From 516ed9b90e929c0051b9b1a3c8b7c43f89384ffe Mon Sep 17 00:00:00 2001
From: Montana
Date: Thu, 31 Jan 2019 13:45:00 -0500
Subject: [PATCH] Only the KO can view
---
atst/forms/data.py | 5 +----
atst/forms/ko_review.py | 2 +-
atst/routes/portfolios/task_orders.py | 20 +++++++++++++-------
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/atst/forms/data.py b/atst/forms/data.py
index 6b6125fe..b7b8469c 100644
--- a/atst/forms/data.py
+++ b/atst/forms/data.py
@@ -196,10 +196,7 @@ APPLICATION_COMPLEXITY = [
]
DEV_TEAM = [
- (
- "civilians",
- translate("forms.task_order.dev_team.civilians"),
- ),
+ ("civilians", translate("forms.task_order.dev_team.civilians")),
("military", translate("forms.task_order.dev_team.military")),
("contractor", translate("forms.task_order.dev_team.contractor")),
("other", translate("forms.task_order.dev_team.other")),
diff --git a/atst/forms/ko_review.py b/atst/forms/ko_review.py
index 8b882f21..35ff6be0 100644
--- a/atst/forms/ko_review.py
+++ b/atst/forms/ko_review.py
@@ -3,7 +3,7 @@ from flask_wtf.file import FileAllowed
from wtforms.fields.html5 import DateField
from wtforms.fields import StringField, TextAreaField, FileField
-from wtforms.validators import Optional, Length, InputRequired
+from wtforms.validators import Optional, Length
from .forms import CacheableForm
from .validators import IsNumber, DateRange
diff --git a/atst/routes/portfolios/task_orders.py b/atst/routes/portfolios/task_orders.py
index 3a76e0db..af5ac64a 100644
--- a/atst/routes/portfolios/task_orders.py
+++ b/atst/routes/portfolios/task_orders.py
@@ -73,14 +73,20 @@ def view_task_order(portfolio_id, task_order_id):
@portfolios_bp.route("/portfolios//task_order//review")
def ko_review(portfolio_id, task_order_id):
task_order = TaskOrders.get(g.current_user, task_order_id)
- # get permission: make sure g.current_user is task_order.contracting_officer
portfolio = Portfolios.get(g.current_user, portfolio_id)
- return render_template(
- "/portfolios/task_orders/review.html",
- portfolio=portfolio,
- task_order=task_order,
- form=KOReviewForm(obj=task_order),
- )
+ if task_order.contracting_officer == g.current_user:
+ return render_template(
+ "/portfolios/task_orders/review.html",
+ portfolio=portfolio,
+ task_order=task_order,
+ form=KOReviewForm(obj=task_order),
+ )
+ else:
+ return render_template(
+ "portfolios/task_orders/show.html",
+ portfolio=portfolio,
+ task_order=task_order,
+ )
@portfolios_bp.route(
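Review bot: In the `else:` branch of `ko_review`, a user who is not the contracting officer gets a normal 200 response with `show.html` under the `/review` URL, so a failed authorization check leaves no trace (no denial, no log line) and the template is rendered with only `portfolio` and `task_order`, which may not be everything `view_task_order` passes to it. Consider `return redirect(url_for(".view_task_order", portfolio_id=portfolio_id, task_order_id=task_order_id))` there, or `abort(403)` if non-KO users should not reach this route at all; whether `redirect`, `url_for` or `abort` are already imported is not visible in the hunk. The guard also exists only in this GET view, so the handler that accepts the KO review form submission needs the same check, ideally enforced once in the domain layer rather than per route. Nothing in the hunk ties `task_order` to `portfolio_id` either; unless `TaskOrders.get` does that, add an explicit comparison before rendering. The route that follows starts on the hunk's last line and its body is outside the hunk.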