From 377149c76672883ca8bf20d213ed3a6d54a6d1c2 Mon Sep 17 00:00:00 2001
From: Montana
Date: Fri, 1 Feb 2019 14:51:40 -0500
Subject: [PATCH] Raise Unauthorized error in authz instead of route

---
 atst/domain/authz.py | 6 ++++--
 atst/forms/ko_review.py | 2 +-
 atst/routes/portfolios/task_orders.py | 19 ++++++++-----------
 3 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/atst/domain/authz.py b/atst/domain/authz.py
index 9f4d4cf6..de3c2156 100644
--- a/atst/domain/authz.py
+++ b/atst/domain/authz.py
@@ -37,8 +37,10 @@ class Authorization(object):
         return user.atat_role.name == "ccpo"
 
     @classmethod
-    def is_ko(cls, user, task_order):
-        return task_order.contracting_officer == user
+    def check_is_ko(cls, user, task_order):
+        if task_order.contracting_officer != user:
+            message = "review Task Order {}".format(task_order.id)
+            raise UnauthorizedError(user, message)
 
     @classmethod
     def check_task_order_permission(cls, user, task_order, permission, message):
diff --git a/atst/forms/ko_review.py b/atst/forms/ko_review.py
index 4664b80d..4baaa032 100644
--- a/atst/forms/ko_review.py
+++ b/atst/forms/ko_review.py
@@ -41,7 +41,7 @@ class KOReviewForm(CacheableForm):
         render_kw={"required": False, "accept": ".pdf,application/pdf"},
     )
     number = StringField(
-        translate("forms.ko_review.to_number"), validators=[Length(min=10), IsNumber()]
+        translate("forms.ko_review.to_number"), validators=[Length(min=10)]
     )
     loa = StringField(
         translate("forms.ko_review.loa"), validators=[Length(min=10), IsNumber()]
diff --git a/atst/routes/portfolios/task_orders.py b/atst/routes/portfolios/task_orders.py
index a35445a2..5ed29cb6 100644
--- a/atst/routes/portfolios/task_orders.py
+++ b/atst/routes/portfolios/task_orders.py
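Review bot: `check_is_ko` has no docstring and returns `None` on success, so its raise-or-nothing contract is stated nowhere, and any caller that tests the result in a boolean expression will always see a falsy value. A one-line docstring under the new `def` would settle it: `"""Raise UnauthorizedError unless *user* is the contracting officer of *task_order*."""`. If callers are meant to use it inside conditions, adding `return True` after the `if` block is the smaller fix and keeps the early raise. The hunk does not show the import block of atst/domain/authz.py, so confirm `UnauthorizedError` is already in scope there rather than only in the route module it was removed from.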
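Review bot: Dropping `IsNumber()` from the `number` field relaxes server-side validation of the task-order number while `loa` two lines below keeps it, and the commit subject ("Raise Unauthorized error in authz instead of route") gives no reason for the change. If task-order numbers are legitimately non-numeric this is fine but belongs in its own commit with a one-line rationale; otherwise `validators=[Length(min=10), IsNumber()]` should stay. The enclosing KOReviewForm class starts and ends outside the hunk.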
@@ -75,16 +75,13 @@ def view_task_order(portfolio_id, task_order_id):
 def ko_review(portfolio_id, task_order_id):
     task_order = TaskOrders.get(g.current_user, task_order_id)
     portfolio = Portfolios.get(g.current_user, portfolio_id)
-    if not Authorization.is_ko(g.current_user, task_order):
-        message = "review Task Order {}".format(task_order.id)
-        raise UnauthorizedError(g.current_user, message)
-    else:
-        return render_template(
-            "/portfolios/task_orders/review.html",
-            portfolio=portfolio,
-            task_order=task_order,
-            form=KOReviewForm(obj=task_order),
-        )
+    Authorization.check_is_ko(g.current_user, task_order)
+    return render_template(
+        "/portfolios/task_orders/review.html",
+        portfolio=portfolio,
+        task_order=task_order,
+        form=KOReviewForm(obj=task_order),
+    )
 
 
 @portfolios_bp.route(
@@ -95,7 +92,7 @@ def submit_ko_review(portfolio_id, task_order_id, form=None):
     form = KOReviewForm(http_request.form)
     portfolio = Portfolios.get(g.current_user, portfolio_id)
 
-    if form.validate():
+    if form.validate() and Authorization.check_is_ko(g.current_user, task_order):
         TaskOrders.update(user=g.current_user, task_order=task_order, **form.data)
         return redirect(
             url_for(
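Review bot: In the second hunk, `Authorization.check_is_ko` either raises or returns `None`, so `form.validate() and Authorization.check_is_ko(g.current_user, task_order)` is never truthy and the `TaskOrders.update` branch can no longer run for a legitimate contracting officer. Ordering is also inverted: `form.validate()` runs first, so an unauthorized submitter whose form fails validation never reaches the check and presumably gets the form re-rendered by whatever follows the `if` outside the hunk. Call the check as a statement ahead of the condition, `Authorization.check_is_ko(g.current_user, task_order)` on its own line followed by `if form.validate():`, mirroring how `ko_review` in the first hunk uses it. submit_ko_review continues outside the hunk, and `task_order` appears to be bound above it since the context line already passes it to `TaskOrders.update`.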