_can_access
+from atst.domain.authz.decorator import user_can_access_decorator
 from atst.domain.permission_sets import PermissionSets
 from atst.domain.exceptions import UnauthorizedError
 from atst.models.permissions import Permissions
@@ -58,3 +64,85 @@ def test_has_portfolio_permission():
     assert not Authorization.has_portfolio_permission(
         different_user, port_role.portfolio, Permissions.VIEW_PORTFOLIO_REPORTS
     )
+
+
+def test_user_can_access():
+    ccpo = UserFactory.create_ccpo()
+    edit_admin = UserFactory.create()
+    view_admin = UserFactory.create()
+
+    portfolio = PortfolioFactory.create(owner=edit_admin)
+    # factory gives view perms by default
+    PortfolioRoleFactory.create(user=view_admin, portfolio=portfolio)
+
+    # check a site-wide permission
+    assert user_can_access(ccpo, Permissions.VIEW_AUDIT_LOG)
+    with pytest.raises(UnauthorizedError):
+        user_can_access(edit_admin, Permissions.VIEW_AUDIT_LOG)
+        user_can_access(view_admin, Permissions.VIEW_AUDIT_LOG)
+
+    # check a portfolio view permission
+    assert user_can_access(ccpo, Permissions.VIEW_PORTFOLIO, portfolio=portfolio)
+    assert user_can_access(edit_admin, Permissions.VIEW_PORTFOLIO, portfolio=portfolio)
+    assert user_can_access(view_admin, Permissions.VIEW_PORTFOLIO, portfolio=portfolio)
+
+    # check a portfolio edit permission
+    assert user_can_access(ccpo, Permissions.EDIT_PORTFOLIO_NAME, portfolio=portfolio)
+    assert user_can_access(
+        edit_admin, Permissions.EDIT_PORTFOLIO_NAME, portfolio=portfolio
+    )
+    with pytest.raises(UnauthorizedError):
+        user_can_access(
+            view_admin, Permissions.EDIT_PORTFOLIO_NAME, portfolio=portfolio
+        )
+
+
+@pytest.fixture
+def set_current_user(request_ctx):
+    def _set_current_user(user):
+        request_ctx.g.current_user = user
+
+    yield _set_current_user
+
+    request_ctx.g.current_user = None
+
+
+def test_user_can_access_decorator(set_current_user):
+    ccpo = UserFactory.create_ccpo()
+    edit_admin = UserFactory.create()
+    view_admin = UserFactory.create()
+
+    portfolio = PortfolioFactory.create(owner=edit_admin)
+    # factory gives view perms by default
+    PortfolioRoleFactory.create(user=view_admin, portfolio=portfolio)
+
+    @user_can_access_decorator(Permissions.EDIT_PORTFOLIO_NAME)
+    def _edit_portfolio_name(*args, **kwargs):
+        return True
+
+    set_current_user(ccpo)
+    assert _edit_portfolio_name(portfolio_id=portfolio.id)
+
+    set_current_user(edit_admin)
+    assert _edit_portfolio_name(portfolio_id=portfolio.id)
+
+    set_current_user(view_admin)
+    with pytest.raises(UnauthorizedError):
+        _edit_portfolio_name(portfolio_id=portfolio.id)
+
+
+def test_user_can_access_decorator_exceptions(set_current_user):
+    rando_calrissian = UserFactory.create()
+    portfolio = PortfolioFactory.create()
+
+    wont_work = lambda *args, **kwargs: False
+    because_i_said_so = lambda *args, **kwargs: True
+
+    @user_can_access_decorator(
+        Permissions.EDIT_PORTFOLIO_NAME, exceptions=[wont_work, because_i_said_so]
+    )
+    def _edit_portfolio_name(*args, **kwargs):
+        return True
+
+    set_current_user(rando_calrissian)
+    assert _edit_portfolio_name(portfolio_id=portfolio.id)