From 53ab37dc6853860ce356eabbbfee8a6edc30ae36 Mon Sep 17 00:00:00 2001
From: richard-dds
Date: Mon, 16 Jul 2018 14:53:21 -0400
Subject: [PATCH] Check for permission before listing requests
---
 atst/handlers/request.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/atst/handlers/request.py b/atst/handlers/request.py
index 6c6322d0..4d2e88e6 100644
--- a/atst/handlers/request.py
+++ b/atst/handlers/request.py
@@ -27,9 +27,15 @@ class Request(BaseHandler):
 @tornado.gen.coroutine
 def get(self):
 user = self.get_current_user()
- response = yield self.requests_client.get(
- "/users/{}/requests".format(user["id"])
- )
- requests = response.json["requests"]
+
+ if "review_and_approve_jedi_workspace_request" in user["atat_permissions"]:
+ response = yield self.requests_client.get("/requests")
+ requests = response.json
+ else:
+ response = yield self.requests_client.get(
+ "/requests?creator_id={}".format(user["id"])
+ )
+ requests = response.json["requests"]
+
 mapped_requests = [map_request(user, request) for request in requests]
 self.render("requests.html.to", page=self.page, requests=mapped_requests)
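Review bot: The permission test `"review_and_approve_jedi_workspace_request" in user["atat_permissions"]` indexes the user record directly, so a user or session without an `atat_permissions` key raises KeyError and the handler fails with a server error instead of falling back to the creator-filtered list; if `user` is a plain dict, `user.get("atat_permissions", [])` would fail closed to the narrower query. The privileged branch also reads `requests = response.json` while the filtered branch reads `response.json["requests"]`; unless the requests service really returns a bare list for `/requests`, the comprehension would iterate dict keys, so the shape is worth confirming or aligning. This check is the only gate visible here on the unfiltered `/requests` call, so the requests service presumably needs to enforce the same permission itself rather than rely on this handler, which cannot be seen from the hunk. A short comment above the `if`, such as `# Reviewers see every request; everyone else only their own.`, would record the intent.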