From 50888f9e9f7e51bfbf7396e2d693f96380e7eb2b Mon Sep 17 00:00:00 2001
From: dandds
Date: Wed, 7 Nov 2018 12:56:22 -0500
Subject: [PATCH] push authz into the workspace domain for revoking tokens
---
 atst/domain/workspaces/workspaces.py | 12 ++++++++++++
 atst/routes/workspaces.py | 8 +-------
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/atst/domain/workspaces/workspaces.py b/atst/domain/workspaces/workspaces.py
index c92513ab..453a1eed 100644
--- a/atst/domain/workspaces/workspaces.py
+++ b/atst/domain/workspaces/workspaces.py
@@ -50,6 +50,18 @@ class Workspaces(object):
 return workspace
+ @classmethod
+ def get_for_update_member(cls, user, workspace_id):
+ workspace = WorkspacesQuery.get(workspace_id)
+ Authorization.check_workspace_permission(
+ user,
+ workspace,
+ Permissions.ASSIGN_AND_UNASSIGN_ATAT_ROLE,
+ "update a workspace member",
+ )
+
+ return workspace
+
 @classmethod
 def get_by_request(cls, request):
 return WorkspacesQuery.get_by_request(request)
diff --git a/atst/routes/workspaces.py b/atst/routes/workspaces.py
index c259410f..60f4f512 100644
--- a/atst/routes/workspaces.py
+++ b/atst/routes/workspaces.py
@@ -368,13 +368,7 @@ def accept_invitation(token):
 @bp.route("/workspaces//invitations//revoke", methods=["POST"])
 def revoke_invitation(workspace_id, token):
- workspace = Workspaces.get(g.current_user, workspace_id)
- Authorization.check_workspace_permission(
- g.current_user,
- workspace,
- Permissions.ASSIGN_AND_UNASSIGN_ATAT_ROLE,
- "revoke member invitation",
- )
+ workspace = Workspaces.get_for_update_member(g.current_user, workspace_id)
 Invitations.revoke(token)
 return redirect(url_for("workspaces.workspace_members", workspace_id=workspace.id))
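Review bot: The denial reason passed to `Authorization.check_workspace_permission` in `get_for_update_member` is fixed at `"update a workspace member"`, so once the route in atst/routes/workspaces.py calls this method, a refused revocation is no longer reported as `"revoke member invitation"`. If that string reaches logs or audit records (not visible here), denied invitation revocations can no longer be told apart from other member updates. The new method also has no docstring; something like `"""Return the workspace after checking that user holds ASSIGN_AND_UNASSIGN_ATAT_ROLE on it."""` would tell callers which permission gates it. The `Workspaces` class starts and ends outside this hunk.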
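Review bot: The permission check in `revoke_invitation` covers only the `workspace_id` taken from the URL, while `Invitations.revoke(token)` receives the token alone, so nothing visible in this hunk ties the invitation to the workspace that was authorized. Unless `Invitations.revoke` verifies that binding itself (its body is not shown), a user holding the role-assignment permission on one workspace could revoke an invitation issued for a different one. I would resolve the invitation first and reject the request when it does not belong to `workspace`, or pass the workspace into the revoke call so the domain layer enforces the match, which fits this commit's move of authz into the domain. A test for the mismatched workspace/token case would pin this down.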