From 3cfac9e95ecd502d8ae79f1beb520fd460b2b1f4 Mon Sep 17 00:00:00 2001
From: Montana
Date: Tue, 2 Apr 2019 10:16:46 -0400
Subject: [PATCH] Validate the form
---
 atst/routes/portfolios/index.py | 31 ++++++++++++++-------------
 tests/routes/portfolios/test_admin.py | 28 ++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 15 deletions(-)
diff --git a/atst/routes/portfolios/index.py b/atst/routes/portfolios/index.py
index dfee5004..541a8194 100644
--- a/atst/routes/portfolios/index.py
+++ b/atst/routes/portfolios/index.py
@@ -96,24 +96,25 @@ def edit_portfolio_members(portfolio_id):
 portfolio = Portfolios.get_for_update(portfolio_id)
 member_perms_form = member_forms.MembersPermissionsForm(http_request.form)
- for subform in member_perms_form.members_permissions:
- new_perm_set = subform.data["permission_sets"]
- user_id = subform.user_id.data
- portfolio_role = PortfolioRoles.get(portfolio.id, user_id)
- PortfolioRoles.update(portfolio_role, new_perm_set)
+ if member_perms_form.validate():
+ for subform in member_perms_form.members_permissions:
+ new_perm_set = subform.data["permission_sets"]
+ user_id = subform.user_id.data
+ portfolio_role = PortfolioRoles.get(portfolio.id, user_id)
+ PortfolioRoles.update(portfolio_role, new_perm_set)
- flash("update_portfolio_members", portfolio=portfolio)
+ flash("update_portfolio_members", portfolio=portfolio)
- return redirect(
- url_for(
- "portfolios.portfolio_admin",
- portfolio_id=portfolio.id,
- fragment="portfolio-members",
- _anchor="portfolio-members",
+ return redirect(
+ url_for(
+ "portfolios.portfolio_admin",
+ portfolio_id=portfolio.id,
+ fragment="portfolio-members",
+ _anchor="portfolio-members",
+ )
 )
- )
-
- return render_admin_page(portfolio)
+ else:
+ return render_admin_page(portfolio)
 @portfolios_bp.route("/portfolios//edit", methods=["POST"])
diff --git a/tests/routes/portfolios/test_admin.py b/tests/routes/portfolios/test_admin.py
index 4a5f2a32..522dcb0c 100644
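Review bot: The failure branch at the end of edit_portfolio_members discards the bound `member_perms_form` and its errors, so a rejected permission change comes back as an ordinary page load. `render_admin_page(portfolio)` is called without the submitted form, and the new test pins the response status at 200. If render_admin_page can take the bound form (its signature is not visible in this hunk), pass it through so the field errors are shown to the user. A non-2xx status such as `return render_admin_page(portfolio), 400` would also let rejected permission edits stand out in access logs and monitoring, assuming the helper returns a body that Flask can pair with a status. The function's decorators, and with them any access check, sit outside the hunk.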
--- a/tests/routes/portfolios/test_admin.py
+++ b/tests/routes/portfolios/test_admin.py
@@ -102,3 +102,31 @@ def test_no_update_member_permissions_without_edit_access(client, user_session):
 assert not rando_pf_role.has_permission_set(
 PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT
 )
+
+
+def test_rerender_admin_page_if_member_perms_form_does_not_validate(
+ client, user_session
+):
+ portfolio = PortfolioFactory.create()
+ user = UserFactory.create()
+ PortfolioRoleFactory.create(
+ user=user,
+ portfolio=portfolio,
+ permission_sets=[PermissionSets.get(PermissionSets.EDIT_PORTFOLIO_ADMIN)],
+ )
+ user_session(user)
+ form_data = {
+ "members_permissions-0-user_id": user.id,
+ "members_permissions-0-perms_app_mgmt": "bad input",
+ "members_permissions-0-perms_funding": "view_portfolio_funding",
+ "members_permissions-0-perms_reporting": "view_portfolio_reports",
+ "members_permissions-0-perms_portfolio_mgmt": "view_portfolio_admin",
+ }
+
+ response = client.post(
+ url_for("portfolios.edit_portfolio_members", portfolio_id=portfolio.id),
+ data=form_data,
+ follow_redirects=True,
+ )
+ assert response.status_code == 200
+ assert "Portfolio Administration" in response.data.decode()
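Review bot: The two assertions at the end of the new test do not distinguish the rejected path from the accepted one. With `follow_redirects=True`, the success branch redirects to `portfolios.portfolio_admin`, which presumably also answers 200 with the "Portfolio Administration" page. The property worth pinning is that the rejected POST changed no permissions. After `client.post(...)`, re-read the role and assert it still holds its original set, for example `assert PortfolioRoles.get(portfolio.id, user.id).has_permission_set(PermissionSets.EDIT_PORTFOLIO_ADMIN)`, provided PortfolioRoles is importable in this test module. Dropping `follow_redirects=True` and asserting that the response is not a redirect would make the branch under test explicit.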