Raise Unauthorized error in authz instead of route

2019-02-01 14:51:40 -05:00 · 2019-02-01 14:51:40 -05:00 · 377149c766
commit 377149c766
parent 49ed059853
3 changed files with 13 additions and 14 deletions
--- a/atst/domain/authz.py
+++ b/atst/domain/authz.py
@ -37,8 +37,10 @@ class Authorization(object):
        return user.atat_role.name == "ccpo"

    @classmethod
-    def is_ko(cls, user, task_order):
-        return task_order.contracting_officer == user
+    def check_is_ko(cls, user, task_order):
+        if task_order.contracting_officer != user:
+            message = "review Task Order {}".format(task_order.id)
+            raise UnauthorizedError(user, message)

    @classmethod
    def check_task_order_permission(cls, user, task_order, permission, message):
--- a/atst/forms/ko_review.py
+++ b/atst/forms/ko_review.py
@ -41,7 +41,7 @@ class KOReviewForm(CacheableForm):
        render_kw={"required": False, "accept": ".pdf,application/pdf"},
    )
    number = StringField(
-        translate("forms.ko_review.to_number"), validators=[Length(min=10), IsNumber()]
+        translate("forms.ko_review.to_number"), validators=[Length(min=10)]
    )
    loa = StringField(
        translate("forms.ko_review.loa"), validators=[Length(min=10), IsNumber()]
--- a/atst/routes/portfolios/task_orders.py
+++ b/atst/routes/portfolios/task_orders.py
@ -75,16 +75,13 @@ def view_task_order(portfolio_id, task_order_id):
 def ko_review(portfolio_id, task_order_id):
    task_order = TaskOrders.get(g.current_user, task_order_id)
    portfolio = Portfolios.get(g.current_user, portfolio_id)
-    if not Authorization.is_ko(g.current_user, task_order):
-        message = "review Task Order {}".format(task_order.id)
-        raise UnauthorizedError(g.current_user, message)
-    else:
-        return render_template(
-            "/portfolios/task_orders/review.html",
-            portfolio=portfolio,
-            task_order=task_order,
-            form=KOReviewForm(obj=task_order),
-        )
+    Authorization.check_is_ko(g.current_user, task_order)
+    return render_template(
+        "/portfolios/task_orders/review.html",
+        portfolio=portfolio,
+        task_order=task_order,
+        form=KOReviewForm(obj=task_order),
+    )


@portfolios_bp.route(
@ -95,7 +92,7 @@ def submit_ko_review(portfolio_id, task_order_id, form=None):
    form = KOReviewForm(http_request.form)
    portfolio = Portfolios.get(g.current_user, portfolio_id)

-    if form.validate():
+    if form.validate() and Authorization.check_is_ko(g.current_user, task_order):
        TaskOrders.update(user=g.current_user, task_order=task_order, **form.data)
        return redirect(
            url_for(