Raise Unauthorized error in authz instead of route

This commit is contained in:
Montana 2019-02-01 14:51:40 -05:00
parent 49ed059853
commit 377149c766
3 changed files with 13 additions and 14 deletions


@ -37,8 +37,10 @@ class Authorization(object):
return user.atat_role.name == "ccpo" return user.atat_role.name == "ccpo"
@classmethod @classmethod
def is_ko(cls, user, task_order): def check_is_ko(cls, user, task_order):
return task_order.contracting_officer == user if task_order.contracting_officer != user:
message = "review Task Order {}".format(task_order.id)
raise UnauthorizedError(user, message)
@classmethod @classmethod
def check_task_order_permission(cls, user, task_order, permission, message): def check_task_order_permission(cls, user, task_order, permission, message):
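Review bot: `check_is_ko` has no return value on the success path, so it evaluates to `None` wherever it is used as a boolean; the new call site in `submit_ko_review` (third file, `if form.validate() and Authorization.check_is_ko(g.current_user, task_order):`) therefore can never enter the update branch for a legitimate contracting officer, and an unauthorized user is only rejected after the form has already been validated. Either make the method explicit about its contract with `return True` after the `if`, or call it as a statement ahead of `form.validate()` the way `ko_review` does, so the authorization check fails closed before any input is processed. A short docstring such as `"""Raise UnauthorizedError unless *user* is the contracting officer of *task_order*."""` would make the raise-not-return contract obvious to the next caller.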


@ -41,7 +41,7 @@ class KOReviewForm(CacheableForm):
render_kw={"required": False, "accept": ".pdf,application/pdf"}, render_kw={"required": False, "accept": ".pdf,application/pdf"},
) )
number = StringField( number = StringField(
translate("forms.ko_review.to_number"), validators=[Length(min=10), IsNumber()] translate("forms.ko_review.to_number"), validators=[Length(min=10)]
) )
loa = StringField( loa = StringField(
translate("forms.ko_review.loa"), validators=[Length(min=10), IsNumber()] translate("forms.ko_review.loa"), validators=[Length(min=10), IsNumber()]
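Review bot: The `number` field loses its `IsNumber()` validator in this hunk, so any string of at least ten characters is now accepted for the task order number, while the neighbouring `loa` field keeps the numeric check; this is not mentioned in the commit message and looks unrelated to moving the authorization raise. If the relaxation is intentional (for example because real task order numbers contain letters), a comment on the field such as `# task order numbers are alphanumeric; only length is enforced` would stop a later reader from "fixing" it back, otherwise the validator should be restored.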


@ -75,16 +75,13 @@ def view_task_order(portfolio_id, task_order_id):
def ko_review(portfolio_id, task_order_id): def ko_review(portfolio_id, task_order_id):
task_order = TaskOrders.get(g.current_user, task_order_id) task_order = TaskOrders.get(g.current_user, task_order_id)
portfolio = Portfolios.get(g.current_user, portfolio_id) portfolio = Portfolios.get(g.current_user, portfolio_id)
if not Authorization.is_ko(g.current_user, task_order): Authorization.check_is_ko(g.current_user, task_order)
message = "review Task Order {}".format(task_order.id) return render_template(
raise UnauthorizedError(g.current_user, message) "/portfolios/task_orders/review.html",
else: portfolio=portfolio,
return render_template( task_order=task_order,
"/portfolios/task_orders/review.html", form=KOReviewForm(obj=task_order),
portfolio=portfolio, )
task_order=task_order,
form=KOReviewForm(obj=task_order),
)
@portfolios_bp.route( @portfolios_bp.route(
@ -95,7 +92,7 @@ def submit_ko_review(portfolio_id, task_order_id, form=None):
form = KOReviewForm(http_request.form) form = KOReviewForm(http_request.form)
portfolio = Portfolios.get(g.current_user, portfolio_id) portfolio = Portfolios.get(g.current_user, portfolio_id)
if form.validate(): if form.validate() and Authorization.check_is_ko(g.current_user, task_order):
TaskOrders.update(user=g.current_user, task_order=task_order, **form.data) TaskOrders.update(user=g.current_user, task_order=task_order, **form.data)
return redirect( return redirect(
url_for( url_for(