From 24b2d95f03e7dde143756148af7e29041ecf663d Mon Sep 17 00:00:00 2001
From: dandds <dan-ctr@friends.dds.mil>
Date: Thu, 15 Aug 2019 10:20:30 -0400
Subject: [PATCH] Application members should not see deleted applications.

This updates the `Portfolios.for_user` method to screen out deleted
ApplicationRole entities. For extra assurance, we also mark application
roles as disabled when they are deleted.
---
 atst/domain/applications.py     |  1 +
 atst/domain/portfolios/query.py |  1 +
 tests/domain/test_portfolios.py | 15 +++++++++++++++
 3 files changed, 17 insertions(+)

diff --git a/atst/domain/applications.py b/atst/domain/applications.py
index 42858719..dc519a0a 100644
--- a/atst/domain/applications.py
+++ b/atst/domain/applications.py
@@ -63,6 +63,7 @@ class Applications(BaseDomainClass):
 
         for role in application.roles:
             role.deleted = True
+            role.status = ApplicationRoleStatus.DISABLED
             db.session.add(role)
 
         db.session.add(application)
diff --git a/atst/domain/portfolios/query.py b/atst/domain/portfolios/query.py
index 86ff539f..18554017 100644
--- a/atst/domain/portfolios/query.py
+++ b/atst/domain/portfolios/query.py
@@ -35,6 +35,7 @@ class PortfoliosQuery(Query):
                                     ApplicationRole.status
                                     == ApplicationRoleStatus.ACTIVE
                                 )
+                                .filter(ApplicationRole.deleted == False)
                                 .subquery()
                             )
                         )
diff --git a/tests/domain/test_portfolios.py b/tests/domain/test_portfolios.py
index 87be0cb5..e69ee45d 100644
--- a/tests/domain/test_portfolios.py
+++ b/tests/domain/test_portfolios.py
@@ -225,3 +225,18 @@ def test_for_user_does_not_include_deleted_portfolios():
     user = UserFactory.create()
     PortfolioFactory.create(owner=user, deleted=True)
     assert len(Portfolios.for_user(user)) == 0
+
+
+def test_for_user_does_not_include_deleted_application_roles():
+    user1 = UserFactory.create()
+    user2 = UserFactory.create()
+    portfolio = PortfolioFactory.create()
+    app = ApplicationFactory.create(portfolio=portfolio)
+    ApplicationRoleFactory.create(
+        status=ApplicationRoleStatus.ACTIVE, user=user1, application=app
+    )
+    assert len(Portfolios.for_user(user1)) == 1
+    ApplicationRoleFactory.create(
+        status=ApplicationRoleStatus.ACTIVE, user=user2, application=app, deleted=True
+    )
+    assert len(Portfolios.for_user(user2)) == 0