simple implementation of request view authorization

2018-08-07 16:15:34 -04:00
parent 1a5800cbc5
commit 2cfc142417
3 changed files with 63 additions and 1 deletions
--- a/atst/routes/requests/requests_form.py
+++ b/atst/routes/requests/requests_form.py
@@ -3,6 +3,7 @@ from flask import g, redirect, render_template, url_for, request as http_request
 from . import requests_bp
 from atst.domain.requests import Requests
 from atst.routes.requests.jedi_request_flow import JEDIRequestFlow
+from atst.models.permissions import Permissions


@requests_bp.route("/requests/new/<int:screen>", methods=["GET"])
@@ -25,6 +26,9 @@ def requests_form_new(screen):
 )
@requests_bp.route("/requests/new/<int:screen>/<string:request_id>", methods=["GET"])
 def requests_form_update(screen=1, request_id=None):
+    if request_id and not _can_view_request(request_id):
+        return redirect(url_for("atst.unauthorized"))
+
    request = Requests.get(request_id) if request_id is not None else None
    jedi_flow = JEDIRequestFlow(screen, request, request_id=request_id)

@@ -79,10 +83,12 @@ def requests_update(screen=1, request_id=None):
                    request_id=jedi_flow.request_id,
                )
            return redirect(where)
+
        else:
            return render_template(
                "requests/screen-%d.html" % int(screen), **rerender_args
            )
+
    else:
        return render_template("requests/screen-%d.html" % int(screen), **rerender_args)

@@ -94,5 +100,15 @@ def requests_submit(request_id=None):

    if request.status == "approved":
        return redirect("/requests?modal=True")
+
    else:
        return redirect("/requests")
+
+
+# TODO: generalize this, along with other authorizations, into a policy-pattern
+# for authorization in the application
+def _can_view_request(request_id):
+    return (
+        Permissions.REVIEW_AND_APPROVE_JEDI_WORKSPACE_REQUEST in g.current_user.atat_permissions
+        or Requests.is_creator(request_id, g.current_user.id)
+    )