Only the KO can view

2019-01-31 13:45:00 -05:00 · 2019-01-31 13:45:00 -05:00 · 516ed9b90e
commit 516ed9b90e
parent 4ed445dd99
3 changed files with 15 additions and 12 deletions
--- a/atst/forms/data.py
+++ b/atst/forms/data.py
@ -196,10 +196,7 @@ APPLICATION_COMPLEXITY = [
 ]

 DEV_TEAM = [
-    (
-        "civilians",
-        translate("forms.task_order.dev_team.civilians"),
-    ),
+    ("civilians", translate("forms.task_order.dev_team.civilians")),
    ("military", translate("forms.task_order.dev_team.military")),
    ("contractor", translate("forms.task_order.dev_team.contractor")),
    ("other", translate("forms.task_order.dev_team.other")),
--- a/atst/forms/ko_review.py
+++ b/atst/forms/ko_review.py
@ -3,7 +3,7 @@ from flask_wtf.file import FileAllowed

 from wtforms.fields.html5 import DateField
 from wtforms.fields import StringField, TextAreaField, FileField
-from wtforms.validators import Optional, Length, InputRequired
+from wtforms.validators import Optional, Length

 from .forms import CacheableForm
 from .validators import IsNumber, DateRange
--- a/atst/routes/portfolios/task_orders.py
+++ b/atst/routes/portfolios/task_orders.py
@ -73,14 +73,20 @@ def view_task_order(portfolio_id, task_order_id):
@portfolios_bp.route("/portfolios/<portfolio_id>/task_order/<task_order_id>/review")
 def ko_review(portfolio_id, task_order_id):
    task_order = TaskOrders.get(g.current_user, task_order_id)
-    # get permission: make sure g.current_user is task_order.contracting_officer
    portfolio = Portfolios.get(g.current_user, portfolio_id)
+    if task_order.contracting_officer == g.current_user:
        return render_template(
            "/portfolios/task_orders/review.html",
            portfolio=portfolio,
            task_order=task_order,
            form=KOReviewForm(obj=task_order),
        )
+    else:
+        return render_template(
+            "portfolios/task_orders/show.html",
+            portfolio=portfolio,
+            task_order=task_order,
+        )


@portfolios_bp.route(