pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1142 from dod-ccpo/bugfix/revoke-deleted-user

Browse Source 
Bugfix: Invited but disabled portfolio member shouldn't be able to reactivate self
This commit is contained in:
dandds 2019-10-29 11:53:58 -04:00 committed by GitHub
commit 3456f37396
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
atst/domain/invitations.py
View File

@ -114,7 +114,9 @@ class BaseInvitations(object):
@classmethod @classmethod
def revoke(cls, token): def revoke(cls, token):
invite = cls._get(token) invite = cls._get(token)
return cls._update_status(invite, InvitationStatus.REVOKED) invite = cls._update_status(invite, InvitationStatus.REVOKED)
cls.role_domain_class.disable(invite.role)
return invite
@classmethod @classmethod
def resend(cls, inviter, token, user_info=None): def resend(cls, inviter, token, user_info=None):
@ -142,9 +144,3 @@ class PortfolioInvitations(BaseInvitations):
class ApplicationInvitations(BaseInvitations): class ApplicationInvitations(BaseInvitations):
model = ApplicationInvitation model = ApplicationInvitation
role_domain_class = ApplicationRoles role_domain_class = ApplicationRoles
@classmethod
def revoke(cls, token):
invite = super().revoke(token)
ApplicationRoles.disable(invite.role)
return invite

10
atst/routes/portfolios/admin.py
View File

@ -3,6 +3,8 @@ from flask import render_template, request as http_request, g, redirect, url_for
from . import portfolios_bp from . import portfolios_bp
from atst.domain.portfolios import Portfolios from atst.domain.portfolios import Portfolios
from atst.domain.portfolio_roles import PortfolioRoles from atst.domain.portfolio_roles import PortfolioRoles
from atst.models.portfolio_role import Status as PortfolioRoleStatus
from atst.domain.invitations import PortfolioInvitations
from atst.domain.permission_sets import PermissionSets from atst.domain.permission_sets import PermissionSets
from atst.domain.audit_log import AuditLog from atst.domain.audit_log import AuditLog
from atst.domain.common import Paginator from atst.domain.common import Paginator
@ -184,8 +186,12 @@ def remove_member(portfolio_id, portfolio_role_id):
g.current_user, "you can't delete the portfolios PPoC from the portfolio" g.current_user, "you can't delete the portfolios PPoC from the portfolio"
) )
# TODO: should this cascade and disable any application and environment if (
# roles they might have? portfolio_role.latest_invitation
and portfolio_role.status == PortfolioRoleStatus.PENDING
):
PortfolioInvitations.revoke(portfolio_role.latest_invitation.token)
else:
PortfolioRoles.disable(portfolio_role=portfolio_role) PortfolioRoles.disable(portfolio_role=portfolio_role)
flash("portfolio_member_removed", member_name=portfolio_role.full_name) flash("portfolio_member_removed", member_name=portfolio_role.full_name)

2
tests/domain/test_invitations.py
View File

@ -134,7 +134,7 @@ def test_revoke_invitation():
assert invite.is_pending assert invite.is_pending
PortfolioInvitations.revoke(invite.token) PortfolioInvitations.revoke(invite.token)
assert invite.is_revoked assert invite.is_revoked
assert invite.role.status == PortfolioRoleStatus.PENDING assert invite.role.status == PortfolioRoleStatus.DISABLED
def test_resend_invitation(session): def test_resend_invitation(session):