Raise AuthorizationError if user is not KO

2019-02-01 10:49:34 -05:00 · 2019-02-01 10:49:34 -05:00 · 49ed059853
commit 49ed059853
parent 70b4a51d8a
3 changed files with 13 additions and 13 deletions
--- a/atst/domain/authz.py
+++ b/atst/domain/authz.py
@ -36,9 +36,13 @@ class Authorization(object):
    def is_ccpo(cls, user):
        return user.atat_role.name == "ccpo"

+    @classmethod
+    def is_ko(cls, user, task_order):
+        return task_order.contracting_officer == user
+
    @classmethod
    def check_task_order_permission(cls, user, task_order, permission, message):
-        if Authorization._check_is_task_order_officer(task_order, user):
+        if Authorization._check_is_task_order_officer(user, task_order):
            return True

        Authorization.check_portfolio_permission(
@ -46,7 +50,7 @@ class Authorization(object):
        )

    @classmethod
-    def _check_is_task_order_officer(cls, task_order, user):
+    def _check_is_task_order_officer(cls, user, task_order):
        for officer in [
            "contracting_officer",
            "contracting_officer_representative",
--- a/atst/forms/ko_review.py
+++ b/atst/forms/ko_review.py
@ -36,11 +36,9 @@ class KOReviewForm(CacheableForm):
        translate("forms.ko_review.pdf_label"),
        description=translate("forms.ko_review.pdf_description"),
        validators=[
-            FileAllowed(
-                ["pdf", "png"], translate("forms.task_order.file_format_not_allowed")
-            )
+            FileAllowed(["pdf"], translate("forms.task_order.file_format_not_allowed"))
        ],
-        render_kw={"required": False, "accept": ".pdf,.png,application/pdf,image/png"},
+        render_kw={"required": False, "accept": ".pdf,application/pdf"},
    )
    number = StringField(
        translate("forms.ko_review.to_number"), validators=[Length(min=10), IsNumber()]
--- a/atst/routes/portfolios/task_orders.py
+++ b/atst/routes/portfolios/task_orders.py
@ -7,6 +7,7 @@ from . import portfolios_bp
 from atst.database import db
 from atst.domain.task_orders import TaskOrders
 from atst.domain.portfolios import Portfolios
+from atst.domain.authz import Authorization
 from atst.forms.officers import EditTaskOrderOfficersForm
 from atst.models.task_order import Status as TaskOrderStatus
 from atst.forms.ko_review import KOReviewForm
@ -74,19 +75,16 @@ def view_task_order(portfolio_id, task_order_id):
 def ko_review(portfolio_id, task_order_id):
    task_order = TaskOrders.get(g.current_user, task_order_id)
    portfolio = Portfolios.get(g.current_user, portfolio_id)
-    if task_order.contracting_officer == g.current_user:
+    if not Authorization.is_ko(g.current_user, task_order):
+        message = "review Task Order {}".format(task_order.id)
+        raise UnauthorizedError(g.current_user, message)
+    else:
        return render_template(
            "/portfolios/task_orders/review.html",
            portfolio=portfolio,
            task_order=task_order,
            form=KOReviewForm(obj=task_order),
        )
-    else:
-        return render_template(
-            "portfolios/task_orders/show.html",
-            portfolio=portfolio,
-            task_order=task_order,
-        )


@portfolios_bp.route(