From 29e6d2934f696b3cf2b0e791e3c1909c152603c2 Mon Sep 17 00:00:00 2001
From: richard-dds
Date: Wed, 5 Sep 2018 12:04:22 -0400
Subject: [PATCH] Check VIEW_WORKSPACE_MEMBERS permission
---
 atst/routes/workspaces.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/atst/routes/workspaces.py b/atst/routes/workspaces.py
index 0e18ed63..190b5eff 100644
--- a/atst/routes/workspaces.py
+++ b/atst/routes/workspaces.py
@@ -63,8 +63,14 @@ def show_workspace(workspace_id):
 @bp.route("/workspaces//members")
 def workspace_members(workspace_id):
- workspace = Workspaces.get(g.current_user, workspace_id)
- return render_template("workspaces/members/index.html", workspace=workspace)
+ user = g.current_user
+ workspace = Workspaces.get(user, workspace_id)
+ if not Authorization.has_workspace_permission(
+ user, workspace, Permissions.VIEW_WORKSPACE_MEMBERS
+ ):
+ raise UnauthorizedError(user, "view workspace members")
+
+ return render_template("workspace_members.html", workspace=workspace)
 @bp.route("/workspaces//reports")
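Review bot: The final `render_template` call in `workspace_members` switches the template from `workspaces/members/index.html` to `workspace_members.html`, which the commit subject does not mention. The diffstat shows only `workspaces.py` changed, so no template was added or renamed here. If `workspace_members.html` is not already in the tree, every authorized request fails at render time; unless the rename is intended, keep `return render_template("workspaces/members/index.html", workspace=workspace)`. The 8 insertions are all in this hunk, so `Authorization`, `Permissions` and `UnauthorizedError` must already be imported in the module, otherwise the new check raises `NameError` instead of denying access. The denial branch also lands without a test; one asserting that a user lacking `VIEW_WORKSPACE_MEMBERS` gets `UnauthorizedError` would guard against the check being dropped in a later refactor.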