Raise AuthorizationError if user is not KO

Montana 2019-02-01 10:49:34 -05:00
parent 70b4a51d8a
commit 49ed059853
3 changed files with 13 additions and 13 deletions


@ -36,9 +36,13 @@ class Authorization(object):
def is_ccpo(cls, user): def is_ccpo(cls, user):
return user.atat_role.name == "ccpo" return user.atat_role.name == "ccpo"
@classmethod
def is_ko(cls, user, task_order):
return task_order.contracting_officer == user
@classmethod @classmethod
def check_task_order_permission(cls, user, task_order, permission, message): def check_task_order_permission(cls, user, task_order, permission, message):
if Authorization._check_is_task_order_officer(task_order, user): if Authorization._check_is_task_order_officer(user, task_order):
return True return True
Authorization.check_portfolio_permission( Authorization.check_portfolio_permission(
@ -46,7 +50,7 @@ class Authorization(object):
) )
@classmethod @classmethod
def _check_is_task_order_officer(cls, task_order, user): def _check_is_task_order_officer(cls, user, task_order):
for officer in [ for officer in [
"contracting_officer", "contracting_officer",
"contracting_officer_representative", "contracting_officer_representative",
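Review bot: The new `is_ko` classmethod has no docstring and, a few lines below it, `_check_is_task_order_officer` still walks `"contracting_officer"` in its own officer list, so the commit now has two independent definitions of "this user is the KO" that can drift apart; add `"""Return True when *user* is the task order's contracting officer (KO)."""` and consider having the officer loop compare through `cls.is_ko(user, task_order)` for the `"contracting_officer"` entry. The swap of `_check_is_task_order_officer` to `(cls, user, task_order)` makes its argument order agree with `is_ko` and with the updated call in `check_task_order_permission`, which is the right direction. `is_ko` also takes `cls` but does not use it, which is consistent with the sibling methods here. The body of `_check_is_task_order_officer` continues past the end of this hunk.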


@ -36,11 +36,9 @@ class KOReviewForm(CacheableForm):
translate("forms.ko_review.pdf_label"), translate("forms.ko_review.pdf_label"),
description=translate("forms.ko_review.pdf_description"), description=translate("forms.ko_review.pdf_description"),
validators=[ validators=[
FileAllowed( FileAllowed(["pdf"], translate("forms.task_order.file_format_not_allowed"))
["pdf", "png"], translate("forms.task_order.file_format_not_allowed")
)
], ],
render_kw={"required": False, "accept": ".pdf,.png,application/pdf,image/png"}, render_kw={"required": False, "accept": ".pdf,application/pdf"},
) )
number = StringField( number = StringField(
translate("forms.ko_review.to_number"), validators=[Length(min=10), IsNumber()] translate("forms.ko_review.to_number"), validators=[Length(min=10), IsNumber()]
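Review bot: Narrowing the validator to `FileAllowed(["pdf"], ...)` only tightens the filename-extension check (flask-wtf's `FileAllowed` compares the suffix after the last dot, not the file bytes), and the `accept` value in `render_kw` is a browser-side hint that a hand-built request ignores; wherever the uploaded file is stored or rendered, the content should still be validated server-side as a PDF. If `FileAllowed` here is not flask-wtf's, confirm which rule it applies before relying on it. The `FileField` that owns these validators begins before the hunk.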


@ -7,6 +7,7 @@ from . import portfolios_bp
from atst.database import db from atst.database import db
from atst.domain.task_orders import TaskOrders from atst.domain.task_orders import TaskOrders
from atst.domain.portfolios import Portfolios from atst.domain.portfolios import Portfolios
from atst.domain.authz import Authorization
from atst.forms.officers import EditTaskOrderOfficersForm from atst.forms.officers import EditTaskOrderOfficersForm
from atst.models.task_order import Status as TaskOrderStatus from atst.models.task_order import Status as TaskOrderStatus
from atst.forms.ko_review import KOReviewForm from atst.forms.ko_review import KOReviewForm
@ -74,19 +75,16 @@ def view_task_order(portfolio_id, task_order_id):
def ko_review(portfolio_id, task_order_id): def ko_review(portfolio_id, task_order_id):
task_order = TaskOrders.get(g.current_user, task_order_id) task_order = TaskOrders.get(g.current_user, task_order_id)
portfolio = Portfolios.get(g.current_user, portfolio_id) portfolio = Portfolios.get(g.current_user, portfolio_id)
if task_order.contracting_officer == g.current_user: if not Authorization.is_ko(g.current_user, task_order):
message = "review Task Order {}".format(task_order.id)
raise UnauthorizedError(g.current_user, message)
else:
return render_template( return render_template(
"/portfolios/task_orders/review.html", "/portfolios/task_orders/review.html",
portfolio=portfolio, portfolio=portfolio,
task_order=task_order, task_order=task_order,
form=KOReviewForm(obj=task_order), form=KOReviewForm(obj=task_order),
) )
else:
return render_template(
"portfolios/task_orders/show.html",
portfolio=portfolio,
task_order=task_order,
)
@portfolios_bp.route( @portfolios_bp.route(
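Review bot: In `ko_review` the `else:` after `raise UnauthorizedError(g.current_user, message)` is dead structure — the `raise` already ends that path — so dropping the `else:` and dedenting the `return render_template(...)` block gives the plain guard-clause form the commit title describes. The title says `AuthorizationError` while the code raises `UnauthorizedError`; whichever the `authz` module actually defines should be the one named, so the app's error handler catches it. This guard covers only the GET that renders `KOReviewForm`; if a POST handler elsewhere in this file accepts the same form, it needs the same `Authorization.is_ko(g.current_user, task_order)` check — that handler is outside the hunk, so this is inferred rather than observed.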